
ShinyHunters Breach Okta, Microsoft SSO in Major Data Theft

Originally published on: January 25, 2026
Summary

– The ShinyHunters extortion gang is conducting voice phishing (vishing) attacks that trick employees into giving up SSO credentials and MFA codes on fake login portals.
– These attacks target single sign-on (SSO) services from Okta, Microsoft, and Google, which act as gateways to numerous connected corporate applications like Salesforce and Microsoft 365.
– Attackers use sophisticated phishing kits with real-time control panels to dynamically guide victims through the authentication process during phone calls.
– ShinyHunters confirms it is behind these attacks, primarily targeting Salesforce data, and uses previously stolen employee information to make the social engineering more convincing.
– Several companies, including SoundCloud, Betterment, and Crunchbase, have been breached, with ShinyHunters listing them on a relaunched data leak site.

A sophisticated voice phishing campaign is targeting major single sign-on (SSO) providers, leading to significant corporate data theft and extortion. The ShinyHunters extortion gang claims responsibility for these ongoing attacks, which specifically compromise SSO accounts at Okta, Microsoft Entra, and Google. By impersonating IT support staff, attackers use social engineering to trick employees into entering their credentials and multi-factor authentication codes on fraudulent login portals. This access provides a gateway to a wide array of connected enterprise applications, turning a single compromised account into a major security incident.

The threat actors place phone calls to employees, posing as IT personnel. They guide their targets to phishing websites that mimic legitimate company login pages. During the call, the attackers use a dynamic web-based control panel to alter what the victim sees in real time, walking them through each step of the authentication process. If the stolen credentials trigger an MFA prompt on the genuine service, the phishing kit can instantly display new dialog boxes instructing the victim to approve a push notification or enter a time-based one-time password. This interactive method makes the scam highly convincing and effective.
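The real-time relay described above works because a TOTP code or a push approval is not tied to the site the victim is looking at: whatever the victim produces on the look-alike page can be forwarded to the genuine service within its validity window. The following script is an added example, not code from the article, from Okta, or from the group it describes. It implements RFC 6238 TOTP with the standard library and then contrasts a relayed TOTP with an origin-bound (WebAuthn-style) assertion. The origins `sso.example.com` and `sso-example.com` are constructed, the "phishing kit" is reduced to a forwarding function, and an HMAC shared key stands in for the FIDO2 key pair so that everything runs offline; the point it demonstrates (the assertion is signed over the page origin, so a relayed one fails verification at the real identity provider) holds for the real protocol.

```python
"""Why a live vishing relay captures TOTP codes but not origin-bound credentials.

Added example. The IdP, authenticator and relay are simulations; real WebAuthn
uses public-key signatures, here HMAC with a shared key keeps it runnable.
"""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # constructed: the genuine SSO portal
PHISH_ORIGIN = "https://sso-example.com"   # constructed: look-alike phishing page


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class IdentityProvider:
    """Minimal stand-in for the SSO service that checks the second factor."""

    def __init__(self) -> None:
        self.totp_secret = secrets.token_bytes(20)
        # Stand-in for the user's registered credential. A real IdP holds a
        # public key; a shared HMAC key is used here so the script is self-contained.
        self.cred_key = secrets.token_bytes(32)
        self.origin = LEGIT_ORIGIN

    def verify_totp(self, code: str, at: float) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, at))

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_assertion(self, challenge: bytes, assertion: dict) -> bool:
        # The IdP recomputes the signature over the challenge AND its own origin,
        # so an assertion produced on any other origin cannot match.
        expected = hmac.new(self.cred_key, challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


class Authenticator:
    """Stand-in for a security key. It signs over the origin of the page that
    asked, which is what binds the assertion to the site the user is really on."""

    def __init__(self, cred_key: bytes) -> None:
        self.cred_key = cred_key

    def assert_for(self, challenge: bytes, page_origin: str) -> dict:
        sig = hmac.new(self.cred_key, challenge + page_origin.encode(),
                       hashlib.sha256).digest()
        return {"origin": page_origin, "sig": sig}


def relayed_totp_accepted(idp: IdentityProvider, at: float) -> bool:
    """Victim reads the TOTP from their app into the phishing page; the kit
    forwards it to the real IdP inside the 30 s window. Nothing ties the code
    to a site, so the relay succeeds."""
    victim_typed = totp(idp.totp_secret, at)
    return idp.verify_totp(victim_typed, at)


def relayed_origin_bound_accepted(idp: IdentityProvider) -> bool:
    """Same relay against an origin-bound credential. The phishing page asks the
    authenticator to sign, the browser supplies the phishing origin, and the
    forwarded assertion does not verify at the real IdP."""
    auth = Authenticator(idp.cred_key)
    challenge = idp.new_challenge()                       # kit fetched this from the real IdP
    assertion = auth.assert_for(challenge, PHISH_ORIGIN)  # signed on the look-alike page
    return idp.verify_assertion(challenge, assertion)


def legitimate_origin_bound_accepted(idp: IdentityProvider) -> bool:
    """Control case: the same credential used on the genuine portal verifies."""
    auth = Authenticator(idp.cred_key)
    challenge = idp.new_challenge()
    return idp.verify_assertion(challenge, auth.assert_for(challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    idp = IdentityProvider()
    print("relayed TOTP accepted:", relayed_totp_accepted(idp, 1_700_000_000.0))
    print("relayed origin-bound assertion accepted:", relayed_origin_bound_accepted(idp))
    print("origin-bound assertion from real portal accepted:", legitimate_origin_bound_accepted(idp))
```

The `totp` function reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59 s, code `287082` at six digits), so the relayed-TOTP case is the same code a victim would read off a real app. The defensive takeaway is the contrast between the two relay functions: rolling out phishing-resistant MFA for the SSO tier removes the step the kit's live control panel depends on, whereas push and TOTP prompts remain relayable however convincing or unconvincing the caller is.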

Once inside a victim’s SSO dashboard, which lists all connected services, the attackers begin harvesting data from available platforms. These commonly include major business applications like Salesforce, Microsoft 365, Google Workspace, Dropbox, and Slack. The stolen data is then used for extortion. Multiple targeted companies have reportedly received ransom demands signed by the ShinyHunters group, confirming their involvement in these intrusions.

While Okta declined to comment on specific breaches, the company released a detailed report on the phishing kits used in these voice-based attacks, which aligns with independent findings. The kits are designed for real-time interaction, allowing criminals to adapt the phishing site dynamically during a call. ShinyHunters has publicly confirmed its role in the campaign, stating that Salesforce remains its primary target, with other platforms being secondary beneficiaries. The group also disputed that a specific phishing kit screenshot released by Okta belonged to its operation, claiming to use an in-house built platform instead.

The attackers are leveraging data from previous breaches to make their social engineering efforts more persuasive. Information such as employee phone numbers, job titles, and names—potentially sourced from earlier incidents like widespread Salesforce data theft—is used to add credibility to their impersonations. Microsoft and Google have been notified, with Google stating it has no evidence its products are being abused in this specific campaign. Microsoft has not shared additional details at this time.

In a related development, ShinyHunters has relaunched its Tor data leak site, listing new breaches at companies including SoundCloud, Betterment, and Crunchbase. SoundCloud had disclosed an incident late last year, while Betterment recently confirmed its email platform was abused for cryptocurrency scams. Crunchbase, which had not previously announced a breach, confirmed a cybersecurity incident where a threat actor exfiltrated certain documents from its corporate network. The company stated that business operations were not disrupted, the incident is contained, and it is working with cybersecurity experts and law enforcement while reviewing impacted information for any required notifications.

(Source: Bleeping Computer)
