Reports link ShinyHunters to SSO vishing attacks, but key details reserved for Okta paying customers


There are reports that threat actor ShinyHunters is behind an active voice phishing campaign, aimed at stealing single sign-on (SSO) credentials for Okta, Microsoft, and Google accounts.

This is a tactic that can hand attackers a direct route into many enterprises’ cloud-based software applications.

While Okta published details of the attack on Thursday, the most actionable technical details remain restricted to paying customers.


The criminal cyber group’s claimed involvement was confirmed to The Register and Bleeping Computer, amid continued data leak activity tied to the campaign.

According to The Register, the latest organizations to have data leaked as part of the operation include SoundCloud, fintech firm Betterment, and market intelligence company Crunchbase.

The tech title added that the criminals said they gained access to Crunchbase and Betterment by voice phishing Okta single sign-on codes, highlighting how attackers are increasingly focused on identity systems rather than exploiting traditional network vulnerabilities.

SoundCloud previously confirmed it had been breached in December, with attackers accessing data relating to around 20% of its users – approximately 28 million people.

Who are the ShinyHunters?

ShinyHunters is a well-known cybercrime and extortion gang, previously linked to multiple high-profile breaches and large-scale data theft campaigns, including last year’s Salesforce CRM data heist that targeted enterprise cloud services and customer databases.

The latest activity marks a shift in emphasis towards human-driven social engineering, an approach designed to bypass security controls by persuading employees to cooperate in the compromise.

Okta describes “real-time” vishing-enabled phishing kits

In its threat intelligence blog published on Friday, Okta Threat Intelligence details how these operations work, describing phishing kits built specifically to support attackers during live phone calls with targets.

“Once you get in the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering,” said Moussa Diallo, a threat researcher at Okta Threat Intelligence, in the report.

Okta added that attackers typically impersonate IT support, calling employees and directing them to phishing websites designed to look like legitimate login portals.

Victims are then tricked into entering their usernames, passwords, and multi-factor authentication (MFA) codes, giving attackers everything they need to take over the SSO session.

“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages,” Diallo said, adding that this “synchronization” can enable attackers to defeat MFA methods that are not phishing-resistant.

Why Okta is a key target for attackers

Okta is widely used as an identity provider for workforce authentication. Its SSO platform is designed to let employees sign in once, then access connected services through a central dashboard, often including SaaS-based business systems such as Microsoft 365, Google Workspace, Salesforce, Slack, and other cloud applications.

[Image: Salesforce data leak] ShinyHunters was the criminal brand behind the Salesforce CRM data heist targeting SaaS-based services and customer databases. Image by Cybernews.

That central role makes it a high-impact target. A single compromised SSO account can provide attackers with convenient access to multiple enterprise platforms, internal data stores, and administrative tools without needing to breach each service individually.

Detailed threat advisory behind paywall

Okta said it has published a detailed threat advisory for customers that provides “an inside look” at two phishing kits used in these operations. However, the company also noted that detailed Indicators of Compromise (IoCs) were reserved for paying customers.

IoCs are forensic and technical artefacts, such as malicious domains, IP addresses, file hashes, and attack patterns, that help defenders detect active intrusions and block related activity.

Cory Michal, CSO at SaaS security company AppOmni, welcomed Okta’s research, noting that it was “encouraging to see Okta finally engage more directly on behalf of customers by documenting how these kits operate.” However, he added:

“Putting IoCs behind a paywall makes ecosystem-wide disruption harder, because effective takedowns depend on defenders, SaaS providers, and ISPs being able to rapidly share and operationalize indicators at scale.”

“What’s most noteworthy is how quickly attacker tooling and tradecraft are evolving—these kits reflect a broader shift toward ‘vibe coding’ and ‘vibe hacking,’ where adversaries use AI to rapidly build, iterate, and operationalize automation that used to require deeper engineering skill,” he added.

What security measures can be taken?

Okta’s guidance emphasizes the adoption of phishing-resistant authentication, including Okta FastPass and FIDO passkeys, alongside defensive controls such as network zone restriction and access-control lists that limit logins from anonymized infrastructure commonly used by attackers.
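The distinction the article draws, between MFA that a live-call relay kit can simply forward and phishing-resistant FIDO authentication, as an added toy model that is not Okta's code or guidance nor any product's implementation; the RP ID, both origins and the HMAC stand-in for the authenticator's private-key signature are constructed assumptions.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

RP_ID = "sso.example.com"                 # constructed relying-party ID
RP_ORIGIN = "https://sso.example.com"     # constructed legitimate SSO origin
PHISH_ORIGIN = "https://sso-example.com"  # constructed lookalike used on the call

def rp_verify_otp(expected_code, submitted_code):
    # An OTP is a short string; the server can't tell if it was typed on the
    # real page or read out to a caller who relayed it.
    return hmac.compare_digest(expected_code, submitted_code)

class ToyAuthenticator:
    # Passkey stand-in: HMAC with a per-credential secret models the private-key
    # signature a real authenticator makes (the RP would hold only the public key).
    def __init__(self):
        self.key = secrets.token_bytes(32)
    def sign(self, auth_data, client_data):
        msg = auth_data + hashlib.sha256(client_data).digest()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

def browser_get_assertion(authn, page_origin, challenge):
    # The page cannot pick the origin, and the browser refuses to use a credential
    # whose RP ID does not match the host it is really on.
    host = urlparse(page_origin).hostname or ""
    if host != RP_ID and not host.endswith("." + RP_ID):
        return None  # this is what happens on the lookalike phishing page
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": authn.sign(auth_data, client_data)}

def rp_verify_assertion(authn, expected_challenge, assertion):
    # Relying-party checks: type, challenge, origin, rpIdHash, then signature.
    if assertion is None: return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN or assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # signed on another origin, or for another RP
    expected_sig = authn.sign(assertion["auth_data"], assertion["client_data"])
    return hmac.compare_digest(expected_sig, assertion["sig"])

def relay_scenarios():
    # A live-call kit forwards whatever the victim produces to the real RP.
    otp_relayed = rp_verify_otp("123456", "123456")  # code read out to the caller
    authn, challenge = ToyAuthenticator(), secrets.token_hex(16)
    legit = rp_verify_assertion(authn, challenge, browser_get_assertion(authn, RP_ORIGIN, challenge))
    relayed = rp_verify_assertion(authn, challenge, browser_get_assertion(authn, PHISH_ORIGIN, challenge))
    return {"otp_relay_accepted": otp_relayed, "passkey_legit_accepted": legit,
            "passkey_relay_accepted": relayed}
```

The relayed OTP is indistinguishable from a genuine one, whereas the passkey flow fails at the browser on the lookalike host and would fail again at the origin check even if a client skipped that step.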
