ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft

The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.

In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.

Once compromised, the attackers gain access to the victim's SSO account, which can provide access to other connected enterprise applications and services.

SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.

These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.

Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

As first reported by BleepingComputer, threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.

After gaining access to a victim's SSO account, the attackers browse the list of connected applications and begin harvesting data from the platforms available to that user.

BleepingComputer is aware of multiple companies targeted in these attacks that have since received extortion demands signed by ShinyHunters, indicating that the group was behind the intrusions.

BleepingComputer contacted Okta earlier this week about the breaches, but the company declined to comment on the data theft attacks.

However, Okta released a report yesterday describing the phishing kits used in these voice-based attacks, which match what BleepingComputer has been told.

According to Okta, the phishing kits include a web-based control panel that allows attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows threat actors to guide victims through each step of the login and MFA authentication process.

If the attackers enter stolen credentials into the real service and are prompted for MFA, they can display new dialog boxes on the phishing site in real time to instruct a victim to approve a push notification, enter a TOTP code, or perform other authentication steps.

While ShinyHunters declined to comment on the attacks last night, the group confirmed to BleepingComputer this morning that it is responsible for some of the social engineering attacks.

"We confirm we are behind the attacks," ShinyHunters told BleepingComputer. "We are unable to share further details at this time, besides the fact that Salesforce remains our primary interest and target, the rest are benefactors."

The group also confirmed other aspects of BleepingComputer's reporting, including details about the phishing infrastructure and domains used in the campaign. However, it disputed that a screenshot of a phishing kit command-and-control server shared by Okta was for its platform, claiming instead that theirs was built in-house.

ShinyHunters claimed it is targeting not only Okta but also Microsoft Entra and Google SSO platforms.

Microsoft said it has nothing to share at this time, and Google said it had no evidence its products were being abused in the campaign.

"At this time, we have no indication that Google itself or its products are affected by this campaign," a Google spokesperson told BleepingComputer.

ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social-engineering calls more convincing.

Last night, the group relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.

SoundCloud previously disclosed a data breach in December 2025, while Betterment confirmed this month that its email platform had been abused to send cryptocurrency scams and that data was stolen.

Crunchbase, which had not previously disclosed a breach, confirmed today that data was stolen from its corporate network.

"Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network," a company spokesperson told BleepingComputer. "No business operations have been disrupted by this incident. We have contained the incident, and our systems are secure."

"Upon detecting the incident, we engaged cybersecurity experts and contacted federal law enforcement. We are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements."
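
The post-compromise pattern the article describes (an SSO login followed by browsing and harvesting from many connected applications) can be hunted for in identity-provider logs. The following is an added example, not part of the original article or of Okta's report; the event schema, the per-user IP baseline, and the thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (ts, user, ip, event, app); this is not a vendor log format.
EVENTS = [
    ("2026-01-20T09:00:00", "alice", "192.0.2.10", "login", None),
    ("2026-01-20T09:01:00", "alice", "192.0.2.10", "app_access", "Slack"),
    ("2026-01-20T09:05:00", "alice", "192.0.2.10", "app_access", "Microsoft 365"),
    ("2026-01-20T10:00:00", "bob", "203.0.113.50", "login", None),
    ("2026-01-20T10:01:00", "bob", "203.0.113.50", "app_access", "Salesforce"),
    ("2026-01-20T10:02:00", "bob", "203.0.113.50", "app_access", "Microsoft 365"),
    ("2026-01-20T10:04:00", "bob", "203.0.113.50", "app_access", "Slack"),
    ("2026-01-20T10:06:00", "bob", "203.0.113.50", "app_access", "Dropbox"),
    ("2026-01-20T10:09:00", "bob", "203.0.113.50", "app_access", "Zendesk"),
    ("2026-01-20T11:00:00", "carol", "198.51.100.23", "login", None),
    ("2026-01-20T11:02:00", "carol", "198.51.100.23", "app_access", "Slack"),
]
# Assumed baseline: source IPs previously seen for each user.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}, "carol": {"192.0.2.30"}}


def flag_sso_fanout(events, known_ips, window=timedelta(minutes=30), min_apps=4):
    """Flag logins from an IP outside the user's baseline that are followed,
    within `window`, by access to at least `min_apps` distinct connected apps
    from that same user and IP. Returns a list of (user, ip, sorted_apps)."""
    events = sorted(events, key=lambda e: e[0])  # ISO timestamps sort as text
    findings = []
    for i, (ts, user, ip, event, _app) in enumerate(events):
        if event != "login" or ip in known_ips.get(user, set()):
            continue
        start = datetime.fromisoformat(ts)
        apps = set()
        for l_ts, l_user, l_ip, l_event, l_app in events[i + 1:]:
            if datetime.fromisoformat(l_ts) - start > window:
                break  # events are time-ordered, nothing later can qualify
            if l_event == "app_access" and (l_user, l_ip) == (user, ip):
                apps.add(l_app)
        if len(apps) >= min_apps:
            findings.append((user, ip, sorted(apps)))
    return findings


if __name__ == "__main__":
    for user, ip, apps in flag_sso_fanout(EVENTS, KNOWN_IPS):
        print(f"ALERT {user} from new IP {ip}: {len(apps)} apps in window: {apps}")
```

A single login from an unfamiliar IP (carol) is not flagged on its own; only the combination with rapid access to many applications is, which keeps travel and VPN changes from drowning the signal.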