ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
ShinyHunters has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted voice phishing (vishing) and company-branded phishing portals designed to capture SSO credentials and MFA codes. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then enroll attacker-controlled devices into MFA. After account takeover, the actor pivots through Okta, Microsoft Entra, or Google SSO dashboards to rapidly access downstream SaaS services (e.g., Salesforce, Microsoft 365/SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive), turning a single compromised identity into broad cloud data access.
Separately, Bumble reported a phishing-driven compromise of a contractor account, after which ShinyHunters allegedly claimed theft of ~30 GB of data—reported as largely internal files sourced from Google Drive and Slack—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as Hinge, Match, and OkCupid), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues SaaS social-engineering alert
The Canadian Centre for Cyber Security issued Alert AL26-010 warning of ongoing financially motivated attacks against enterprise identity services and SaaS platforms using vishing, brand impersonation, adversary-in-the-middle phishing, help-desk abuse, and theft of OAuth refresh tokens from compromised third-party vendors. The alert said attackers typically pivot through SaaS environments via compromised SSO identities, exfiltrate data through legitimate APIs and export features, and pursue extortion without usually deploying malware, while recommending phishing-resistant MFA and tighter identity and SaaS controls.
CrowdStrike reports Cordial Spider and Snarky Spider SaaS extortion activity
CrowdStrike warned that the cybercrime clusters Cordial Spider and Snarky Spider were using vishing and adversary-in-the-middle SSO phishing to compromise identity providers and connected SaaS apps, then steal data for extortion. The report added that the actors remove existing MFA devices, create inbox rules to suppress security alerts, and in Snarky Spider cases can begin exfiltration in under an hour.
Obsidian details Okta persistence and SaaS pivot patterns in ShinyHunters campaign
Obsidian Security published new technical findings from three 2026 incidents showing attackers used anomalous, failure-heavy Okta login flows, then enrolled Okta FastPass or Okta Verify on devices named "Passkey," often linked to Genymobile-associated Android emulators. The report said the intruders quickly enumerated SSO-connected apps, pivoted into services such as Slack, Google Drive, Salesforce, and VPNs, and conducted bulk file downloads consistent with automated data exfiltration.
ReliaQuest reports shift to branded subdomain impersonation in ShinyHunters campaign
ReliaQuest reported that ShinyHunters had evolved its SaaS intrusion playbook to use branded subdomain impersonation and mobile-first, phone-guided adversary-in-the-middle phishing, often themed around SSO and Okta. The firm also assessed that the group was reusing previously exposed enterprise data to improve social-engineering pretexts and scaling operations through outsourced vishing and spam services, including Telegram-recruited voice operators.
Mandiant publishes report on ShinyHunters-linked SSO and MFA bypass tactics
Mandiant publicly detailed how ShinyHunters-linked clusters use synchronized vishing and phishing kits to capture credentials and MFA codes, enroll attacker-controlled MFA devices, and steal data from SaaS platforms. The report also provided indicators, infrastructure patterns, and defensive guidance for detecting and stopping the intrusions.
Match Group responds to ShinyHunters claims affecting dating apps
ShinyHunters also claimed theft of more than 10 million records from Hinge, Match, and OkCupid. Match Group characterized the incident as limited in scope and said there was no indication that login credentials, financial data, or private communications were accessed.
ShinyHunters claims theft of 30 GB of Bumble data
Reports said ShinyHunters claimed to have stolen about 30 GB of Bumble data, largely internal files allegedly taken from Google Drive and Slack. The claim was part of a broader string of alleged SaaS-focused thefts attributed to the group.
Bumble discloses contractor-account compromise via phishing
Bumble acknowledged a recent breach involving a contractor account compromised through phishing. The company said no user chats or profiles were exposed and that its investigation was ongoing.
Silent Push reports ShinyHunters targeting about 100 organizations
Silent Push said ShinyHunters was running an active voice-phishing campaign to steal Okta SSO credentials from roughly 100 organizations, including Canva, with evidence of targeting or infrastructure preparation across multiple industries. Mandiant confirmed the activity and said the attackers used vishing to capture credentials, enroll attacker-controlled MFA devices, access SaaS platforms, steal data, and sometimes extort victims.
Mandiant observes intensified intrusions and data theft in mid-January
In early to mid-January, Mandiant observed the clusters expanding activity across Okta, Microsoft 365, Google Workspace, SharePoint, OneDrive, Slack, Salesforce, and DocuSign. Attackers enrolled their own MFA devices, moved laterally through SaaS environments, and exfiltrated bulk cloud data for extortion.
ShinyHunters-linked vishing campaign begins targeting SaaS environments
Mandiant said the social-engineering campaign tied to clusters UNC6661, UNC6671, and UNC6240 was active by early January 2026. Attackers impersonated IT or help-desk staff, used company-branded phishing pages to capture SSO credentials and MFA codes, and then accessed cloud applications.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
20 references tracked. Mallory keeps watching after this page renders.
Troy Hunt: Weekly Update 502
troyhunt.com
Open sourceCybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
thehackernews.com
Open sourceAL26-010 - Cyber Criminals Social‑Engineering‑Enabled Compromise of Enterprise SaaS Environments - Canadian Centre for Cyber Security
cyber.gc.ca
Open source[GAME THEORY] ShinyHunters- Names Fade. Playbooks Stick.
blog.alphahunt.io
Open sourceShinyHunters alert: massive vishing attack targeting SSO accounts
sosransomware.com
Open sourceSilent Push details human-led ShinyHunters phishing campaign targeting Okta SSO accounts across organizations - Industrial Cyber
industrialcyber.co
Open sourceShinyHunters Targets 100+ Organizations Through Okta SSO Vishing Campaign
adminbyrequest.com
Open sourceCanva among ~100 ShinyHunters credential-theft targets • The Register
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion
Google-owned **Mandiant** reported an expansion in **ShinyHunters**-style intrusions using **voice phishing (vishing)** and spoofed credential-harvesting sites to steal **SSO credentials** and **MFA codes**, enabling unauthorized access to cloud **SaaS** environments. Mandiant tracked the activity across multiple clusters (**UNC6661**, **UNC6671**, and **UNC6240** / *ShinyHunters*) and assessed the objective as data theft from cloud applications (including internal communications) followed by **extortion**, with some incidents involving escalatory pressure such as **harassment of victim personnel**. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA. Separate reporting characterized the same campaign as a broad vishing operation with **hundreds of organizations** in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, a Fortinet write-up on **Interlock** ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.
Mar 21, 2026
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
Mar 21, 2026
ShinyHunters Extorts Charter and ZenBusiness After SaaS Account Breaches
Charter Communications confirmed a data breach after **ShinyHunters** threatened to leak allegedly stolen data, with the group claiming it accessed the company on April 1 through a voice-phishing attack that compromised an employee's Microsoft Entra account and opened a path into Charter's Salesforce environment. The attackers said they stole **40 million customer records**, including names, contact details, plan information, support ticket data, and some customer proprietary network information, while Charter said it notified authorities and, based on the data published, no sensitive personal information or CPNI was exfiltrated. The Charter incident follows a broader ShinyHunters extortion campaign targeting enterprise single sign-on accounts and connected SaaS platforms, especially **Salesforce**. In a separate case, the group claimed it stole several terabytes of data from **ZenBusiness** via platforms including Salesforce, Snowflake, and Mixpanel, and threatened to publish the data unless the company responded. Reporting also linked the campaign to claims involving Ameriprise Financial, Infinite Campus, Bumble, Hinge, Match, OkCupid, Mercer Advisors, Beacon Pointe Advisors, and attacks affecting Instructure's Canvas platform, underscoring a repeatable pattern of social engineering, SaaS data theft, and leak-site extortion.
May 30, 2026