ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
ShinyHunters has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted voice phishing (vishing) and company-branded phishing portals designed to capture SSO credentials and MFA codes. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then enroll attacker-controlled devices into MFA. After account takeover, the actor pivots through Okta, Microsoft Entra, or Google SSO dashboards to rapidly access downstream SaaS services (e.g., Salesforce, Microsoft 365/SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive), turning a single compromised identity into broad cloud data access.
Separately, Bumble reported a phishing-driven compromise of a contractor account, after which ShinyHunters allegedly claimed theft of ~30 GB of data—reported as largely internal files sourced from Google Drive and Slack—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as Hinge, Match, and OkCupid), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
Timeline
May 1, 2026
Canadian Centre for Cyber Security issues SaaS social-engineering alert
The Canadian Centre for Cyber Security issued Alert AL26-010 warning of ongoing financially motivated attacks against enterprise identity services and SaaS platforms using vishing, brand impersonation, adversary-in-the-middle phishing, help-desk abuse, and theft of OAuth refresh tokens from compromised third-party vendors. The alert said attackers typically pivot through SaaS environments via compromised SSO identities, exfiltrate data through legitimate APIs and export features, and pursue extortion without usually deploying malware, while recommending phishing-resistant MFA and tighter identity and SaaS controls.
May 1, 2026
CrowdStrike reports Cordial Spider and Snarky Spider SaaS extortion activity
CrowdStrike warned that the cybercrime clusters Cordial Spider and Snarky Spider were using vishing and adversary-in-the-middle SSO phishing to compromise identity providers and connected SaaS apps, then steal data for extortion. The report added that the actors remove existing MFA devices, create inbox rules to suppress security alerts, and in Snarky Spider cases can begin exfiltration in under an hour.
Mar 11, 2026
Obsidian details Okta persistence and SaaS pivot patterns in ShinyHunters campaign
Obsidian Security published new technical findings from three 2026 incidents showing attackers used anomalous, failure-heavy Okta login flows, then enrolled Okta FastPass or Okta Verify on devices named "Passkey," often linked to Genymobile-associated Android emulators. The report said the intruders quickly enumerated SSO-connected apps, pivoted into services such as Slack, Google Drive, Salesforce, and VPNs, and conducted bulk file downloads consistent with automated data exfiltration.
Feb 26, 2026
ReliaQuest reports shift to branded subdomain impersonation in ShinyHunters campaign
ReliaQuest reported that ShinyHunters had evolved its SaaS intrusion playbook to use branded subdomain impersonation and mobile-first, phone-guided adversary-in-the-middle phishing, often themed around SSO and Okta. The firm also assessed that the group was reusing previously exposed enterprise data to improve social-engineering pretexts and scaling operations through outsourced vishing and spam services, including Telegram-recruited voice operators.
Jan 31, 2026
Mandiant publishes report on ShinyHunters-linked SSO and MFA bypass tactics
Mandiant publicly detailed how ShinyHunters-linked clusters use synchronized vishing and phishing kits to capture credentials and MFA codes, enroll attacker-controlled MFA devices, and steal data from SaaS platforms. The report also provided indicators, infrastructure patterns, and defensive guidance for detecting and stopping the intrusions.
Jan 30, 2026
Match Group responds to ShinyHunters claims affecting dating apps
ShinyHunters also claimed theft of more than 10 million records from Hinge, Match, and OkCupid. Match Group characterized the incident as limited in scope and said there was no indication that login credentials, financial data, or private communications were accessed.
Jan 30, 2026
ShinyHunters claims theft of 30 GB of Bumble data
Reports said ShinyHunters claimed to have stolen about 30 GB of Bumble data, largely internal files allegedly taken from Google Drive and Slack. The claim was part of a broader string of alleged SaaS-focused thefts attributed to the group.
Jan 30, 2026
Bumble discloses contractor-account compromise via phishing
Bumble acknowledged a recent breach involving a contractor account compromised through phishing. The company said no user chats or profiles were exposed and that its investigation was ongoing.
Jan 26, 2026
Silent Push reports ShinyHunters targeting about 100 organizations
Silent Push said ShinyHunters was running an active voice-phishing campaign to steal Okta SSO credentials from roughly 100 organizations, including Canva, with evidence of targeting or infrastructure preparation across multiple industries. Mandiant confirmed the activity and said the attackers used vishing to capture credentials, enroll attacker-controlled MFA devices, access SaaS platforms, steal data, and sometimes extort victims.
Jan 15, 2026
Mandiant observes intensified intrusions and data theft in mid-January
In early to mid-January, Mandiant observed the clusters expanding activity across Okta, Microsoft 365, Google Workspace, SharePoint, OneDrive, Slack, Salesforce, and DocuSign. Attackers enrolled their own MFA devices, moved laterally through SaaS environments, and exfiltrated bulk cloud data for extortion.
Jan 1, 2026
ShinyHunters-linked vishing campaign begins targeting SaaS environments
Mandiant said the social-engineering campaign tied to clusters UNC6661, UNC6671, and UNC6240 was active by early January 2026. Attackers impersonated IT or help-desk staff, used company-branded phishing pages to capture SSO credentials and MFA codes, and then accessed cloud applications.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
5 more from sources like security online info, scworld, help net security, ampcuscyber.com and cyber security news
Related Stories
ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion
Google-owned **Mandiant** reported an expansion in **ShinyHunters**-style intrusions using **voice phishing (vishing)** and spoofed credential-harvesting sites to steal **SSO credentials** and **MFA codes**, enabling unauthorized access to cloud **SaaS** environments. Mandiant tracked the activity across multiple clusters (**UNC6661**, **UNC6671**, and **UNC6240** / *ShinyHunters*) and assessed the objective as data theft from cloud applications (including internal communications) followed by **extortion**, with some incidents involving escalatory pressure such as **harassment of victim personnel**. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA. Separate reporting characterized the same campaign as a broad vishing operation with **hundreds of organizations** in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, a Fortinet write-up on **Interlock** ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.
1 months ago
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 months ago
Match Group Confirms Data Theft After ShinyHunters Leak Claim
**Match Group** confirmed it is investigating a “recently identified security incident” after **ShinyHunters** claimed to have stolen and leaked data tied to its dating platforms, including **Hinge, Match.com, and OkCupid**. The actor advertised a dump of roughly **1.7 GB** of compressed files and claimed **10+ million records** plus internal documents; Match Group said it moved quickly to terminate unauthorized access and is working with external incident response experts while notifying affected individuals as appropriate. Reporting indicates the intrusion likely stemmed from compromised identity and SaaS access rather than direct compromise of the dating apps themselves. The alleged source of exposure was **AppsFlyer** (a marketing analytics platform), and one account of the incident attributes initial access to a compromised **Okta SSO** account that enabled access to AppsFlyer and cloud storage (including **Google Drive** and **Dropbox**). Match Group stated there is currently **no indication** that **user login credentials, financial information, or private communications** were accessed, while third-party review of samples reportedly suggested the dataset includes personal customer data, some employee details, and internal corporate material.
1 months ago