ShinyHunters Target Okta, Microsoft Entra and Google SSO in Advanced Phishing Campaign

CyberSecureFox 🦊

Compromising a single corporate single sign-on (SSO) account today can unlock access to dozens of critical SaaS platforms and internal systems at once. That is exactly the strategy attributed to the cybercriminal group ShinyHunters, which is running a large‑scale phishing campaign against SSO implementations from Okta, Microsoft Entra ID and Google.

ShinyHunters’ SSO Phishing Campaign Against Okta, Microsoft Entra and Google

According to technical analyses, ShinyHunters are conducting targeted phishing attacks against corporate accounts managed by leading SSO providers, including Okta, Microsoft Entra ID (formerly Azure AD) and Google SSO. Once attackers obtain an employee’s SSO credentials, they can pivot into a broad range of connected SaaS applications and internal business systems.

Corporate SSO profiles typically provide access to platforms such as Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk and Atlassian. A single compromised identity effectively becomes a master key to the organization’s digital ecosystem, enabling large‑scale data theft, business disruption and lateral movement across cloud and on‑premises services.

Okta has published a technical report describing the phishing tools and infrastructure used in recent attacks against its customers. While the company has not formally confirmed attribution to ShinyHunters, the TTPs (tactics, techniques and procedures) closely match those claimed by the group.

How the SSO Phishing Attacks Work: Social Engineering and MFA Bypass

The campaign relies heavily on social engineering, particularly voice phishing (vishing). Attackers call employees while posing as internal IT support or security staff. During the call, victims are urged to follow a “verification” or “re‑authentication” link that leads to a carefully crafted phishing site imitating the organization’s SSO portal.

ShinyHunters reportedly use phishing toolkits with operator web panels that adapt the phishing page in real time. When the legitimate SSO platform requests multi-factor authentication (MFA), for example a push notification, TOTP code, SMS or email code, the phishing page immediately prompts the victim for the same factor. In effect, the toolkit operates as an adversary-in-the-middle (AitM) proxy: it captures the username, password and one-time code, relays them to the real SSO provider within the code's validity window, and receives the resulting authenticated session. The technique works against these factors because none of them is bound to the site the user is actually on; a code typed into the phishing page is indistinguishable to the provider from one typed into the genuine portal.

This technique enables attackers to hijack an active SSO session and bypass conventional MFA, which many organizations still consider sufficient protection. Industry reports, such as Verizon’s Data Breach Investigations Report, consistently show that the human element is involved in the majority of breaches, making MFA phishing one of the most pressing threats for cloud‑first enterprises.
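To make concrete why the relayed-factor technique above defeats TOTP but not a FIDO2/WebAuthn login, here is an added example (not code from the original article, from Okta or from the toolkit described) that models both sides: an IdP accepting a relayed TOTP code, and the relying-party checks from the WebAuthn assertion verification procedure (ceremony type, challenge, origin, rpIdHash) rejecting an assertion produced on a phishing origin. The domains, the TOTP seed and the authenticator output are constructed, and signature verification of the assertion is omitted so the origin-binding step stands out.

```python
"""
Relayed TOTP vs. relayed WebAuthn assertion, seen from the real IdP.

Added example (not CyberSecureFox's, Okta's or the toolkit's code).
The relying-party checks follow the WebAuthn assertion verification
steps for type, challenge, origin and rpIdHash; signature verification
is omitted. All domains, seeds and authenticator output are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://sso.example.com"         # constructed genuine SSO portal
LEGIT_RP_ID = "sso.example.com"
PHISH_ORIGIN = "https://sso-example-verify.com"  # constructed look-alike phishing host
PHISH_RP_ID = "sso-example-verify.com"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in the code says which site it
    was typed into, so a proxy can forward it unchanged to the real IdP."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def idp_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)


def browser_sign(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model of what the browser and authenticator hand back. The browser,
    not the page's JavaScript, records `origin` and derives rpIdHash from
    the page's effective domain, so a phishing page cannot claim to be the
    genuine portal. (In reality the browser would also refuse a request for
    an RP ID that is not a suffix of the phishing origin, and the key would
    have no credential scoped to the phishing domain at all.)"""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    # authenticatorData = rpIdHash(32) || flags(1: UP|UV) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + b"\x00\x00\x00\x01"
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes,
                        expected_origin: str, expected_rp_id: str):
    """Relying-party side: the checks that make the credential phishing-resistant."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate_aitm_relay() -> dict:
    """Victim is on PHISH_ORIGIN; the proxy relays everything to LEGIT_ORIGIN."""
    results = {}
    # TOTP: the code typed into the phishing page is forwarded verbatim and accepted.
    seed = b"constructed-totp-seed"
    now = int(time.time())
    results["totp_relayed"] = idp_verify_totp(seed, totp(seed, now), now)

    # WebAuthn: the real IdP's challenge is forwarded to the victim's browser,
    # which is on the phishing origin and records that fact in clientDataJSON.
    challenge = secrets.token_bytes(32)
    relayed = browser_sign(PHISH_ORIGIN, PHISH_RP_ID, challenge)
    results["webauthn_relayed"] = rp_verify_assertion(relayed, challenge, LEGIT_ORIGIN, LEGIT_RP_ID)

    # Control: the same ceremony from the genuine portal succeeds.
    direct = browser_sign(LEGIT_ORIGIN, LEGIT_RP_ID, challenge)
    results["webauthn_direct"] = rp_verify_assertion(direct, challenge, LEGIT_ORIGIN, LEGIT_RP_ID)
    return results


if __name__ == "__main__":
    for name, outcome in simulate_aitm_relay().items():
        print(f"{name}: {outcome}")
```

The TOTP branch succeeds because the IdP only sees a correct six-digit code for the current time step; the WebAuthn branch fails at the origin check before any signature is even considered, which is the property the phishing-resistant MFA recommendation later in this article relies on.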

Major Data Breaches Linked to the ShinyHunters Campaign

After relaunching their Tor‑based leak site, ShinyHunters claimed responsibility for intrusions at SoundCloud, Betterment and Crunchbase, publishing sizable data sets allegedly taken from each platform.

SoundCloud: Tens of Millions of User Records Exposed

The group claims to hold more than 30 million SoundCloud records. The company had previously disclosed an incident impacting around 20% of its user base, estimated at approximately 28 million accounts, indicating that the newly published data may represent an extension or consolidation of that compromise.

Betterment: Social Engineering Leads to Data Theft and Crypto Scams

Fintech provider Betterment confirmed that attackers gained access to its environment through social engineering. Beyond data theft, the access was reportedly used to send fraudulent messages to customers promoting cryptocurrency investment scams, creating additional financial risk and reputational damage.

Crunchbase: Internal Corporate Data and User Information Leaked

Crunchbase initially had not publicly disclosed a breach. After ShinyHunters published archives of stolen information, the company acknowledged a cyber incident in which an attacker accessed internal corporate documents. Third‑party analysts from Hudson Rock reported that the leaked data includes personal user information, signed contracts and internal correspondence, underlining the severity of the compromise.

Business Impact and Key Security Recommendations for SSO Environments

While SSO simplifies access management, it also concentrates risk into a single point of security failure. A successful SSO compromise can grant uncontrolled access to critical SaaS applications, facilitate privilege escalation and provide a platform for subsequent phishing and business email compromise (BEC) attacks against partners and customers. ShinyHunters reportedly enhance their success rate by reusing data from earlier breaches—such as employee names, titles, phone numbers and internal terminology—to make their vishing scenarios highly convincing.

Organizations can significantly reduce exposure to SSO phishing campaigns by combining technical controls with strong user education:

  • Adopt phishing‑resistant MFA (FIDO2/WebAuthn security keys, passkeys or certificate‑based authentication) instead of relying on SMS, TOTP apps or push approvals. These credentials are bound to the legitimate origin, so an assertion produced on a look‑alike domain is rejected by the real SSO provider; OTP hardware fobs, by contrast, are not phishing‑resistant, because their codes can be relayed like any other one‑time code.
  • Enable risk‑based and contextual access controls in Okta, Microsoft Entra ID and Google (device posture, geolocation, impossible travel, anomalous behavior).
  • Formalize helpdesk procedures, explicitly banning requests for passwords or MFA codes over phone, email or chat, and training staff to challenge such requests.
  • Run regular phishing and vishing awareness training so employees recognize urgent “security verification” calls and unexpected re‑authentication prompts as red flags.
  • Implement continuous monitoring and alerting for unusual login patterns, new device registrations, OAuth consent grants and high‑risk administrative actions across key SaaS platforms.
  • Apply the principle of least privilege to limit the blast radius of any single account compromise and ensure incident response plans cover SSO and IdP breaches.
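The monitoring recommendation above is easiest to act on with a concrete rule. The following added example (not the article's or any vendor's code) runs three checks over constructed, simplified sign‑in events: a successful session from an ASN organisation absent from the user's baseline (an AitM proxy relays credentials from the attacker's host, so the IdP records that host's egress rather than the employee's), MFA factor enrolment within 30 minutes of such a session, and one unfamiliar IP appearing as new for several users in a short window. The event schema and field names are a flattened stand‑in and must be mapped onto your IdP's real export (Okta System Log, Entra sign‑in logs, Google Workspace login audit); the baseline, thresholds and sample events are all constructed.

```python
"""
Post-phishing detection over IdP sign-in events.

Added example, not CyberSecureFox's or any vendor's code. Event schema,
field names, baseline, thresholds and sample events are constructed;
map the fields onto your IdP's actual log export before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENROLL_WINDOW = timedelta(minutes=30)   # assumption: tune to your environment
SHARED_IP_WINDOW = timedelta(hours=2)
SHARED_IP_MIN_USERS = 2

# Constructed 30-day baseline: ASN organisations each user normally signs in from.
BASELINE = {
    "alice@example.com": {"Example Corp Office", "Comcast Cable"},
    "bob@example.com": {"Example Corp Office"},
    "carol@example.com": {"Example Corp Office", "Deutsche Telekom"},
}

# Constructed, time-ordered events. `event` names are our own simplified vocabulary.
EVENTS = [
    {"time": "2025-01-15T09:02:11Z", "user": "alice@example.com", "event": "session.start",
     "outcome": "SUCCESS", "ip": "203.0.113.10", "asn_org": "Example Corp Office"},
    {"time": "2025-01-15T10:15:40Z", "user": "bob@example.com", "event": "session.start",
     "outcome": "SUCCESS", "ip": "198.51.100.77", "asn_org": "Cheap VPS Hosting Ltd"},
    {"time": "2025-01-15T10:19:05Z", "user": "bob@example.com", "event": "mfa.factor.enroll",
     "outcome": "SUCCESS", "ip": "198.51.100.77", "asn_org": "Cheap VPS Hosting Ltd"},
    {"time": "2025-01-15T10:41:22Z", "user": "carol@example.com", "event": "session.start",
     "outcome": "SUCCESS", "ip": "198.51.100.77", "asn_org": "Cheap VPS Hosting Ltd"},
    {"time": "2025-01-15T11:00:00Z", "user": "alice@example.com", "event": "session.start",
     "outcome": "FAILURE", "ip": "192.0.2.5", "asn_org": "Unknown Proxy Inc"},
    {"time": "2025-01-15T12:30:00Z", "user": "carol@example.com", "event": "session.start",
     "outcome": "SUCCESS", "ip": "203.0.113.10", "asn_org": "Example Corp Office"},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: list, baseline: dict) -> list:
    """Return (severity, rule, subject, ip) tuples. Failed logins are ignored:
    the signal is a session the IdP actually established."""
    alerts = []
    new_egress = []  # (time, user, ip) for successful sessions from unseen ASN orgs
    for e in events:
        if e["event"] == "session.start" and e["outcome"] == "SUCCESS":
            if e["asn_org"] not in baseline.get(e["user"], set()):
                new_egress.append((parse_time(e["time"]), e["user"], e["ip"]))
                alerts.append(("medium", "new_egress", e["user"], e["ip"]))

    # Persistence: factor enrolment shortly after a new-egress session for the same user.
    for started, user, _ in new_egress:
        for e in events:
            if e["event"] == "mfa.factor.enroll" and e["user"] == user and e["outcome"] == "SUCCESS":
                delta = parse_time(e["time"]) - started
                if timedelta(0) <= delta <= ENROLL_WINDOW:
                    alerts.append(("high", "new_egress_then_mfa_enroll", user, e["ip"]))

    # Shared infrastructure: one IP that is "new" for several users within a short span.
    by_ip = defaultdict(list)
    for started, user, ip in new_egress:
        by_ip[ip].append((started, user))
    for ip, hits in by_ip.items():
        users = sorted({u for _, u in hits})
        span = max(t for t, _ in hits) - min(t for t, _ in hits)
        if len(users) >= SHARED_IP_MIN_USERS and span <= SHARED_IP_WINDOW:
            alerts.append(("high", "shared_new_ip", ",".join(users), ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Run against the constructed events, the rule raises two medium alerts for Bob's and Carol's sessions from the hosting provider, one high alert for Bob's factor enrolment four minutes after that session, and one high alert because the same hosting IP was new for both users within half an hour; Alice's failed attempt and Carol's later office login produce nothing.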

The ShinyHunters campaign underscores that even mature, cloud‑centric organizations remain vulnerable when SSO and traditional MFA are deployed without additional safeguards. Reviewing SSO configurations, accelerating the rollout of phishing‑resistant authentication, tightening access controls and investing in realistic social‑engineering exercises are now essential steps for any company that depends on Okta, Microsoft Entra or Google SSO. The organizations that act proactively will be far better positioned to avoid seeing their brand name on the next high‑profile data leak site.
