
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud

Updated January 27, 2026 at 01:00 AM. 8 sources.

The ShinyHunters extortion group claimed responsibility for a recent Okta SSO voice-phishing (vishing) campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise Crunchbase and Betterment, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming.

ShinyHunters published alleged datasets for Crunchbase, Betterment, and SoundCloud on a newly launched leak site, asserting the dumps contain PII and large record counts (reported as >20 million for Betterment, ~2 million for Crunchbase, and ~30+ million for SoundCloud). SoundCloud stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was not obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly 20% of users (about 28 million based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.

Related Stories

SoundCloud Data Breach Exposes 29.8 Million User Records

SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate **hidden email addresses** with information already visible on public SoundCloud profiles, impacting roughly **29.8 million accounts** (about **20%** of its user base). Exposed data was primarily **email addresses** plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated **no passwords or financial data** were accessed. Users also reported service disruptions around the time of the incident, including access issues such as `403 Forbidden` errors (notably when connecting via VPN), consistent with post-incident security changes and response actions. Reporting attributed the intrusion and subsequent extortion attempt to the **ShinyHunters** group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as **email flooding**. The stolen dataset was subsequently leaked and then added to *Have I Been Pwned* for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).

1 month ago
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture

**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.

1 month ago
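
A defender-side correlation for the chain summarized in the story above (an MFA device enrolled from an unfamiliar address, followed by rapid fan-out across SSO-connected apps), as an added example that is not from Mandiant or the original reporting. The event field names, the 60-minute window and the three-app threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed look-ahead after an MFA enrollment
MIN_APPS = 3                    # assumed fan-out threshold (distinct apps)

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2026-01-20T09:00:00", "user": "alice", "type": "sso_app", "ip": "198.51.100.10", "app": "mail"},
    {"ts": "2026-01-20T14:02:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77", "app": None},
    {"ts": "2026-01-20T14:05:00", "user": "alice", "type": "sso_app", "ip": "203.0.113.77", "app": "crm"},
    {"ts": "2026-01-20T14:09:00", "user": "alice", "type": "sso_app", "ip": "203.0.113.77", "app": "files"},
    {"ts": "2026-01-20T14:15:00", "user": "alice", "type": "sso_app", "ip": "203.0.113.77", "app": "chat"},
    {"ts": "2026-01-20T08:30:00", "user": "bob", "type": "sso_app", "ip": "198.51.100.20", "app": "mail"},
    {"ts": "2026-01-20T10:00:00", "user": "bob", "type": "mfa_enroll", "ip": "198.51.100.20", "app": None},
    {"ts": "2026-01-20T10:05:00", "user": "bob", "type": "sso_app", "ip": "198.51.100.20", "app": "crm"},
    {"ts": "2026-01-20T10:10:00", "user": "bob", "type": "sso_app", "ip": "198.51.100.20", "app": "files"},
    {"ts": "2026-01-20T10:20:00", "user": "bob", "type": "sso_app", "ip": "198.51.100.20", "app": "chat"},
    {"ts": "2026-01-20T11:00:00", "user": "carol", "type": "mfa_enroll", "ip": "203.0.113.5", "app": None},
    {"ts": "2026-01-20T11:04:00", "user": "carol", "type": "sso_app", "ip": "203.0.113.5", "app": "mail"},
]

def find_suspicious_enrollments(events, window=WINDOW, min_apps=MIN_APPS):
    """Flag MFA enrollments from an IP the user has not used before that are
    followed, within `window`, by SSO into at least `min_apps` distinct apps."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        seen_ips = set()  # addresses this user was seen on earlier in the log
        for i, e in enumerate(evs):
            if e["type"] == "mfa_enroll" and e["ip"] not in seen_ips:
                start = datetime.fromisoformat(e["ts"])
                apps = {n["app"] for n in evs[i + 1:]
                        if n["type"] == "sso_app" and n["ip"] == e["ip"]
                        and datetime.fromisoformat(n["ts"]) - start <= window}
                if len(apps) >= min_apps:
                    alerts.append({"user": user, "ip": e["ip"],
                                   "enrolled_at": e["ts"], "apps": sorted(apps)})
            seen_ips.add(e["ip"])
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```

Enrollments from an address the user already used (bob) and enrollments with no app fan-out (carol) are not flagged; tune the window and threshold against your own identity provider's baseline.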
ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio

**Crunchbase** confirmed a cybersecurity incident after the **ShinyHunters** cybercrime group claimed it stole **over 2 million personal records**. ShinyHunters reportedly posted a **402 MB compressed archive** online after an extortion attempt failed, and Crunchbase stated the threat actor **exfiltrated certain documents from its corporate network**. Crunchbase said business operations were not disrupted, the incident was **contained**, external cybersecurity experts were engaged, and **federal law enforcement** was notified while the company reviews the exposed data to determine required legal notifications. In a separate ShinyHunters-linked extortion case, French crypto tax platform **Waltio** was reported to be facing a ransom threat tied to alleged theft of personal data for **nearly 50,000 users**, including threatened exposure of users’ **2024 tax reports**. Waltio stated its services and production systems remained secure and that **no sensitive banking or crypto access data** was compromised. The activity aligns with ShinyHunters’ established pattern of **data theft and leak-site pressure** when ransom demands are not met.

1 month ago
