ShinyHunters SSO Attacks Explained: How They Breach Okta, Microsoft, & Google Accounts (2026)

A notorious hacking group, ShinyHunters, is boldly claiming responsibility for a recent surge in sophisticated voice phishing (vishing) attacks that are wreaking havoc on single sign-on (SSO) accounts! This is a serious escalation, as these attacks aren't just about stealing passwords; they're designed to compromise entire corporate networks and hold sensitive company data hostage.

The core of the problem lies in how we access our digital workplaces. Companies like Okta, Microsoft (with its Entra ID), and Google offer SSO services. Think of SSO as a master key that unlocks multiple doors – all your cloud services, internal tools, and business platforms can be accessed with just one set of login credentials. This is incredibly convenient for employees, streamlining access to essential applications like Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, and Atlassian, among many others. However, this convenience also presents a significant vulnerability. If that master key is stolen, attackers gain access to a veritable treasure trove of interconnected systems and data.

But here's where it gets particularly insidious: the attackers are using your phone to trick you! These aren't your typical email phishing attempts. Instead, threat actors are impersonating IT support personnel and calling employees directly. Through clever social engineering, they convince unsuspecting individuals to enter their login details and, crucially, their multi-factor authentication (MFA) codes onto fake login pages that look identical to their company's legitimate portals. This real-time manipulation allows them to bypass security measures that are meant to protect your accounts.

And this is the part most people miss: the attackers aren't just stealing credentials; they're actively harvesting data. Once they've successfully compromised an SSO account, they can navigate through the list of all the connected applications and services. This means they can then systematically extract sensitive information from any platform the compromised user has access to. We've seen evidence that ShinyHunters has been sending extortion demands to multiple companies that have fallen victim to these attacks, explicitly stating their involvement.
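One way a defender could detect the post-compromise pattern described above, a sign-in from an unfamiliar source followed by rapid access to many connected applications. This is an added example, not part of the original article; the log schema, field names, baseline IPs and thresholds are all assumptions, and the events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed events in a generic, hypothetical SSO audit schema (not a vendor format).
SAMPLE_LOG = """\
{"ts":"2026-01-20T09:00:05Z","user":"alice","ip":"198.51.100.7","event":"login"}
{"ts":"2026-01-20T09:01:10Z","user":"alice","ip":"198.51.100.7","event":"app_access","app":"slack"}
{"ts":"2026-01-20T09:02:00Z","user":"alice","ip":"198.51.100.7","event":"app_access","app":"salesforce"}
{"ts":"2026-01-20T09:02:30Z","user":"alice","ip":"198.51.100.7","event":"app_access","app":"zendesk"}
{"ts":"2026-01-20T09:03:00Z","user":"alice","ip":"198.51.100.7","event":"app_access","app":"dropbox"}
{"ts":"2026-01-20T14:10:00Z","user":"bob","ip":"192.0.2.44","event":"login"}
{"ts":"2026-01-20T14:10:40Z","user":"bob","ip":"192.0.2.44","event":"app_access","app":"salesforce"}
{"ts":"2026-01-20T14:11:15Z","user":"bob","ip":"192.0.2.44","event":"app_access","app":"slack"}
{"ts":"2026-01-20T14:11:20Z","user":"bob","ip":"192.0.2.44","event":"app_access","app":"slack"}
{"ts":"2026-01-20T14:12:05Z","user":"bob","ip":"192.0.2.44","event":"app_access","app":"dropbox"}
{"ts":"2026-01-20T14:13:30Z","user":"bob","ip":"192.0.2.44","event":"app_access","app":"zendesk"}
{"ts":"2026-01-20T16:00:00Z","user":"carol","ip":"192.0.2.99","event":"login"}
{"ts":"2026-01-20T16:01:00Z","user":"carol","ip":"192.0.2.99","event":"app_access","app":"slack"}
"""
# Assumed per-user baseline of previously seen source IPs.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"203.0.113.20"}, "carol": {"203.0.113.31"}}

def parse(text):
    """Parse JSON-lines audit events and convert timestamps to datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def detect_fanout(events, known_ips, window=timedelta(minutes=10), min_apps=4):
    """Alert when a login from an unfamiliar IP is followed by access to
    min_apps distinct applications inside the time window."""
    alerts, sessions = [], {}   # sessions: (user, ip) -> (login time, apps seen)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["event"] == "login" and e["ip"] not in known_ips.get(e["user"], set()):
            sessions[key] = (e["ts"], set())
        elif e["event"] == "app_access" and key in sessions:
            start, apps = sessions[key]
            if e["ts"] - start <= window and e["app"] not in apps:
                apps.add(e["app"])
                if len(apps) == min_apps:   # fire once per tracked session
                    alerts.append({"user": e["user"], "ip": e["ip"], "apps": sorted(apps),
                                   "seconds": int((e["ts"] - start).total_seconds())})
    return alerts
```

Calling `detect_fanout(parse(SAMPLE_LOG), KNOWN_IPS)` flags only bob's session: alice touches as many applications but from a known IP, and carol signs in from a new IP without the fan-out.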

While Okta initially declined to comment on these specific data theft incidents, they did release a report detailing the very phishing kits being used. These kits are quite advanced, featuring web-based control panels that allow attackers to dynamically alter what a victim sees on a phishing site while they are on the phone with them. This enables the attackers to guide their victims through the entire login and MFA process, making the deception incredibly convincing. If the attackers encounter an MFA prompt, they can instantly display new dialog boxes on the phishing site to instruct the victim on how to approve a push notification, enter a one-time code, or complete any other authentication step.

ShinyHunters has now confirmed their role in these social engineering attacks. They've stated that Salesforce remains their primary target, with other platforms serving as secondary benefits. They also confirmed aspects of the phishing infrastructure used, though they claim their own systems were built in-house. The group is reportedly leveraging data stolen from previous breaches, such as the large-scale Salesforce data theft incidents, to gather personal details like phone numbers, job titles, and names. This information is crucial for making their vishing calls sound authentic and trustworthy.

Recently, ShinyHunters also relaunched their data leak site, Tordata, showcasing data from breaches at SoundCloud, Betterment, and Crunchbase. SoundCloud had previously disclosed a breach in December 2025, and Betterment confirmed a data breach this month. Crunchbase, which had not previously reported a breach, has now confirmed that data was exfiltrated from its corporate network. They are currently working with cybersecurity experts and law enforcement to assess the impact.

Now, for the thought-provoking part: Given the increasing sophistication of these vishing attacks and the reliance on SSO, are companies doing enough to educate their employees about these evolving threats? Should SSO providers like Okta, Microsoft, and Google be implementing even more robust, user-friendly security measures to combat this type of social engineering? What are your thoughts – are you more concerned about the convenience of SSO or the security risks it presents? Let us know in the comments below!

Article information

Author: Fr. Dewey Fisher
