Mallory

ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture

Tags: data theft, account takeover, phishing portal, phishing, helpdesk impersonation, SaaS, vishing, Salesforce, SharePoint, SSO, Microsoft 365, DocuSign, contractor account, Microsoft Entra, extortion

Updated February 4, 2026 at 02:00 AM · 8 sources


ShinyHunters has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted voice phishing (vishing) and company-branded phishing portals built to capture SSO credentials and MFA codes. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and interact with victims in real time (including coaxing them to approve push prompts or read out one-time codes) so that the attacker can authenticate and then enroll an attacker-controlled device as an MFA factor. Neither a one-time code nor a push approval is bound to the site the victim is actually looking at, which is what lets a live operator relay them. After account takeover, the actor pivots through Okta, Microsoft Entra, or Google SSO dashboards to rapidly access downstream SaaS services (e.g., Salesforce, Microsoft 365/SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive), turning a single compromised identity into broad cloud data access.
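The chain described above (sign-in from an unfamiliar network, a new MFA factor enrolled minutes later, then a fan-out across several SaaS apps from the same session) is the kind of sequence an identity-log detection should correlate rather than alert on piecemeal. The following is an added example written for this page, not code from Mallory, Mandiant or any SSO vendor. Event names follow Okta System Log conventions (`user.session.start`, `user.mfa.factor.activate`, `user.authentication.sso`), but the flat record shape, the IP baseline and the sample records are constructed for illustration; a real deployment would read the provider's API and use a 30-day sign-in history as the baseline.

```python
"""Flag the vishing-to-SaaS-fanout pattern in SSO audit events.

Added illustration, not Mallory's or Mandiant's code. Event names follow
Okta System Log conventions, but the flat record shape, the baseline and
the sample records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified Okta System Log shape, not real data).
# alice: unseen IP -> MFA factor enrolled -> four SaaS apps within 20 minutes.
# bob:   known IP, one app, no enrollment (normal day).
# carol: unseen IP, one app, no enrollment (likely travel; not flagged).
SAMPLE_EVENTS = [
    {"time": "2026-02-02T14:00:00+00:00", "event": "user.session.start",       "user": "alice@example.com", "ip": "203.0.113.45", "app": None},
    {"time": "2026-02-02T14:04:00+00:00", "event": "user.mfa.factor.activate", "user": "alice@example.com", "ip": "203.0.113.45", "app": None},
    {"time": "2026-02-02T14:10:00+00:00", "event": "user.authentication.sso",  "user": "alice@example.com", "ip": "203.0.113.45", "app": "Salesforce"},
    {"time": "2026-02-02T14:12:00+00:00", "event": "user.authentication.sso",  "user": "alice@example.com", "ip": "203.0.113.45", "app": "Microsoft 365"},
    {"time": "2026-02-02T14:15:00+00:00", "event": "user.authentication.sso",  "user": "alice@example.com", "ip": "203.0.113.45", "app": "DocuSign"},
    {"time": "2026-02-02T14:20:00+00:00", "event": "user.authentication.sso",  "user": "alice@example.com", "ip": "203.0.113.45", "app": "Slack"},
    {"time": "2026-02-02T09:00:00+00:00", "event": "user.session.start",       "user": "bob@example.com",   "ip": "198.51.100.7", "app": None},
    {"time": "2026-02-02T09:05:00+00:00", "event": "user.authentication.sso",  "user": "bob@example.com",   "ip": "198.51.100.7", "app": "Salesforce"},
    {"time": "2026-02-02T11:00:00+00:00", "event": "user.session.start",       "user": "carol@example.com", "ip": "192.0.2.99",   "app": None},
    {"time": "2026-02-02T11:03:00+00:00", "event": "user.authentication.sso",  "user": "carol@example.com", "ip": "192.0.2.99",   "app": "Google Drive"},
]

# Constructed baseline: IPs each user has signed in from recently.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.7"},
    "bob@example.com": {"198.51.100.7"},
    "carol@example.com": {"198.51.100.7"},
}


def find_suspicious_sessions(events, known_ips, window=timedelta(minutes=60), min_apps=3):
    """Return one finding per session that starts from an unseen IP and, within
    `window`, both enrolls a new MFA factor and reaches >= min_apps distinct apps."""
    by_user = defaultdict(list)
    for e in events:
        rec = dict(e, time=datetime.fromisoformat(e["time"]))
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for i, start in enumerate(recs):
            if start["event"] != "user.session.start":
                continue
            if start["ip"] in known_ips.get(user, set()):
                continue  # familiar network: not the pattern being hunted here
            deadline = start["time"] + window
            enrolled, apps = False, set()
            for r in recs[i + 1:]:
                if r["time"] > deadline:
                    break
                if r["event"] == "user.mfa.factor.activate":
                    enrolled = True
                elif r["event"] == "user.authentication.sso" and r["app"]:
                    apps.add(r["app"])
            if enrolled and len(apps) >= min_apps:
                findings.append({
                    "user": user,
                    "ip": start["ip"],
                    "session_start": start["time"].isoformat(),
                    "apps": sorted(apps),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{f['user']} from {f['ip']} at {f['session_start']}: "
              f"new MFA factor + {len(f['apps'])} apps {f['apps']}")
```

Only alice is flagged: carol's unseen IP alone is a weak signal (travel, VPN), and bob never enrolls a factor. Requiring the enrollment plus the fan-out inside one window keeps the rule tight to the tradecraft in the reporting; tune `window` and `min_apps` to your own sign-in history, and consider adding the device-enrollment IP differing from the session IP as a further condition, since the operator enrolls from their own machine.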

Separately, Bumble reported a phishing-driven compromise of a contractor account, after which ShinyHunters claimed theft of ~30 GB of data, reported as largely internal files sourced from Google Drive and Slack; Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as Hinge, Match, and OkCupid), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.

Sources

February 2, 2026 at 12:00 AM; 3 more from sources including the Rescana blog, BleepingComputer and SC World

Related Stories

ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion

Google-owned **Mandiant** reported an expansion in **ShinyHunters**-style intrusions using **voice phishing (vishing)** and spoofed credential-harvesting sites to steal **SSO credentials** and **MFA codes**, enabling unauthorized access to cloud **SaaS** environments. Mandiant tracked the activity across multiple clusters (**UNC6661**, **UNC6671**, and **UNC6240** / *ShinyHunters*) and assessed the objective as data theft from cloud applications (including internal communications) followed by **extortion**, with some incidents involving escalatory pressure such as **harassment of victim personnel**. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA. Separate reporting characterized the same campaign as a broad vishing operation with **hundreds of organizations** in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, a Fortinet write-up on **Interlock** ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.

1 month ago
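Both this story and the page summary above describe the same mechanism: the operator gets the victim to read out a one-time code or approve a push, and enrolls their own device once inside. The reason that works is that neither factor carries any statement of where the user was when they produced it, whereas a WebAuthn/FIDO2 assertion does. The following is an added example written for this page, not code from Mallory, Mandiant or any IdP. The TOTP routine is RFC 6238 with HMAC-SHA1; the assertion side is a deliberately simplified stand-in for WebAuthn that uses a shared HMAC key in place of a public-key signature (an assumption made for brevity), and the origins, challenge and secrets are constructed.

```python
"""Why a relayed one-time code still authenticates but a relayed
origin-bound assertion does not.

Added illustration, not code from Mallory or any of the cited reports.
TOTP is RFC 6238 (HMAC-SHA1). The "assertion" side is a toy stand-in for
WebAuthn using a shared HMAC key instead of a public-key signature
(assumption for brevity). Origins, challenge and secrets are constructed.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://sso.example.com"                  # constructed: the real IdP
PHISH_ORIGIN = "https://sso-example-mfa-update.example"  # constructed: the phishing portal


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the secret and the time,
    never on where the user typed it or who they read it out to."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def idp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def relayed_otp_attack(secret: bytes, unix_time: int) -> bool:
    """The victim reads the code to the 'helpdesk' (or types it into the
    portal); the operator submits it to the real IdP within the same step."""
    code_read_out_by_victim = totp(secret, unix_time)   # from the victim's authenticator
    return idp_verify_totp(secret, code_read_out_by_victim, unix_time)


def authenticator_sign(device_key: bytes, challenge: str, origin: str):
    """Toy WebAuthn client: the browser, not the user, writes the origin it
    is actually on into the signed client data."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig


def idp_verify_assertion(device_key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    """Verify the signature, then insist the signed origin is the IdP's own."""
    expected = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


def relayed_assertion_attack(device_key: bytes, challenge: str) -> bool:
    """The portal forwards the IdP's challenge to the victim's browser and
    relays the answer. The signature is valid, but the origin inside it is
    the phishing site, so the IdP refuses it."""
    client_data, sig = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return idp_verify_assertion(device_key, challenge, client_data, sig)


def legitimate_assertion(device_key: bytes, challenge: str) -> bool:
    client_data, sig = authenticator_sign(device_key, challenge, REAL_ORIGIN)
    return idp_verify_assertion(device_key, challenge, client_data, sig)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    key = b"device-key-constructed"     # constructed toy device key
    print("relayed TOTP accepted:      ", relayed_otp_attack(secret, 1_700_000_000))
    print("relayed assertion accepted: ", relayed_assertion_attack(key, "c0ffee"))
    print("legitimate assertion accepted:", legitimate_assertion(key, "c0ffee"))
```

In real WebAuthn the protection is stronger than the toy shows: the browser refuses to use a credential at all unless the page's origin matches the credential's RP ID, so the phishing portal never even obtains an assertion to relay. The practical caveat the reporting points to is the same either way: an organization that offers TOTP or push as a fallback alongside a phishing-resistant factor has left the relayable path in place, and the helpdesk-reset and new-device-enrollment flows need the same scrutiny as the login itself.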
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud

The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.

1 month ago
Match Group Confirms Data Theft After ShinyHunters Leak Claim

**Match Group** confirmed it is investigating a “recently identified security incident” after **ShinyHunters** claimed to have stolen and leaked data tied to its dating platforms, including **Hinge, Match.com, and OkCupid**. The actor advertised a dump of roughly **1.7 GB** of compressed files and claimed **10+ million records** plus internal documents; Match Group said it moved quickly to terminate unauthorized access and is working with external incident response experts while notifying affected individuals as appropriate. Reporting indicates the intrusion likely stemmed from compromised identity and SaaS access rather than direct compromise of the dating apps themselves. The alleged source of exposure was **AppsFlyer** (a marketing analytics platform), and one account of the incident attributes initial access to a compromised **Okta SSO** account that enabled access to AppsFlyer and cloud storage (including **Google Drive** and **Dropbox**). Match Group stated there is currently **no indication** that **user login credentials, financial information, or private communications** were accessed, while third-party review of samples reportedly suggested the dataset includes personal customer data, some employee details, and internal corporate material.

1 month ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.