The cybercrime group ShinyHunters has claimed responsibility for a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts linked to major platforms, including Okta, Microsoft Entra, and Google.
The attacks are being used to break into corporate cloud services and steal company data for extortion.
In these attacks, threat actors call employees while pretending to be IT support staff. Victims are tricked into logging into fake company portals and entering their usernames, passwords, and multi-factor authentication codes in real time. Once the attackers gain access to an employee’s SSO account, they can move into multiple connected business applications using a single login.
SSO services allow companies to connect third-party apps into one authentication system, giving employees access to cloud services, internal tools, and enterprise platforms through a single dashboard. If one SSO account is compromised, attackers can potentially access email, file storage, CRM tools, and collaboration platforms linked to that account.
Commonly connected services include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and other widely used business tools. This makes SSO accounts a valuable target for attackers seeking large amounts of sensitive corporate data.
As first reported by BleepingComputer, the attackers actively guide victims through the login process during phone calls. After gaining access, they review the list of connected applications and begin extracting data from platforms available to the compromised user.
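The post-login behavior described above, a fresh SSO session fanning out across many connected applications, can be checked for in identity-provider logs. The following is an added defensive example, not code from the article, Okta, or any vendor: the event schema, field names, sample events, and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not any identity provider's real log format).
EVENTS = [
    {"ts": "2026-01-20T09:00:00", "user": "alice", "ip": "198.51.100.10", "type": "login_mfa_ok"},
    {"ts": "2026-01-20T09:01:00", "user": "alice", "ip": "198.51.100.10", "type": "app_sso", "app": "slack"},
    {"ts": "2026-01-20T09:02:00", "user": "alice", "ip": "198.51.100.10", "type": "app_sso", "app": "m365"},
    {"ts": "2026-01-20T10:00:00", "user": "bob", "ip": "203.0.113.77", "type": "login_mfa_ok"},
    {"ts": "2026-01-20T10:01:00", "user": "bob", "ip": "203.0.113.77", "type": "app_sso", "app": "salesforce"},
    {"ts": "2026-01-20T10:02:30", "user": "bob", "ip": "203.0.113.77", "type": "app_sso", "app": "m365"},
    {"ts": "2026-01-20T10:04:00", "user": "bob", "ip": "203.0.113.77", "type": "app_sso", "app": "slack"},
    {"ts": "2026-01-20T10:06:00", "user": "bob", "ip": "203.0.113.77", "type": "app_sso", "app": "dropbox"},
    {"ts": "2026-01-20T10:40:00", "user": "bob", "ip": "203.0.113.77", "type": "app_sso", "app": "zendesk"},
    {"ts": "2026-01-20T11:00:00", "user": "carol", "ip": "192.0.2.44", "type": "login_mfa_ok"},
    {"ts": "2026-01-20T11:03:00", "user": "carol", "ip": "192.0.2.44", "type": "app_sso", "app": "slack"},
]

# Constructed baseline: source IPs previously seen for each user.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}, "carol": {"198.51.100.30"}}


def flag_sso_fanout(events, known_ips, window=timedelta(minutes=15), min_apps=4):
    """Flag (user, ip) pairs where an MFA-verified login from an IP not in the
    user's baseline is followed, within `window`, by SSO into at least
    `min_apps` distinct applications. Thresholds are illustrative assumptions."""
    logins = {}  # (user, ip) -> time of latest MFA-verified login from an unfamiliar IP
    apps = {}    # (user, ip) -> distinct apps opened inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["type"] == "login_mfa_ok":
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                logins[key] = ts
                apps[key] = set()
        elif ev["type"] == "app_sso" and key in logins:
            if ts - logins[key] <= window:
                apps[key].add(ev["app"])
    return {k: sorted(v) for k, v in apps.items() if len(v) >= min_apps}


if __name__ == "__main__":
    for (user, ip), opened in flag_sso_fanout(EVENTS, KNOWN_IPS).items():
        print(f"review: {user} from {ip} opened {len(opened)} apps: {', '.join(opened)}")
```

Because the victim completes MFA themselves in these attacks, the login event alone looks legitimate; the unfamiliar source combined with rapid access to several applications is what the check keys on.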
Although Okta declined to comment on the reported data thefts, the company published a report describing voice phishing kits that closely match the attack methods used. According to Okta, the phishing kits include a live web-based control panel that allows attackers to change what victims see on fake login pages while speaking to them on the phone. This lets attackers guide victims step by step through password and MFA approval requests.
If attackers trigger an MFA challenge while logging in to a real service, the phishing site can instantly display instructions telling victims to approve push notifications, enter one-time codes, or complete other authentication steps.
ShinyHunters later confirmed to BleepingComputer that it was behind some of the social engineering attacks. The group said its main target remains Salesforce, while access to other platforms is used as a means to reach that goal. It also confirmed details about the phishing infrastructure used in the campaign but denied using the specific command-and-control server screenshot shared by Okta, claiming its tools were developed internally.
The group stated that it is targeting SSO platforms from Okta, Microsoft Entra, and Google. Microsoft said it had no comment at this time, while Google said it had found no evidence that its products were being abused.
ShinyHunters also claimed it is using data stolen in previous breaches, including past Salesforce-related incidents, to identify employees. This data reportedly includes names, phone numbers, job titles, and other details that make the phone-based social engineering attacks more convincing.
The group recently relaunched its Tor-based data leak site, which now lists alleged breaches involving SoundCloud, Betterment, and Crunchbase. SoundCloud previously confirmed a data breach in December 2025, while Betterment acknowledged misuse of its email platform and data theft earlier this month.
Crunchbase, which had not publicly disclosed a breach before, confirmed that data was stolen from its corporate network. The company said the incident was contained, systems are secure, and law enforcement has been notified while it reviews whether affected users need to be informed.





