A notorious cybercriminal group calling itself ShinyHunters has publicly stated that it is behind a wave of credential theft attacks targeting Single Sign-On (SSO) accounts used to reach major corporate cloud services. The claim raises the stakes for organisations that rely on unified authentication platforms such as Okta, Microsoft Entra, and Google for access to corporate tools and data, because one compromised SSO login can open every application behind it.
What Happened? The SSO Credential Theft Wave
According to recent reports, ShinyHunters has claimed responsibility for a series of credential theft campaigns that leverage voice phishing, or vishing, to trick employees into handing over login credentials and multi-factor authentication (MFA) codes for SSO services.
In these attacks, threat actors impersonate an organisation’s IT support staff and contact employees by phone. While on the call, they steer the victim to a realistic-looking phishing page and have them enter their credentials in real time, including the MFA code or push approval. The MFA factor itself is not broken: the attacker simply relays the password and the one-time code into the genuine login within the code’s validity window, so a factor that can be typed or approved on demand offers no protection in this scenario. Only factors bound to the legitimate site’s origin, such as FIDO2/WebAuthn security keys and passkeys, resist this kind of relay.
Once attackers hold a valid SSO session, they can move laterally through the victim’s enterprise ecosystem, reaching connected services such as Salesforce, Microsoft 365, Google Workspace, Slack, Dropbox, and others. This makes a compromised SSO account extremely valuable: it is not a single account breach but a potential gateway into a company’s entire cloud environment.
The Mechanics: How Vishing Works
Traditional phishing relies on deceptive emails and fake web pages. Vishing keeps the fake page but adds a live caller who supplies the trust and urgency that a static email cannot, and who can talk the victim through each authentication prompt as it appears.
Attackers prepare by gathering personal information — sometimes from stolen data leaks — so they can convincingly claim to be calling from an organisation’s internal helpdesk. They often know the target’s name, role, company services used, and even which MFA app the employee uses. This knowledge makes it easier to persuade individuals to comply with authentication requests during the call.
The phishing infrastructure used in these attacks includes web control panels that show the operator what the real login flow is prompting for and let them update the fake page to match, whether that is a password, a push notification approval, or a time-based MFA code. Because the victim is on the phone and the code is submitted to the genuine service within seconds, the operator can complete the login before the code expires. This real-time relay is one reason such attacks are far more effective than static phishing sites, which cannot keep pace with a multi-step MFA prompt.
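The mechanic above (a one-time code typed by the victim and relayed by the caller) is easy to misread as "MFA was bypassed". The following is an added simulation, not code from the article or from any phishing kit or vendor product, that models the server side of both cases: an RFC 6238 TOTP check, which accepts a valid code no matter who submits it, and a simplified origin-bound assertion check in the style of WebAuthn, where the browser signs the origin it is actually on and the identity provider rejects a mismatch. The secret, key, challenge and origins are constructed values; HMAC stands in for the authenticator’s public-key signature.

```python
"""Model of why a real-time relay works against a one-time code but not against
an origin-bound credential. Constructed example; secrets and origins are made up."""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SECRET = b"constructed-shared-secret"   # assumption: the user's enrolled TOTP seed


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """IdP-side check: accept the current step and +/- `window` steps for clock skew.
    Note that nothing here identifies WHO submitted the code or from WHERE."""
    return any(hmac.compare_digest(totp(secret, now + STEP * i), code)
               for i in range(-window, window + 1))


def relay_totp(attacker_delay_s: int) -> bool:
    """Victim reads the code from their authenticator app to the 'helpdesk' caller,
    who types it into the real login `attacker_delay_s` seconds later."""
    t0 = 1_700_000_000                       # constructed timestamp
    code = totp(SECRET, t0)                  # generated on the victim's device
    return verify_totp(SECRET, code, t0 + attacker_delay_s)


# --- Origin-bound factor: the browser signs the origin it is really talking to ---

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """What the victim's browser/authenticator produces on the page it is on."""
    client_data = json.dumps(
        {"challenge": base64.b64encode(challenge).decode(), "origin": origin},
        sort_keys=True).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).hexdigest()  # stand-in for a signature
    return {"client_data": client_data, "sig": sig}


def verify_assertion(key: bytes, assertion: dict, challenge: bytes, expected_origin: str) -> bool:
    """IdP-side check. The origin comparison is what defeats the relay."""
    client_data = json.loads(assertion["client_data"])
    if client_data["origin"] != expected_origin:
        return False
    if base64.b64decode(client_data["challenge"]) != challenge:
        return False
    expected_sig = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def relay_origin_bound(page_origin: str, rp_origin: str = "https://sso.example.com") -> bool:
    """The kit forwards the real IdP's challenge to the victim, whose browser signs it
    together with `page_origin` (the page the victim is actually on). The attacker
    then relays the assertion to the real IdP at `rp_origin`."""
    key = b"constructed-device-key"          # assumption: the registered credential
    challenge = b"\x01" * 32                 # constructed challenge issued by the IdP
    assertion = sign_assertion(key, challenge, page_origin)
    return verify_assertion(key, assertion, challenge, rp_origin)


if __name__ == "__main__":
    print("TOTP relayed within 20 s accepted:", relay_totp(20))
    print("TOTP relayed after 120 s accepted:", relay_totp(120))
    print("Assertion from phishing page accepted:",
          relay_origin_bound("https://sso-example.com.login-help.invalid"))
    print("Assertion from genuine page accepted:", relay_origin_bound("https://sso.example.com"))
```

The point of the contrast is that the TOTP verifier has no notion of where the code came from, so a live caller only needs to beat the expiry window; the origin-bound verifier fails closed as soon as the victim was on any hostname other than the real one, which is exactly the case a vishing page creates.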
Why ShinyHunters’ Claim Matters
ShinyHunters first appeared in the cybercrime spotlight around 2020, gaining notoriety for large-scale data thefts and online extortion. The group has claimed responsibility for stealing tens of millions of user records from various online platforms over the years and distributing or selling stolen data through dark web channels.
In the current campaign, ShinyHunters has confirmed to journalists that it orchestrated some of the social engineering attacks and that Salesforce remains one of its primary targets. It claims to be using data from earlier breaches — including corporate datasets — to make its vishing campaigns more convincing.
The group has even relaunched a Tor-based leak site listing victims it says refused extortion demands. Early entries on this site include organisations such as SoundCloud, Betterment, and Crunchbase, whose data was allegedly stolen and later published after they declined to pay.
Broader Cybersecurity Impact
This latest wave is not isolated. Cybersecurity analysts and vendors have been warning about vishing operations that defeat one-time-code MFA by relaying it in real time. Okta and other identity providers have issued alerts to customers about custom phishing kits configured specifically for live, operator-driven social engineering.
SSO platforms are central to modern digital business operations. A breach of one identity can cascade across every connected cloud service, making robust identity and access management more crucial than ever. Organisations must now think beyond passwords and one-time MFA codes and adopt strategies that assume an employee can be talked into completing a login for someone else.
What Organisations Should Do Now
Security experts recommend a combination of technical controls and training to mitigate these threats:
- Enhanced authentication and behavioural monitoring – Use adaptive MFA and anomaly detection to flag suspicious access attempts, for example a successful login from a network the user has never used while that user still holds an active session elsewhere. Where possible, require phishing-resistant factors (FIDO2/WebAuthn) for SSO and for sensitive applications, since one-time codes and push approvals can be relayed by a live caller.
- Employee awareness and training – Teach staff to recognise and report vishing attempts, and make it explicit that genuine IT support will never ask them to read out an MFA code or approve a push prompt on request.
- Internal verification procedures – Establish a secure, out-of-band way for employees to verify a caller claiming to be IT support (for example, hanging up and calling the published helpdesk number or a known ticketing channel) so that credentials and codes are never disclosed on an inbound call.
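To make the first recommendation concrete, here is an added example of anomaly scoring over SSO sign-in events; it is not code from the article, from Okta, or from any other identity provider, and the event schema, the 30-day baseline, the ASN numbers and the log lines are all constructed for the example. It scores each successful sign-in on three signals that a real-time vishing relay tends to produce: the login arrives from a network the user has never used, the MFA factor is one a caller can relay (push, TOTP, SMS), and the user already holds a fresh session from a different network (the victim is at their desk while the attacker replays the credentials from elsewhere).

```python
"""Anomaly scoring for SSO sign-in events. Constructed example; the schema and
thresholds are assumptions, not any vendor's log format or policy language."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RELAYABLE_FACTORS = {"push", "totp", "sms"}   # a live caller can relay these
CONCURRENT_WINDOW = timedelta(minutes=15)      # "user is already signed in elsewhere"
THRESHOLD = 5                                  # score at or above this escalates


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: str      # autonomous system the client IP belongs to (constructed values)
    factor: str   # "push", "totp", "sms" or "fido2"
    ok: bool      # whether the sign-in completed successfully


# Constructed 30-day baseline: networks each user normally authenticates from.
BASELINE = {
    "alice@example.com": {"AS64500"},
    "bob@example.com": {"AS64500", "AS64501"},
}

# Constructed sample log. Alice signs in at the office with a security key; nine
# minutes later a push-approved sign-in for her arrives from an unrelated network,
# which is what a relayed vishing login looks like from the IdP's side.
EVENTS = [
    SignIn(datetime(2025, 10, 8, 9, 2), "alice@example.com", "203.0.113.10", "AS64500", "fido2", True),
    SignIn(datetime(2025, 10, 8, 9, 11), "alice@example.com", "198.51.100.77", "AS64999", "push", True),
    SignIn(datetime(2025, 10, 8, 9, 30), "bob@example.com", "203.0.113.22", "AS64501", "totp", True),
]


def score_signin(ev: SignIn, history: list, baseline: dict) -> tuple:
    """Score one successful sign-in against earlier events. Returns (score, reasons)."""
    score, reasons = 0, []
    if ev.asn not in baseline.get(ev.user, set()):
        score += 3
        reasons.append(f"sign-in from ASN {ev.asn} never seen for {ev.user}")
    if ev.factor in RELAYABLE_FACTORS:
        score += 2
        reasons.append(f"MFA satisfied with relayable factor '{ev.factor}'")
    for prev in history:   # history only holds events earlier than `ev`
        if (prev.user == ev.user and prev.ok and prev.asn != ev.asn
                and ev.ts - prev.ts <= CONCURRENT_WINDOW):
            score += 3
            reasons.append(f"concurrent session from {prev.asn} at {prev.ts:%H:%M}")
            break
    return score, reasons


def evaluate(events: list, baseline: dict = BASELINE) -> list:
    """Score every successful sign-in in chronological order.
    Returns a list of (event, score, reasons, escalate) tuples."""
    history, results = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ok:
            score, reasons = score_signin(ev, history, baseline)
            results.append((ev, score, reasons, score >= THRESHOLD))
        history.append(ev)
    return results


if __name__ == "__main__":
    for ev, score, reasons, escalate in evaluate(EVENTS):
        verdict = "ESCALATE" if escalate else "ok"
        print(f"{ev.ts:%H:%M} {ev.user} {ev.ip} score={score} {verdict}")
        for r in reasons:
            print("    -", r)
```

Network novelty on its own is noisy (travel, mobile carriers, VPNs), which is why the signals are combined into a score rather than used as hard rules, and why the sensible response at the threshold is a step-up to a phishing-resistant factor or a session kill plus analyst review rather than a silent block. In production the baseline would be built from the identity provider’s own sign-in history and the ASN lookup from a GeoIP/ASN database; both are stubbed here as constructed data.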
Awareness and preparedness are key. As threat actors like ShinyHunters continue to evolve their tactics, organisations must stay proactive in defending their digital perimeters.
