Atlassian, RingCentral, ZoomInfo also among tech targets ShinyHunters has targeted around 100 organizations in its latest Okta single sign-on (SSO) credential stealing campaign, according to researchers and the criminal group itself.…
Analysis Summary
# Incident Report: ShinyHunters Okta Credential Stealing Campaign
## Executive Summary
ShinyHunters launched a widespread credential-stealing campaign targeting approximately 100 high-value enterprises, including major tech firms like Atlassian, Canva, and ZoomInfo, by exploiting Okta Single Sign-On (SSO). The attack primarily utilized evolved voice-phishing techniques to compromise SSO credentials and enroll attacker-controlled devices into victim MFA solutions. While intent to breach is confirmed, the success across all targeted organizations remains unconfirmed, though ShinyHunters claims success against at least two firms, leading to data extortion demands.
## Incident Details
- Discovery Date: Last week (Okta warning) / Monday (Silent Push report)
- Incident Date: Ongoing; targeting detected over the last 30 days leading up to the report.
- Affected Organization: Approximately 100 organizations targeted (including Atlassian, Canva, RingCentral, ZoomInfo, Epic Games, HubSpot). Success confirmed against Crunchbase and Betterment.
- Sector: Technology, Software, Finance (by confirmed victims)
- Geography: Global (Implied by international scope of targets)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing over the last 30 days (leading up to Jan 26, 2026).
- Vector: Voice-Phishing (Vishing).
- Details: Attackers are using "Evolved" voice-phishing techniques aimed specifically at Okta SSO credentials belonging to victim organizations.
### Lateral Movement
- Date/Time: Post-Initial Access (Implied).
- Vector: Pivoting from compromised SSO credentials.
- Details: After gaining initial access via SSO, actors pivot directly into the victim organizations' SaaS environments.
### Data Exfiltration/Impact
- Date/Time: Post-Lateral Movement.
- Vector: Data Exfiltration and Extortion.
- Details: Sensitive data is exfiltrated from SaaS environments. Threat actors approached some victims with extortion demands. ShinyHunters leaked alleged data from Betterment (2M+ records) and Crunchbase (2M+ records).
### Detection & Response
- Date/Time: Last week (Okta alerted). Friday (ShinyHunters claimed success). Monday (Silent Push/Mandiant reported on ongoing targeting).
- Vector: Vendor/Threat intelligence sharing.
- Details: Okta issued a warning about the voice-phishing campaign. Silent Push detected active targeting infrastructure. Mandiant confirmed tracking the campaign.
## Attack Methodology
- Initial Access: Voice-Phishing (Vishing) to steal Okta SSO credentials.
- Persistence: Enroll threat actor-controlled devices into victim MFA solutions.
- Privilege Escalation: Not explicitly detailed, but likely leveraged the acquired SSO access rights.
- Defense Evasion: Using social engineering (vishing) to bypass standard security awareness related to link-based phishing.
- Credential Access: Compromising Okta SSO credentials via social engineering.
- Discovery: N/A - Focus was on credential acquisition for immediate SaaS environment access.
- Lateral Movement: Pivoting directly into victim SaaS environments using the compromised SSO access.
- Collection: Exfiltrating sensitive data from SaaS environments.
- Exfiltration: Data theft (specific methods not detailed, likely standard SaaS export).
- Impact: Extortion and potential data breach.
## Impact Assessment
- Financial: Extortion demands issued to some victims (details confidential/unknown).
- Data Breach: Confirmed data leak/theft against Betterment and Crunchbase (millions of records claimed). Type of data not specified but implied to be sensitive business/customer data housed in SaaS apps.
- Operational: Implied risk of operational disruption due to unauthorized access and extortion attempts.
- Reputational: Negative publicity due to inclusion on targeted lists (Canva, Atlassian, etc.) and public data claims.
## Indicators of Compromise
(Note: Specific technical IoCs like IPs/URLs were not provided in the summary text and cannot be defanged.)
- Network Indicators: N/A
- File Indicators: N/A
- Behavioral Indicators: Anomalous API activity within SaaS environments; Unauthorized device enrollment into Okta MFA solutions.
## Response Actions
- Containment measures: Not explicitly detailed for all 100 targets. Response efforts would likely focus on revoking compromised SSO sessions and removing unauthorized MFA enrollments.
- Eradication steps: For confirmed breaches (like Crunchbase/Betterment), this would involve rigorous auditing of all accessed SaaS tools.
- Recovery actions: Password resets for affected accounts, re-provisioning devices, and data integrity checks.
## Lessons Learned
- Social engineering remains highly effective, especially when tailored to specific identity platforms (like Okta SSO).
- MFA enrollment via social engineering (MFA Bombing/Push Fatigue or Vishing assistance) is a potent technique to bypass strong authentication controls.
- Relying solely on push or SMS-based Multi-Factor Authentication (MFA) is insufficient against aggressive vishing campaigns.
## Recommendations
- **MFA Upgrade:** Immediately transition all critical accounts away from SMS/Push-based MFA towards phishing-resistant methods such as FIDO2 security keys (e.g., YubiKeys).
- **Policy Enforcement:** Implement strict application authorization policies within the SSO provider (Okta).
- **Monitoring:** Enhance monitoring for anomalous API activity and unauthorized device enrollments immediately following authentication events.
- **User Training:** Conduct specialized training focused on recognizing and reporting sophisticated voice-phishing attempts targeting SSO credentials.
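The behavioral indicator above (unauthorized device enrollment into Okta MFA following an authentication event) and the monitoring recommendation can be turned into a concrete detection. The following is an added example, not code from the original report or from Okta: it correlates login events with MFA factor enrollments per user and flags enrollments that occur shortly after a login from an IP the user has never used. The event type names, the simplified log shape, the IP baseline and the log lines are all assumptions constructed for the example; verify the event types against your tenant's System Log before relying on them.

```python
"""Flag MFA factor enrollments that closely follow a login from an unfamiliar IP."""
import json
from datetime import datetime, timedelta

# Assumed Okta System Log event types (check against your tenant's log).
LOGIN = "user.session.start"
ENROLL = "user.mfa.factor.activate"

# Constructed baseline: IPs each user normally authenticates from (not real data).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.20"}}

# Constructed sample log lines in a simplified Okta System Log shape (not real data).
SAMPLE_LOG = [
    '{"published":"2026-01-20T09:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"published":"2026-01-20T09:04:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"published":"2026-01-20T10:00:00Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"}}',
    '{"published":"2026-01-20T10:05:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"}}',
    '{"published":"2026-01-20T09:00:00Z","eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"192.0.2.55"}}',
    '{"published":"2026-01-20T11:00:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"192.0.2.55"}}',
]


def parse_event(line):
    """Reduce one JSON log line to the four fields the correlation needs."""
    ev = json.loads(line)
    return {
        "ts": datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ"),
        "type": ev["eventType"],
        "user": ev["actor"]["alternateId"],
        "ip": ev["client"]["ipAddress"],
    }


def suspicious_enrollments(lines, known_ips, window_minutes=30):
    """Return (user, enrollment time, login IP) for every MFA enrollment that
    happens within window_minutes of a login from an IP outside the user's baseline.
    A user with no baseline entry is treated as having no known IPs."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_unknown_login = {}  # user -> (timestamp, ip) of most recent unfamiliar-IP login
    hits = []
    for ev in events:
        if ev["type"] == LOGIN and ev["ip"] not in known_ips.get(ev["user"], set()):
            last_unknown_login[ev["user"]] = (ev["ts"], ev["ip"])
        elif ev["type"] == ENROLL:
            login = last_unknown_login.get(ev["user"])
            if login and ev["ts"] - login[0] <= timedelta(minutes=window_minutes):
                hits.append((ev["user"], ev["ts"].isoformat(), login[1]))
    return hits


if __name__ == "__main__":
    for user, when, ip in suspicious_enrollments(SAMPLE_LOG, KNOWN_IPS):
        print(f"REVIEW: {user} enrolled a factor at {when} after login from unfamiliar IP {ip}")
```

In the sample data only alice is flagged with the default 30-minute window: bob enrolled from a baseline IP and carol's enrollment fell outside the window; widening the window to three hours also surfaces carol, which is the tuning trade-off between coverage and noise.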