ShinyHunters Claim Responsibility for SSO Account Data Theft Attacks
Here’s a breakdown of the key information from the provided text, focusing on the recent SSO attacks:
The Threat:
* Vishing Attacks: Threat actors are using voice phishing (vishing) to target employees. They call pretending to be IT support.
* Real-time Phishing: They use sophisticated phishing kits that allow them to dynamically change the phishing page while on the phone with the victim. This means they can guide the victim through the login and Multi-Factor Authentication (MFA) process in real-time.
* SSO Exploitation: The attacks target Single Sign-On (SSO) accounts (like those managed by Okta and Microsoft Entra). Once an SSO account is compromised, attackers can access all connected applications.
* Data Theft & Extortion: After gaining access, attackers harvest data from connected applications and then issue extortion demands.
Who is Behind It:
* ShinyHunters: This threat group has claimed responsibility for some of the attacks. They specifically mentioned Salesforce as a primary target, with other compromised companies being “benefactors” (meaning they were exploited as an inevitable result of targeting Salesforce).
How it Works:
- The Call: Attackers call employees, impersonating IT staff.
- Social Engineering: They use social engineering tactics to convince the employee to go to a phishing website.
- Real-time Manipulation: The phishing kit allows the attacker to change the page on the fly, mirroring the legitimate login process and MFA prompts.
- MFA Bypass (Effectively): The attacker instructs the victim to approve push notifications, enter TOTP codes, or complete other MFA steps on the phishing site, effectively bypassing security.
- Data Access: Once inside the SSO account, the attacker accesses connected applications and steals data.
- Extortion: The attackers demand ransom for the stolen data.
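Because the kit relays the victim's credentials and MFA responses to the real identity provider, the provider records the successful sign-in from the kit's infrastructure rather than from the employee's usual network. The following added example (not code from the article, Okta or Microsoft) shows one detection that a defender can build on that fact: it baselines the ASNs each user has successfully authenticated from, flags MFA-backed sign-ins from an ASN the user has never used, and raises the severity when several users appear from the same new ASN within a short window, which is what a shared relay looks like. The log schema and all events are constructed for the example and do not match any vendor's real log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events in a made-up generic schema (not the real Okta or Entra format).
# Each line records the user, time, source IP, the ASN that IP belongs to, and whether password + MFA succeeded.
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-05-01T09:02:00Z", "ip": "203.0.113.10", "asn": "AS64500", "result": "SUCCESS", "mfa": true}
{"user": "alice", "ts": "2024-05-02T08:58:00Z", "ip": "203.0.113.10", "asn": "AS64500", "result": "SUCCESS", "mfa": true}
{"user": "bob",   "ts": "2024-05-01T10:15:00Z", "ip": "203.0.113.22", "asn": "AS64500", "result": "SUCCESS", "mfa": true}
{"user": "bob",   "ts": "2024-05-03T10:20:00Z", "ip": "203.0.113.22", "asn": "AS64500", "result": "SUCCESS", "mfa": true}
{"user": "carol", "ts": "2024-05-01T09:00:00Z", "ip": "192.0.2.5",    "asn": "AS64511", "result": "SUCCESS", "mfa": true}
{"user": "alice", "ts": "2024-05-10T14:01:00Z", "ip": "198.51.100.7", "asn": "AS64496", "result": "SUCCESS", "mfa": true}
{"user": "bob",   "ts": "2024-05-10T14:09:00Z", "ip": "198.51.100.7", "asn": "AS64496", "result": "SUCCESS", "mfa": true}
{"user": "carol", "ts": "2024-05-10T14:30:00Z", "ip": "192.0.2.5",    "asn": "AS64511", "result": "SUCCESS", "mfa": true}
"""

# Fixed "current time" for the constructed data so the demo is reproducible.
DEMO_NOW = datetime(2024, 5, 11, tzinfo=timezone.utc)


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, now, baseline_days=7):
    """ASNs each user successfully authenticated from before the detection window opened."""
    cutoff = now - timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for event in events:
        if event["result"] == "SUCCESS" and event["ts"] < cutoff:
            baseline[event["user"]].add(event["asn"])
    return baseline


def detect_relayed_mfa_logins(events, now, baseline_days=7, cluster_window=timedelta(minutes=30)):
    """Flag MFA-backed sign-ins from an ASN the user has no history with.

    Severity is raised to "high" when more than one user shows up from the same
    unfamiliar ASN inside cluster_window: that pattern matches a relay that many
    victims are being walked through during the same calling campaign.
    """
    baseline = build_baseline(events, now, baseline_days)
    cutoff = now - timedelta(days=baseline_days)
    candidates = [
        e for e in events
        if e["ts"] >= cutoff and e["result"] == "SUCCESS" and e["mfa"]
        and e["asn"] not in baseline.get(e["user"], set())
    ]
    alerts = []
    for event in candidates:
        peers = {
            c["user"] for c in candidates
            if c["asn"] == event["asn"] and abs(c["ts"] - event["ts"]) <= cluster_window
        }
        alerts.append({
            "user": event["user"],
            "ip": event["ip"],
            "asn": event["asn"],
            "ts": event["ts"].isoformat(),
            "severity": "high" if len(peers) > 1 else "medium",
            "peers": sorted(peers),
        })
    return alerts


def demo():
    """Run the detector over the constructed log; used by the stand-alone run below."""
    return detect_relayed_mfa_logins(parse_events(SAMPLE_LOG), DEMO_NOW)


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

On the constructed data, carol's sign-in on 10 May is ignored because her ASN is already in her baseline, while alice and bob both authenticate with MFA from AS64496 within eight minutes of each other and neither has used it before, so both are reported at high severity. In a real deployment the baseline would come from weeks of provider logs and the ASN lookup from a GeoIP/ASN database, and the alert would be correlated with the user's reported help-desk calls; the logic above is the part that does not depend on the vendor.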
Affected Platforms/Companies:
* Okta: Okta has acknowledged the attacks and released a report on the phishing kits used. They initially declined to comment on specific data breaches.
* Microsoft Entra: The article shows a screenshot of a Microsoft Entra SSO dashboard, indicating it’s a potential target.
* Salesforce: ShinyHunters specifically identified Salesforce as their primary target.
* Other Applications: The attacks can impact any application connected to the compromised SSO account, including Slack, Zendesk, Atlassian, and many others.
Key Takeaway: This is a sophisticated attack that highlights the vulnerability of SSO systems when combined with effective social engineering and real-time phishing capabilities. MFA, while significant, is not a silver bullet if attackers can trick users into approving legitimate-looking prompts on a fake site.
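Push approvals and TOTP codes can be relayed because nothing in them is tied to the site the user is looking at. Phishing-resistant MFA (FIDO2/WebAuthn) closes that gap: the browser reports the page's origin inside clientDataJSON, the authenticator hashes the relying-party ID into authenticatorData, and the browser only allows an RP ID that is a registrable suffix of the page's own domain. The added example below (written for this summary, not taken from the article or from any vendor's library) reproduces the two relying-party checks that make a relayed assertion fail; `sso.example.com` and the phishing domain are assumed names, the clientDataJSON and authenticatorData bytes are constructed, and signature verification is deliberately left out so the origin binding stands alone.

```python
import hashlib
import json

# Hypothetical relying party (assumed values, not from the article).
EXPECTED_RP_ID = "sso.example.com"
EXPECTED_ORIGIN = "https://sso.example.com"


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed authenticatorData prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes).

    The browser, not the web page, hands rp_id to the authenticator, and it only accepts an
    RP ID that is a registrable suffix of the page's own origin, so a page served from a
    phishing domain cannot obtain an assertion hashed over the real SSO host.
    """
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    flags = bytes([0x05])  # UP (user present) | UV (user verified)
    return rp_id_hash + flags + counter.to_bytes(4, "big")


def make_client_data_json(origin: str, challenge_b64url: str) -> bytes:
    """Constructed clientDataJSON as a browser serialises it for an authentication ceremony."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64url, "origin": origin}
    ).encode("utf-8")


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_origin: str = EXPECTED_ORIGIN,
                   expected_rp_id: str = EXPECTED_RP_ID):
    """Relying-party checks that tie an assertion to the site the user actually visited.

    Returns (ok, reason). Signature verification over authenticatorData || sha256(clientDataJSON)
    is a separate, required step not shown here.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


CHALLENGE = "c29tZS1jaGFsbGVuZ2U"  # constructed base64url challenge issued by the RP


def simulate_legitimate_login():
    """User signs in on the real SSO page: origin and RP ID both match."""
    cdj = make_client_data_json("https://sso.example.com", CHALLENGE)
    auth_data = make_authenticator_data("sso.example.com")
    return verify_binding(cdj, auth_data)


def simulate_relayed_login():
    """User is walked through the same ceremony on the kit's page (assumed phishing domain).

    The kit can forward the RP's challenge, but the browser records the phishing origin and
    the authenticator hashes the phishing domain, so the RP rejects the assertion.
    """
    cdj = make_client_data_json("https://sso-example.login-helpdesk.test", CHALLENGE)
    auth_data = make_authenticator_data("login-helpdesk.test")
    return verify_binding(cdj, auth_data)


if __name__ == "__main__":
    print("legitimate:", simulate_legitimate_login())
    print("relayed:   ", simulate_relayed_login())
```

The relayed case fails at the origin check before the RP ID hash is even compared; even if a kit rewrote clientDataJSON to claim the real origin, the assertion signature covers the original bytes and would no longer verify. That is the property a push notification or a six-digit code lacks, and it is why moving SSO accounts to WebAuthn-based factors is the mitigation that addresses this class of attack rather than the user-awareness it tries to defeat.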
