ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The ShinyHunters extortion group claimed responsibility for a recent Okta SSO voice-phishing (vishing) campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise Crunchbase and Betterment, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming.
ShinyHunters published alleged datasets for Crunchbase, Betterment, and SoundCloud on a newly launched leak site, asserting the dumps contain PII and large record counts (reported as >20 million for Betterment, ~2 million for Crunchbase, and ~30+ million for SoundCloud). SoundCloud stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was not obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly 20% of users (about 28 million based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
Timeline
Jan 26, 2026
Public reporting notes attribution uncertainty around 'ShinyHunters' branding
Researchers and journalists reported that the campaign was 'ShinyHunters-branded' but warned the name could reflect misattribution or opportunistic reuse rather than confirmed actor identity. They advised focusing on the observed tactics, techniques, and procedures instead of branding alone.
Jan 26, 2026
Researchers estimate campaign targeted over 100 enterprises
Silent Push assessed that more than 100 Okta SSO accounts at high-value enterprises had been targeted or had attack infrastructure prepared against them, while cautioning this did not prove all named companies were breached. Mandiant corroborated the ongoing campaign and described post-compromise SaaS data theft and extortion activity.
Jan 23, 2026
ShinyHunters claims access to Crunchbase and Betterment
ShinyHunters told reporters it used voice-phished Okta SSO codes to access Crunchbase and Betterment. Downloaded Crunchbase files were reported to contain personally identifiable information and corporate documents.
Jan 23, 2026
Alon Gal reports ShinyHunters claimed the Okta vishing campaign
Hudson Rock co-founder Alon Gal said ShinyHunters confirmed to him that it was behind the recent Okta-focused vishing campaign. He also reported that the group had published alleged data from Crunchbase, SoundCloud, and Betterment on its new leak site.
Jan 23, 2026
ShinyHunters launches a new Tor leak site
ShinyHunters opened a new Tor-based victims blog to publish stolen data and pressure victims who refused extortion demands. The site listed alleged victims including Crunchbase, SoundCloud, and Betterment.
Jan 1, 2026
Okta warns customers about voice-phishing kits
Okta Threat Intelligence issued an alert warning that criminals were using voice-phishing kits to target Google, Microsoft, and Okta accounts. Okta and other researchers emphasized the activity relied on social engineering rather than an Okta product vulnerability.
Jan 1, 2026
ShinyHunters-linked vishing campaign targets SSO accounts
An active campaign used phone-based social engineering to steal SSO credentials and MFA codes for Okta, Microsoft, and Google-linked accounts, then pivoted into SaaS environments for data theft and extortion. Researchers later said the operation also enrolled attacker-controlled devices into victims' MFA solutions.
Dec 1, 2025
Attackers begin registering SSO-themed phishing domains
Sophos identified a cluster of roughly 150 malicious domains impersonating SSO and authentication providers that began appearing in December 2025. The infrastructure suggested broad preparation for voice-phishing and credential-theft operations against enterprise identity platforms.
Dec 1, 2025
SoundCloud confirms a breach in December
SoundCloud previously confirmed a breach in December 2025. Later reporting said the company was reviewing ShinyHunters' claim that data from SoundCloud had been published on the group's new leak site.
Related Stories
SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate **hidden email addresses** with information already visible on public SoundCloud profiles, impacting roughly **29.8 million accounts** (about **20%** of its user base). Exposed data was primarily **email addresses** plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated **no passwords or financial data** were accessed. Users also reported service disruptions around the time of the incident, including access issues such as `403 Forbidden` errors (notably when connecting via VPN), consistent with post-incident security changes and response actions. Reporting attributed the intrusion and subsequent extortion attempt to the **ShinyHunters** group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as **email flooding**. The stolen dataset was subsequently leaked and then added to *Have I Been Pwned* for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
1 month ago
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
Yesterday
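Both the timeline entry on the vishing campaign and the related story above describe the same post-compromise step: the attacker signs in with a phished SSO code and then enrolls an attacker-controlled device as a new MFA factor. The following detection sketch is an added example written for this page, not code from Mallory, Okta, or any of the named researchers. It runs over constructed Okta System Log events (the `user.session.start` and `user.mfa.factor.activate` event types are real Okta names; the users, IPs, and timestamps are made up) and flags a factor activation that follows, within minutes, a login from an IP the user had never used before.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Okta System Log events (JSON lines). These are not records from
# the incidents in the story; only the eventType names are real Okta values.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2026-01-20T09:01:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-01-21T09:03:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-01-15T08:00:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-01-23T08:00:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-23T08:05:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-01-23T14:10:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-23T14:14:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
"""

BASELINE_AGE = timedelta(hours=24)    # logins older than this define the user's "known" IPs
LOGIN_WINDOW = timedelta(minutes=30)  # enrollment this soon after a fresh login is suspect


def parse_log(text):
    """Parse JSON-lines System Log output and sort it chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def suspicious_enrollments(events):
    """Return (user, ip, published) for every successful MFA factor activation
    that came from an IP with no login history older than BASELINE_AGE and
    that followed a login from that same IP within LOGIN_WINDOW."""
    logins = {}  # user -> list of (timestamp, ip) for successful session starts
    hits = []
    for e in events:
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user, ip, ts = e["actor"]["alternateId"], e["client"]["ipAddress"], e["ts"]
        if e["eventType"] == "user.session.start":
            logins.setdefault(user, []).append((ts, ip))
        elif e["eventType"] == "user.mfa.factor.activate":
            history = logins.get(user, [])
            known_ips = {i for t, i in history if ts - t > BASELINE_AGE}
            recent_login = any(i == ip and ts - t <= LOGIN_WINDOW for t, i in history)
            if ip not in known_ips and recent_login:
                hits.append((user, ip, e["published"]))
    return hits


if __name__ == "__main__":
    for user, ip, when in suspicious_enrollments(parse_log(SAMPLE_LOG)):
        print(f"ALERT new MFA factor for {user} from unfamiliar IP {ip} at {when}")
```

In practice the baseline should come from weeks of history rather than one day, and a match is a trigger to verify the enrollment with the user out of band and to revoke the factor and sessions if it was not theirs.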
ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio
**Crunchbase** confirmed a cybersecurity incident after the **ShinyHunters** cybercrime group claimed it stole **over 2 million personal records**. ShinyHunters reportedly posted a **402 MB compressed archive** online after an extortion attempt failed, and Crunchbase stated the threat actor **exfiltrated certain documents from its corporate network**. Crunchbase said business operations were not disrupted, the incident was **contained**, external cybersecurity experts were engaged, and **federal law enforcement** was notified while the company reviews the exposed data to determine required legal notifications. In a separate ShinyHunters-linked extortion case, French crypto tax platform **Waltio** was reported to be facing a ransom threat tied to alleged theft of personal data for **nearly 50,000 users**, including threatened exposure of users’ **2024 tax reports**. Waltio stated its services and production systems remained secure and that **no sensitive banking or crypto access data** was compromised. The activity aligns with ShinyHunters’ established pattern of **data theft and leak-site pressure** when ransom demands are not met.
1 month ago