Your corporate data is under siege, and it’s not just hackers you need to worry about—it’s the cunning tactics they’re using to get inside. ShinyHunters, a notorious extortion gang, has boldly claimed responsibility for a wave of sophisticated voice phishing attacks targeting single sign-on (SSO) accounts at tech giants like Okta, Microsoft, and Google. But here’s where it gets controversial: these attacks aren’t just about stealing credentials; they’re a gateway to breaching entire corporate SaaS platforms, putting sensitive company data at risk for extortion. And this is the part most people miss—once an SSO account is compromised, attackers gain access to a treasure trove of connected enterprise applications, from Salesforce to Slack, making it a nightmare for cybersecurity teams.
Here’s how it works: Threat actors impersonate IT support, calling employees and tricking them into entering their login details and multi-factor authentication (MFA) codes on fake login portals. These phishing sites are so convincing that even tech-savvy employees can fall victim. Once inside, attackers browse the SSO dashboard, which conveniently lists all connected services, giving them a roadmap to corporate systems and data. Platforms like Microsoft 365, Google Workspace, Dropbox, and Adobe are just a few of the high-profile targets at risk.
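One way a defender can hunt for the pattern just described (a sign-in from an address the employee has never used, followed by an attacker walking the SSO dashboard and opening connected apps in quick succession), as an added example that is not from the original article; the log format, sample entries and IP baseline are constructed for illustration and do not match any vendor's schema:

```python
"""
Flag SSO sessions that look like a real-time phishing takeover: a successful
sign-in from an IP outside the user's baseline, followed by a burst of app
launches from that same session within a short window.
Log format is constructed for this example, not any vendor's event schema.
"""
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, event type, source IP, app ("-" if none).
SAMPLE_LOG = [
    "2024-06-03T08:01:10Z alice login.success 198.51.100.7 -",
    "2024-06-03T08:05:42Z alice app.launch 198.51.100.7 email",
    "2024-06-03T14:22:03Z alice login.success 203.0.113.9 -",
    "2024-06-03T14:22:40Z alice app.launch 203.0.113.9 crm",
    "2024-06-03T14:23:05Z alice app.launch 203.0.113.9 chat",
    "2024-06-03T14:23:31Z alice app.launch 203.0.113.9 files",
    "2024-06-03T14:24:02Z alice app.launch 203.0.113.9 hr",
    "2024-06-03T09:10:00Z bob login.success 192.0.2.4 -",
    "2024-06-03T09:12:00Z bob app.launch 192.0.2.4 email",
]

# Constructed baseline: addresses each user signed in from over the previous 30 days.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"192.0.2.4"}}


def parse(line):
    """Split one constructed log line into (timestamp, user, event, ip, app)."""
    ts, user, event, ip, app = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip, app


def find_suspicious_sessions(lines, known_ips, min_apps=3, window=timedelta(minutes=10)):
    """Return sessions that start from an unknown IP and launch >= min_apps
    distinct apps within `window` of the sign-in."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    sessions = {}  # (user, ip) -> [login_ts, set(apps)]
    for ts, user, event, ip, app in events:
        if event == "login.success" and ip not in known_ips.get(user, set()):
            sessions[(user, ip)] = [ts, set()]       # new, unfamiliar session
        elif event == "app.launch" and (user, ip) in sessions:
            login_ts, apps = sessions[(user, ip)]
            if ts - login_ts <= window:             # only count the early burst
                apps.add(app)
    return [
        {"user": u, "ip": ip, "login": ts.isoformat(), "apps": sorted(apps)}
        for (u, ip), (ts, apps) in sessions.items() if len(apps) >= min_apps
    ]


if __name__ == "__main__":
    for hit in find_suspicious_sessions(SAMPLE_LOG, KNOWN_IPS):
        print(hit)
```

Tune `min_apps` and `window` to your own environment; a lone sign-in from a new address with no dashboard sweep (travel, a new laptop) is deliberately not flagged by this rule.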
But here’s the kicker: ShinyHunters isn’t just targeting one platform—they’re going after Okta, Microsoft Entra, and Google SSO, making this a multi-front battle for cybersecurity teams. BleepingComputer first reported these attacks, revealing that threat actors use social engineering to convince employees to log into phishing pages and complete MFA challenges in real time. After gaining access, attackers harvest data from connected platforms, leaving companies vulnerable to extortion demands.
Okta, while declining to comment directly on the breaches, released a report detailing the phishing kits used in these attacks. These kits include a web-based control panel that allows attackers to dynamically manipulate what victims see on phishing sites, guiding them step-by-step through the login and MFA process. For example, if attackers need an MFA code, they can display real-time prompts on the phishing site, making the scam even more convincing.
ShinyHunters confirmed their involvement to BleepingComputer, stating, ‘We are behind the attacks,’ and adding that Salesforce remains their primary target. The group also disputed claims about their phishing infrastructure, insisting their tools are built in-house. Meanwhile, Microsoft and Google have played down the impact on their own platforms, with Google stating it has found no evidence of its products being abused in the campaign.
What’s truly alarming is how ShinyHunters is leveraging data from previous breaches, such as the Salesforce attacks, to make their social engineering calls more convincing. They’re using stolen phone numbers, job titles, and names to craft highly targeted scams. The group even relaunched their Tordata leak site, listing breaches at SoundCloud, Betterment, and Crunchbase. While SoundCloud and Betterment had previously disclosed breaches, Crunchbase confirmed today that data was stolen from its corporate network, though it claims no business operations were disrupted.
Here’s the burning question: Are companies doing enough to protect their SSO accounts and the vast ecosystems connected to them? With attackers constantly evolving their tactics, it’s clear that traditional security measures may not be sufficient. What do you think? Are SSO platforms like Okta, Microsoft, and Google doing enough to safeguard corporate data, or is it time for a radical rethink of how we approach cybersecurity? Let us know in the comments—this is a conversation that needs to happen.