ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The ShinyHunters extortion group claimed responsibility for a recent Okta SSO voice-phishing (vishing) campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise Crunchbase and Betterment, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming.
ShinyHunters published alleged datasets for Crunchbase, Betterment, and SoundCloud on a newly launched leak site, asserting the dumps contain PII and large record counts (reported as >20 million for Betterment, ~2 million for Crunchbase, and ~30+ million for SoundCloud). SoundCloud stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was not obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly 20% of users (about 28 million based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Public reporting notes attribution uncertainty around 'ShinyHunters' branding
Researchers and journalists reported that the campaign was 'ShinyHunters-branded' but warned the name could reflect misattribution or opportunistic reuse rather than confirmed actor identity. They advised focusing on the observed tactics, techniques, and procedures instead of branding alone.
Researchers estimate campaign targeted over 100 enterprises
Silent Push assessed that more than 100 Okta SSO accounts at high-value enterprises had been targeted or had attack infrastructure prepared against them, while cautioning this did not prove all named companies were breached. Mandiant corroborated the ongoing campaign and described post-compromise SaaS data theft and extortion activity.
ShinyHunters claims access to Crunchbase and Betterment
ShinyHunters told reporters it used voice-phished Okta SSO codes to access Crunchbase and Betterment. Downloaded Crunchbase files were reported to contain personally identifiable information and corporate documents.
Alon Gal reports ShinyHunters claimed the Okta vishing campaign
Hudson Rock co-founder Alon Gal said ShinyHunters confirmed to him that it was behind the recent Okta-focused vishing campaign. He also reported that the group had published alleged data from Crunchbase, SoundCloud, and Betterment on its new leak site.
ShinyHunters launches a new Tor leak site
ShinyHunters opened a new Tor-based victims blog to publish stolen data and pressure victims who refused extortion demands. The site listed alleged victims including Crunchbase, SoundCloud, and Betterment.
Okta warns customers about voice-phishing kits
Okta Threat Intelligence issued an alert warning that criminals were using voice-phishing kits to target Google, Microsoft, and Okta accounts. Okta and other researchers emphasized the activity relied on social engineering rather than an Okta product vulnerability.
ShinyHunters-linked vishing campaign targets SSO accounts
An active campaign used phone-based social engineering to steal SSO credentials and MFA codes for Okta, Microsoft, and Google-linked accounts, then pivot into SaaS environments for data theft and extortion. Researchers later said the operation also enrolled attacker-controlled devices into victims' MFA solutions.
Attackers begin registering SSO-themed phishing domains
Sophos identified a cluster of roughly 150 malicious domains impersonating SSO and authentication providers that began appearing in December 2025. The infrastructure suggested broad preparation for voice-phishing and credential-theft operations against enterprise identity platforms.
SoundCloud confirms a breach in December
SoundCloud previously confirmed a breach in December 2025. Later reporting said the company was reviewing ShinyHunters' claim that data from SoundCloud had been published on the group's new leak site.
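A detection sketch for the device-enrollment step described in the timeline above, added here as an example and not taken from Okta or any of the cited researchers. It flags an MFA factor activation that follows, within a short window, a sign-in from an IP address the user had not used before. The event type strings follow Okta System Log naming; the flattened record layout, the 30-minute window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: tune to your own environment

# Constructed sample events: simplified, flattened stand-ins for SSO audit-log
# records. Addresses come from the reserved documentation ranges.
EVENTS = [
    {"ts": "2026-01-09T10:00:00", "user": "carol", "ip": "192.0.2.30", "type": "user.session.start"},
    {"ts": "2026-01-10T09:00:00", "user": "alice", "ip": "192.0.2.10", "type": "user.session.start"},
    {"ts": "2026-01-11T08:00:00", "user": "bob", "ip": "192.0.2.20", "type": "user.session.start"},
    {"ts": "2026-01-11T08:10:00", "user": "bob", "ip": "192.0.2.20", "type": "user.mfa.factor.activate"},
    {"ts": "2026-01-11T10:00:00", "user": "carol", "ip": "198.51.100.9", "type": "user.session.start"},
    {"ts": "2026-01-11T12:00:00", "user": "carol", "ip": "198.51.100.9", "type": "user.mfa.factor.activate"},
    {"ts": "2026-01-12T14:02:00", "user": "alice", "ip": "203.0.113.50", "type": "user.session.start"},
    {"ts": "2026-01-12T14:06:00", "user": "alice", "ip": "203.0.113.50", "type": "user.mfa.factor.activate"},
]


def flag_suspicious_enrollments(events, window=WINDOW):
    """Return (user, ip, ts) for each MFA factor activation that happens within
    `window` of a sign-in from an IP the user had never signed in from before."""
    known_ips = {}     # user -> IPs seen at earlier sign-ins (the baseline)
    new_ip_login = {}  # user -> (ip, time) of the latest first-seen-IP sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["type"] == "user.session.start":
            seen = known_ips.setdefault(user, set())
            # The very first sign-in only builds the baseline; it is not flagged.
            if seen and ip not in seen:
                new_ip_login[user] = (ip, ts)
            seen.add(ip)
        elif ev["type"] == "user.mfa.factor.activate":
            hit = new_ip_login.get(user)
            # Same IP as the unfamiliar sign-in, and close enough in time.
            if hit and hit[0] == ip and ts - hit[1] <= window:
                alerts.append((user, ip, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for user, ip, ts in flag_suspicious_enrollments(EVENTS):
        print(f"review: {user} enrolled a new factor from first-seen IP {ip} at {ts}")
```

An alert from this logic is a prompt to verify the enrollment with the user out of band, since a legitimate new phone set up while travelling produces the same pattern.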
Sources
Real-Time phishing kits target Okta, Microsoft, Google (cyberscoop.com)
Canva among ~100 ShinyHunters credential-theft targets • The Register (go.theregister.com)
ShinyHunters claim to be behind SSO-account data theft attacks - DataBreaches.Net (databreaches.net)
ShinyHunters claims Okta customer breaches, leaks data • The Register (go.theregister.com)
ShinyHunters group opens new dark web leak site, claims responsibility for OKTA vishing campaign - DataBreaches.Net (databreaches.net)
BIG - ShinyHunters confirmed to me that they are behind the recent Okta vishing campaign and have published alleged data from three major victims (Crunchbase, SoundCloud, and Betterment) on their new… | Alon Gal (linkedin.com)


