TL;DR: ShinyHunters targeted more than 100 organizations by voice-phishing their employees' Okta single sign-on credentials. Three companies (Crunchbase, Betterment, and SoundCloud) are confirmed breached, with over 50 million records leaked after ransom negotiations failed. Google's Mandiant team says the campaign is ongoing. The targeted list includes Atlassian, Canva, Epic Games, HubSpot, and ZoomInfo, among others. If your company uses Okta, Microsoft Entra, or Google SSO with anything other than FIDO2 keys or passkeys, you're a sitting duck.
100 Targets. Three Down. More Coming.
On January 26, 2026, security researchers at Silent Push published a report identifying more than 100 "high-value enterprises" targeted in ShinyHunters' latest credential-theft operation.[1] The attack method: call an employee, pretend to be IT support, walk them through a fake login page, and steal their Okta SSO credentials in real time.
It worked. Three companies have already confirmed data theft:
- SoundCloud: 29.8 million users affected (about 20% of its user base), confirmed in December 2025[2]
- Betterment: 20+ million records claimed by ShinyHunters, dumped January 23 after the fintech company refused to pay a ransom[3]
- Crunchbase: 2+ million records exfiltrated, 400 MB of compressed data published on January 26 after ransom talks collapsed[4]
That's over 50 million records from just three victims. BleepingComputer reports it is aware of multiple additional companies that have received extortion demands signed by ShinyHunters.[2]
Who's on the Target List
Silent Push researcher Zach Edwards identified companies that were targeted, not necessarily breached, in the campaign. The list reads like a SaaS industry directory:[1]
- Atlassian
- AppLovin
- Canva
- Epic Games
- Genesys
- HubSpot
- Iron Mountain
- RingCentral
- ZoomInfo
"We do believe the orgs we've listed on our public blog have been targeted," Edwards said.[1] None of these companies have confirmed a breach. But if ShinyHunters phished three companies successfully, the odds that everyone else walked away clean aren't great.
How They Did It
The attack chain is elegant and terrifying:
- Reconnaissance: ShinyHunters uses data from previous breaches, including their own Salesforce supply chain campaign from 2025, to identify employees with SSO access at target companies.[2]
- The Phone Call: An attacker calls the employee, spoofing their company's IT helpdesk number. "We've detected suspicious activity on your account. We need to verify your identity."
- The Fake Login: The victim gets directed to a phishing page that looks exactly like their Okta login portal. It's actually a real-time proxy, an adversary-in-the-middle setup that captures credentials as they're typed.[5]
- MFA Bypass: When Okta sends a push notification or number-matching challenge, the attacker's control panel shows them the code. They tell the victim: "You'll see a notification asking you to approve number 47. Go ahead and tap it." The victim does. Authentication complete.
- Device Enrollment: The attacker enrolls their own device into the victim's MFA setup, giving them persistent access even after the phone call ends.[1]
- Data Harvest: With SSO access, the attacker can reach every connected app: Salesforce, Slack, Zendesk, Google Workspace, Microsoft 365, Dropbox, Adobe, SAP, Atlassian. They download everything they can.
One phone call. Every app. All your data.
Google Mandiant: "Active and Ongoing"
Google's Mandiant incident response team confirmed on January 26 that it's tracking the ShinyHunters campaign. Charles Carmakal, Mandiant's consulting CTO, didn't mince words:[1]
"This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand."
Carmakal stressed that this isn't a vulnerability in Okta's software. It's a human problem: employees getting tricked by convincing callers. But his recommendation was blunt: ditch push-based MFA entirely.
"We strongly recommend organizations use phishing-resistant multi-factor authentication, such as FIDO2 security keys or passkeys. These protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not."
What Was Stolen
Crunchbase: 2M+ Records
Employee records, signed contracts, internal corporate documents. Hudson Rock CTO Alon Gal verified the leaked samples. Crunchbase confirmed the breach on January 26, saying it has "contained the incident" and contacted law enforcement.[4]
Betterment: 20M+ Records
Financial technology user data. The breach occurred around January 9, with data dumped on January 23. Betterment confirmed its email platform was abused for crypto scams and that data was stolen.[3]
SoundCloud: 29.8M Users Affected
Roughly 20% of SoundCloud's user base. The breach was confirmed in December 2025. ShinyHunters' own claim is 30+ million records with personally identifiable information.[2]
All three data dumps appeared on ShinyHunters' Tor leak site after the companies refused ransom demands. That's their standard playbook: pay up or get published.
The Scattered Spider Connection
This isn't the first time a cybercrime group has weaponized phone calls against SSO systems. Scattered Spider, the group behind the September 2023 MGM Resorts hack that cost the company over $100 million, pioneered the technique. They called MGM's IT helpdesk, convinced an employee to reset credentials, and took down the entire company for days.[6]
EclecticIQ analysts assess that ShinyHunters is "very likely" relying on members of Scattered Spider and a broader criminal community known as "The Com" to conduct voice-phishing operations.[7] The tools that Scattered Spider built for one-off casino heists are now being deployed at industrial scale against 100+ enterprises simultaneously.
Okta's threat intelligence team reported in January 2026 that at least two custom phishing kits, built specifically for voice-based social engineering, are now being sold as a service.[5] Anyone can rent the platform and the callers to go with it.
Why This Matters Beyond the Breaches
Single sign-on was supposed to make things more secure. One login, strong MFA, access to everything. The problem is that "access to everything" includes your attacker.
When an employee's Okta credentials get stolen, the attacker doesn't just get one app. They get the connected list of every SaaS platform that employee can access. For a typical enterprise, that's Salesforce, Slack, email, file storage, HR systems, code repositories, customer databases, and financial tools. All from one phone call.
ShinyHunters confirmed this is deliberate: "Salesforce remains our primary interest and target, the rest are benefactors."[2] They break into Okta to get to Salesforce, which holds the customer data they actually want to sell.
Protect Yourself
For Organizations
- Deploy FIDO2 keys or passkeys now. Not next quarter. Not after the audit. Now. The authenticator signs a challenge bound to the origin it was registered with, so a look-alike Okta page on another domain never gets a valid response.
- Kill push-based MFA as a standalone option. Number matching doesn't help when the attacker is literally telling the victim which number to press.
- Monitor device enrollments. ShinyHunters enrolls their own devices into victim MFA. Flag any new device registration that doesn't match your provisioning process.
- Audit API activity. After SSO compromise, attackers hammer APIs to bulk-download data from connected apps. Anomalous API call volume is a clear signal.
- Restrict SSO logins by network. Block authentication from VPNs, Tor nodes, and anonymizing proxies in your Okta policies.
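A defender-side check for the enrollment-monitoring and network-restriction items above, as an added example that is not from the article or from Okta: it replays constructed Okta-System-Log-style events and flags both logins through anonymizing proxies and MFA factor activations from an IP the user has not recently logged in from cleanly. The field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `securityContext.isProxy`) and the `user.mfa.factor.activate` event type are assumptions about Okta's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE = timedelta(days=30)  # a clean login within this window makes an IP "known"

# Constructed sample records shaped like Okta System Log events. The field names used
# (eventType, actor.alternateId, client.ipAddress, securityContext.isProxy) follow the
# LogEvent schema as the author understands it; treat exact names as assumptions.
SAMPLE_LOG = """
{"published":"2026-01-19T10:00:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"b.user@example.com"},"client":{"ipAddress":"203.0.113.22"},"securityContext":{"isProxy":false}}
{"published":"2026-01-20T09:02:11Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":false}}
{"published":"2026-01-26T10:00:00Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"b.user@example.com"},"client":{"ipAddress":"203.0.113.22"},"securityContext":{"isProxy":false}}
{"published":"2026-01-26T16:04:02Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"198.51.100.77"},"securityContext":{"isProxy":true}}
{"published":"2026-01-26T16:09:55Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"198.51.100.77"},"securityContext":{"isProxy":true}}
"""

def parse_events(text):
    """Parse JSON-lines log text into event dicts, oldest first."""
    events = [json.loads(ln) for ln in text.strip().splitlines() if ln.strip()]
    for ev in events:
        ev["_ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["_ts"])

def detect(events):
    """Return alerts for proxy logins and MFA factor enrollments from unfamiliar IPs."""
    known = defaultdict(list)  # user -> [(timestamp, ip)] of successful non-proxy logins
    alerts = []
    for ev in events:
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        proxy = ev.get("securityContext", {}).get("isProxy", False)
        if ev["eventType"] == "user.session.start":
            if proxy:  # login through an anonymizing proxy/VPN/Tor exit; policy should deny this
                alerts.append({"rule": "proxy_login", "user": user, "ip": ip, "at": ev["published"]})
            else:
                known[user].append((ev["_ts"], ip))
        elif ev["eventType"] == "user.mfa.factor.activate":
            # A new factor is only expected from an IP the user recently logged in from cleanly
            recent = {i for t, i in known[user] if ev["_ts"] - t <= BASELINE}
            if proxy or ip not in recent:
                alerts.append({"rule": "factor_enrolled_from_unknown_ip", "user": user,
                               "ip": ip, "at": ev["published"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, b.user's enrollment from a known IP passes silently, while a.user's proxy login and the factor activated five minutes later from that same proxy IP both raise alerts.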
For Individuals
- If "IT" calls you, hang up. Call back on the number from your company directory. Real IT won't call you and ask you to log into a link they send.
- Never enter credentials via a link someone gives you on the phone. Type the URL yourself or use a bookmark.
- Ask your employer about FIDO2 keys. If your company doesn't offer hardware security keys, they're leaving the front door open.
- Enable passkeys on personal accounts. Google, Apple, Microsoft, and most major services support them. They protect against exactly this kind of attack.
- If you used Betterment, SoundCloud, or Crunchbase, change your passwords, enable 2FA, and watch for phishing emails that reference specific account details.
The Bottom Line
ShinyHunters found the skeleton key: call someone, sound official, and steal their SSO login. It worked against 100 companies. Three are confirmed breached with 50+ million records leaked. Mandiant says it's still going.
The fix isn't complicated. FIDO2 keys and passkeys stop this attack cold because they verify the server's identity cryptographically: no human can be tricked into bypassing them. But most companies still rely on push notifications and SMS codes, which a skilled caller defeats in under five minutes.
ShinyHunters has been pulling these attacks since 2020. They breached Ticketmaster in 2024. They ran the Salesforce supply chain campaign in 2025. Now they're scaling up with voice phishing against SSO platforms. Each campaign gets bigger. The question for every company on Okta, Microsoft, or Google SSO: are you one of the 100, and do you have a FIDO2 key deployed, or just a push notification and hope?
References
- [1] The Register - Canva among ~100 ShinyHunters credential-theft targets (January 26, 2026)
- [2] BleepingComputer - ShinyHunters Claim to Be Behind SSO Account Data Theft Attacks (January 2026)
- [3] Hackread - ShinyHunters Leak Alleged Data of Millions From SoundCloud, Crunchbase, Betterment (January 2026)
- [4] TechStartups - Crunchbase Hacked: Company Confirms January 2026 Data Breach After ShinyHunters Leak Millions of Records (January 2026)
- [5] Help Net Security - Okta Users Under Attack: Modern Phishing Kits Are Turbocharging Vishing Attacks (January 23, 2026)
- [6] Bank Info Security - Voice Phishing Okta Customers: ShinyHunters Claims Credit (January 2026)
- [7] EclecticIQ - ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications (January 2026)