ShinyHunters Claims Credit for SSO Vishing Attacks Driving Data Theft and Extortion
ShinyHunters says it is behind ongoing vishing campaigns targeting single sign-on (SSO) accounts for downstream data theft and extortion. The group's relaunched leak site lists SoundCloud, Betterment, and Crunchbase, with Crunchbase confirming a corporate network data theft incident. The activity aligns with Okta's warning on real-time 'vishing kits' designed to defeat non-phishing-resistant MFA.
What's happening
The operational pattern is increasingly consistent across identity-centric intrusions:
- Initial access - Attackers socially engineer users over the phone (often impersonating internal IT/helpdesk)
- Credential harvesting - Attackers harvest SSO credentials + MFA material (OTP/TOTP or push approvals) using real-time phishing infrastructure
- SaaS pivot - After gaining SSO access, they move into high-value SaaS (commonly CRM, productivity suites, file storage, and support tooling) and exfiltrate data quickly
- Monetization - The extortion phase (pay to prevent leaks) is reinforced with the credibility pressure of a public data leak site
Phone call → Real-time credential capture → SSO access → SaaS data theft → Extortion
Why ShinyHunters' claim matters
Even if a "brand" claim is not the same as definitive attribution, it is operationally important for defenders because:
| Factor | Implication |
|---|---|
| Sets expectations | Rapid exfiltration, fast extortion follow-up, public leak pressure |
| Narrows the playbook | Identity-driven access, not exploit-driven access |
| Signals intelligence reuse | Attackers leverage data from prior breaches (names, roles, phone numbers) to make calls more convincing |
Known / claimed impacted organizations
Based on the leak-site listings and reporting around the claim:
- SoundCloud - Listed on leak site
- Betterment - Listed on leak site
- Crunchbase - Confirmed exfiltration of certain corporate documents; stated operations were not disrupted
How the SSO vishing chain works
Okta's threat intelligence describes modern vishing kits as "operator consoles" for phone-based social engineering:
Attack sequence
| Step | Action |
|---|---|
| 1. Reconnaissance | Identify the employee, their role, apps used, and helpdesk/IT context |
| 2. Phone call | Impersonate IT/security; create urgency (e.g., "passkey enrollment," "security verification," "account lockout") |
| 3. Real-time phishing site | Victim is guided to a spoofed login page; credentials are captured and forwarded immediately |
| 4. MFA handling | The kit dynamically changes prompts so the victim sees exactly what the attacker needs (OTP entry, push approval, number matching) |
| 5. SSO dashboard pivot | Once in, attackers enumerate accessible apps and target the easiest data-exfil paths |
| 6. Extortion | Payment demand shortly after detection, often with proof-of-access and samples |
The vishing kit acts as a live proxy, forwarding credentials and MFA tokens to the real site before they expire.
Defensive priorities (what to do first)
1) Enforce phishing-resistant MFA
Move critical identity flows to phishing-resistant options and enforce those policies for SSO and admin actions:
| Method | Phishing Resistant |
|---|---|
| FIDO2 / Security Keys | Yes |
| Passkeys | Yes |
| Smart Cards | Yes |
| SMS OTP | No |
| TOTP (Authenticator app) | No |
| Push notifications | No |
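Why the "Yes" rows resist a live proxy comes down to origin binding in WebAuthn. The following added example (not code from the original article or from any vendor) models the relying-party checks that make this work: the browser writes the page origin into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData, so an assertion produced on a look-alike host fails at the real SSO provider even when the challenge is forwarded unchanged. The RP ID, origin, challenge and the second host name are constructed values; signature verification is noted but omitted.

```python
import hashlib
import json

# Relying-party configuration (constructed example values).
RP_ID = "sso.example.com"                    # assumed RP ID of the SSO provider
EXPECTED_ORIGIN = "https://sso.example.com"  # the only origin an assertion may carry

def rp_id_hash(rp_id: str) -> bytes:
    """Authenticators place SHA-256(rpId) in the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode()).digest()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes, challenge: str):
    """Subset of WebAuthn assertion checks that provide phishing resistance. The
    signature check over authenticatorData || SHA-256(clientDataJSON) comes after
    these checks and is omitted here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge:
        return False, "challenge mismatch"
    # The browser, not the user, fills in origin: a page served from another host
    # yields a different origin string, so a relayed assertion is rejected here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    # The authenticator hashed the RP ID the browser enforced for that origin.
    if authenticator_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"

def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON as a browser produces it for the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) + flags UP|UV + signCount."""
    return rp_id_hash(rp_id) + b"\x05" + (1).to_bytes(4, "big")

def demo():
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge
    # Genuine flow: the browser is on the real SSO origin.
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_authenticator_data(RP_ID), challenge)
    # Same challenge relayed via a look-alike host (constructed name): the browser
    # only lets that page use its own origin and RP ID, so both bindings differ.
    relayed = verify_assertion(make_client_data("https://sso-support.invalid", challenge),
                               make_authenticator_data("sso-support.invalid"), challenge)
    return genuine, relayed
```

Contrast this with an OTP or push approval, which carries no origin at all and so passes through a proxy unchanged.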
2) Treat helpdesk identity verification as a security control
If your service desk can reset passwords or modify factors, it is part of your identity perimeter:
- Standardize caller verification procedures
- Restrict who can reset factors
- Use time-bound, scoped recovery mechanisms instead of broad resets
3) Reduce blast radius inside SaaS
Detection: correlate identity + SaaS signals
High-signal combinations to monitor:
| Signal Pattern | Risk |
|---|---|
| Unusual sign-in + new device + immediate MFA events | High |
| MFA approvals initiated during inbound "IT support" calls | Critical |
| New session creation followed by bulk downloads/exports in Salesforce/CRM | Critical |
| Sudden access to high-value data repositories not typical for that user | High |
| New OAuth app grants shortly after authentication | Medium |
Correlate identity events with downstream SaaS activity within short time windows (minutes to hours).
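The correlation described above, as an added example that is not part of the original article: a small detector that pivots on each sign-in and looks forward within fixed windows for MFA events, bulk exports and new OAuth grants, emitting the risk levels from the table. The event records, field names, window sizes and the "bulk" row threshold are all constructed assumptions; the "MFA approval during an inbound IT support call" row needs a user report or call record and is not derivable from logs alone.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), normalised as
# (timestamp, user, source, event, attributes) from IdP and SaaS audit feeds.
EVENTS = [
    ("2025-01-14T09:02:10Z", "j.doe", "idp", "signin", {"new_device": True}),
    ("2025-01-14T09:02:41Z", "j.doe", "idp", "mfa_push_approved", {}),
    ("2025-01-14T09:12:30Z", "j.doe", "idp", "oauth_grant", {"app": "Data Sync Helper"}),
    ("2025-01-14T09:31:05Z", "j.doe", "saas", "report_export", {"app": "crm", "rows": 185000}),
    ("2025-01-14T10:15:00Z", "a.lee", "idp", "signin", {"new_device": False}),
    ("2025-01-14T10:40:00Z", "a.lee", "saas", "report_export", {"app": "crm", "rows": 120}),
]

MFA_WINDOW = timedelta(minutes=5)     # sign-in -> MFA event (assumed threshold)
OAUTH_WINDOW = timedelta(minutes=30)  # authentication -> new OAuth grant (assumed)
EXPORT_WINDOW = timedelta(hours=2)    # session start -> bulk export (assumed)
BULK_ROWS = 10_000                    # assumed row count that counts as "bulk"

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def events_within(evs, t0, window, pred):
    """Attributes of one user's events in [t0, t0 + window] satisfying pred(event, attrs)."""
    return [a for t, e, a in evs if t0 <= t <= t0 + window and pred(e, a)]

def correlate(events):
    """Return (user, risk, finding) tuples for the signal patterns in the table above."""
    by_user = {}
    for ts, user, _source, event, attrs in sorted(events, key=lambda e: e[0]):
        by_user.setdefault(user, []).append((parse_ts(ts), event, attrs))
    findings = []
    for user, evs in by_user.items():
        for t0, event, attrs in evs:
            if event != "signin":
                continue  # every pattern pivots on a sign-in
            if attrs.get("new_device") and events_within(
                    evs, t0, MFA_WINDOW, lambda e, a: e.startswith("mfa_")):
                findings.append((user, "High", "new-device sign-in followed by MFA event"))
            exports = events_within(evs, t0, EXPORT_WINDOW,
                                    lambda e, a: e == "report_export" and a.get("rows", 0) >= BULK_ROWS)
            if exports:
                findings.append((user, "Critical",
                                 "bulk export of %d rows after new session" % exports[0]["rows"]))
            grants = events_within(evs, t0, OAUTH_WINDOW, lambda e, a: e == "oauth_grant")
            if grants:
                findings.append((user, "Medium",
                                 "new OAuth grant '%s' shortly after authentication" % grants[0]["app"]))
    return findings
```

Run against the constructed sample, j.doe produces one High, one Critical and one Medium finding, while a.lee's routine sign-in and small export produce none.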
Incident response checklist
If you suspect SSO vishing has occurred:
Immediate containment
- Contain identity first - Revoke sessions, reset credentials, rotate tokens, invalidate suspicious factor enrollments
- Audit MFA and factor changes - Identify who/what changed authenticators, recovery methods, or policies
- Inventory SaaS access - Review app dashboards, OAuth grants, connected apps, API usage, and export logs
Investigation
- Hunt for secondary access paths - Mailbox rules/forwarders, additional IdP accounts, support-tool enrollments
- Timeline reconstruction - Map the attack chain from initial call to data exfiltration
Preparation
- Prepare for extortion - Preserve evidence, coordinate legal/comms, and validate any leaked samples
Conclusion
The ShinyHunters claim reinforces a growing pattern: identity is the perimeter, and voice-based social engineering combined with real-time phishing infrastructure can defeat traditional MFA.
Move to phishing-resistant MFA (FIDO2/passkeys) for SSO and admin accounts as a priority.
Organizations should treat this as a wake-up call to:
- Enforce phishing-resistant MFA
- Harden helpdesk verification procedures
- Restrict and monitor SaaS bulk exports
- Build detection around identity-to-SaaS correlation
Frequently Asked Questions
ShinyHunters is a threat actor group known for data breaches and extortion. They operate a leak site to pressure victims into paying to prevent data publication. The group has been linked to numerous high-profile breaches.
SSO vishing combines voice phishing (phone calls impersonating IT/helpdesk) with real-time phishing infrastructure to steal single sign-on credentials and bypass MFA. Attackers guide victims through fake login flows while capturing credentials and MFA tokens in real time.
Modern vishing kits act as real-time proxies. When the victim enters an OTP or approves a push notification, the kit immediately forwards it to the real login page. This defeats MFA methods that are not cryptographically bound to the legitimate site (non-phishing-resistant MFA).
Phishing-resistant MFA includes FIDO2 security keys, passkeys, and smart cards that cryptographically verify the legitimate site before authenticating. These cannot be proxied because the authentication is bound to the real domain.
Enforce phishing-resistant MFA for SSO and admin accounts, strengthen helpdesk identity verification procedures, restrict bulk data exports from SaaS applications, and monitor for unusual sign-in patterns followed by large data access.
Look for: unusual sign-ins with new devices followed by immediate MFA events, MFA approvals during reported IT support calls, bulk downloads or exports from CRM/SaaS shortly after authentication, and new OAuth app grants or connected apps.