ShinyHunters Is Voice-Phishing Its Way Through Your SSO Provider
Overview
The threat group ShinyHunters has been running a coordinated voice-phishing campaign against roughly 100 organizations, stealing SSO credentials from Okta, Microsoft Entra, and Google identity platforms. The confirmed casualty list already includes Match Group (10 million records across Hinge, Tinder, and OkCupid), Betterment (20 million records), Crunchbase (2 million records), Panera Bread (14 million records), CarMax, Edmunds, and SoundCloud. The target list reportedly extends to Canva, Epic Games, HubSpot, Atlassian, Iron Mountain, and dozens more.
This is not a product vulnerability. There is no CVE to patch. ShinyHunters is calling your employees on the phone, pretending to be IT support, and walking them through handing over their SSO credentials on fake login pages. Once they have a working session, they enroll their own devices into your MFA solution and fan out across every SaaS application your SSO touches.
How the Attack Works
The campaign combines old-school social engineering with modern identity infrastructure abuse. The attack chain follows a consistent pattern across victims.
Step 1: Voice phishing. ShinyHunters calls employees directly, impersonating internal IT support. They use voice-phishing kits that direct targets to convincing fake login portals mimicking Okta, Microsoft Entra, or Google sign-in pages. In the Match Group case, researchers identified a phishing domain at matchinternal.com.
Step 2: Real-time credential and MFA relay. When the employee enters their credentials and MFA code on the phishing page, the kit relays them to the real identity provider in real time. This is an adversary-in-the-middle technique. The attacker completes authentication before the time-based code expires.
Step 3: MFA device enrollment. With an active session, ShinyHunters enrolls their own device into the victim’s MFA configuration. This gives them persistent access that survives password resets, because the attacker now has a legitimate second factor registered to the account.
Step 4: Lateral movement through connected apps. A single SSO credential is a skeleton key. At Match Group, the compromised Okta account gave ShinyHunters access to AppsFlyer (marketing analytics), Google Drive, and Dropbox. The attackers pulled 1.7 GB of compressed data including user records from Hinge, Match, and OkCupid, plus hundreds of internal documents, subscription records, IP addresses, and location data.
The group has also pivoted beyond Okta. The Panera Bread breach came through Microsoft Entra SSO, which means ShinyHunters is diversifying across identity providers rather than betting on a single platform.
Technical Details
Threat actor: ShinyHunters, a financially motivated group with prior campaigns against Salesforce customers (2025) and identity service providers, relying on social-engineering tactics.
Attack classification: Social engineering + adversary-in-the-middle (AitM) credential theft + MFA enrollment abuse.
Phishing infrastructure: Voice-phishing kits capable of real-time credential and MFA relay. Known domain: matchinternal.com (Match Group campaign). Kits target Okta, Microsoft Entra, and Google authentication portals.
Scale: Approximately 100 organizations targeted within a 30-day window, per Silent Push analysis. ShinyHunters confirmed this estimate was “close” to the actual number.
Confirmed compromises and data volumes:
| Victim | Records | Data Size | SSO Platform |
|---|---|---|---|
| Betterment | 20M+ | Undisclosed | Okta |
| Panera Bread | 14M+ | 760 MB | Microsoft Entra |
| Match Group (Hinge, Match, OkCupid) | 10M+ | 1.7 GB | Okta |
| SoundCloud | 30M+ | Undisclosed | Other vector |
| Crunchbase | 2M+ | Undisclosed | Okta |
| CarMax | 500K+ | 1.7 GB | Undisclosed |
| Edmunds | Millions | 12 GB | Undisclosed |
Named targets (unconfirmed compromise): Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, ZoomInfo.
Impact
The scale alone makes this one of the more significant identity-focused campaigns of the past year. But the real concern is the method.
Your perimeter security, endpoint detection, and network monitoring are all bypassed the moment an attacker has a legitimate SSO session. They are not exploiting a vulnerability. They are logging in as your employee, with your employee’s credentials, through your identity provider’s front door. SIEM rules tuned for anomalous authentication patterns may not fire if the attacker’s enrolled device and session look normal.
The cascading effect of SSO compromise also multiplies the blast radius. One credential gives access to every application federated through your identity provider. For Match Group, that meant marketing analytics, cloud storage, and user databases all fell from a single compromised Okta account. Organizations with dozens of SaaS integrations behind SSO face the same risk.
There is also a supply chain dimension. The Match Group breach appears to have reached user data through AppsFlyer, a third-party marketing analytics provider. Even if your own application security is solid, a compromised SSO credential can reach data through any connected vendor or service.
Timeline
| Date | Event |
|---|---|
| January 13 | SoundCloud publishes security update related to breach |
| January 22 | Okta Threat Intelligence issues alert about voice-phishing campaign targeting SSO credentials |
| January 23 | ShinyHunters publicly leaks Crunchbase and Betterment data, claims responsibility |
| January 26 | Silent Push and Google Mandiant publish campaign analysis; ~100 targets identified |
| January 27 | ShinyHunters claims Panera Bread, CarMax, and Edmunds via Microsoft Entra SSO |
| January 29 | Match Group breach confirmed; 10M+ records from Hinge, Tinder, OkCupid exposed |
MITRE ATT&CK Mapping
- T1566.004, Phishing: Voice Phishing: Phone calls impersonating IT support to steal SSO credentials
- T1557, Adversary-in-the-Middle: Real-time relay of credentials and MFA tokens through phishing kits
- T1098.005, Account Manipulation: Device Registration: Enrolling attacker-controlled devices into victim MFA
- T1078, Valid Accounts: Using stolen SSO credentials to access federated applications
- T1530, Data from Cloud Storage: Exfiltration from Google Drive, Dropbox, and SaaS platforms via SSO access
Recommended Actions
- Deploy phishing-resistant MFA. Google Mandiant CTO Charles Carmakal specifically recommended FIDO2 security keys or passkeys. SMS codes, TOTP apps, and push notifications can all be relayed through adversary-in-the-middle kits. Hardware-bound credentials cannot. If you are still using phishable MFA on your identity provider, this campaign is your wake-up call.
- Audit MFA device enrollments. Review recently enrolled MFA devices across all SSO accounts. Look for devices registered from unfamiliar locations, IP ranges, or user-agents. If ShinyHunters gained access to an account, they enrolled a device. That device is still there unless you removed it.
- Restrict application authorization policies. Limit which applications can receive SSO tokens and enforce conditional access policies based on device compliance, network location, and risk signals. A single SSO credential should not be a blank check for every connected application.
- Monitor for anomalous API activity. After SSO compromise, attackers interact with connected applications through their APIs. Watch for unusual data export volumes, bulk record access, or API calls from unfamiliar client IDs. The Match Group attackers pulled data from AppsFlyer, Google Drive, and Dropbox, all of which have API audit logs.
- Train staff on voice phishing specifically. Most phishing awareness programs focus on email. ShinyHunters is calling people on the phone. Your help desk and IT support teams should have verification procedures for inbound “IT support” calls, and employees should know that legitimate IT will never ask them to enter credentials on a page sent via text or chat during a phone call.
- Review third-party SaaS integrations. Map which applications are federated through your SSO provider and assess whether each integration needs the level of access it has. The Match Group breach reached user data through a marketing analytics provider. Minimize the data exposure surface by restricting OAuth scopes and reviewing vendor access regularly.
- Check your exposure against known targets. If your organization uses Okta or Microsoft Entra and operates in technology, financial services, or consumer internet sectors, treat the Okta advisory from January 22 as a direct warning. Review authentication logs from the past 30 days for suspicious patterns.
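The MFA enrollment audit and the 30-day log review above can be run as one correlation: flag any factor enrollment from a network the user has never signed in from, or one that follows a sign-in from a different network within the hour (the attacker's relayed session, then their own device). This is an added example, not code from CCG or the cited reports; the event field names and sample events are constructed and only loosely modeled on identity-provider system logs, so map them to your own Okta, Entra, or Google export before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample audit events (field names are assumptions, loosely modeled
# on identity-provider system logs, not Okta's or Entra's exact schema).
EVENTS = [
    {"ts": "2026-01-05T08:00:00Z", "user": "alice", "type": "session.start", "ip": "203.0.113.10"},
    {"ts": "2026-01-20T09:02:11Z", "user": "alice", "type": "session.start", "ip": "203.0.113.10"},
    {"ts": "2026-01-20T09:03:40Z", "user": "alice", "type": "mfa.factor.enroll", "ip": "203.0.113.10"},
    {"ts": "2026-01-05T08:30:00Z", "user": "bob", "type": "session.start", "ip": "198.51.100.7"},
    # Campaign pattern: sign-in relayed through a phishing kit, then a factor
    # enrolled minutes later from a third, unrelated network.
    {"ts": "2026-01-22T14:10:05Z", "user": "bob", "type": "session.start", "ip": "192.0.2.200"},
    {"ts": "2026-01-22T14:16:30Z", "user": "bob", "type": "mfa.factor.enroll", "ip": "100.64.1.9"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def net(ip):
    # Compare on /24 so DHCP churn inside one office network is not a finding.
    return str(ip_network(f"{ip}/24", strict=False))

def suspicious_enrollments(events, window_minutes=60):
    """Return (user, enrollment_ts, reasons) for factor enrollments that look attacker-driven."""
    window = timedelta(minutes=window_minutes)
    logins = defaultdict(list)  # user -> [(time, /24)] of sign-ins seen so far
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        t, u, n = parse_ts(e["ts"]), e["user"], net(e["ip"])
        if e["type"] == "session.start":
            logins[u].append((t, n))
            continue
        if e["type"] != "mfa.factor.enroll":
            continue
        # Baseline: networks this user signed in from well before the enrollment.
        baseline = {n0 for t0, n0 in logins[u] if t - t0 > window}
        recent = [n0 for t0, n0 in logins[u] if t - t0 <= window]
        reasons = []
        if n not in baseline:
            reasons.append(f"factor enrolled from {n}, never seen for this user")
        if any(n0 != n for n0 in recent):
            reasons.append(f"enrolled within {window_minutes} min of a sign-in from a different network")
        if reasons:
            findings.append((u, e["ts"], reasons))
    return findings

if __name__ == "__main__":
    for user, ts, reasons in suspicious_enrollments(EVENTS):
        print(user, ts, "; ".join(reasons))
```

Every hit is a device to remove and a session to revoke, not just an alert; alice's same-network enrollment is deliberately left unflagged to show the baseline logic.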
How CCG Can Help
If you are concerned about your organization’s exposure to SSO-based attacks, or you want to validate whether your identity infrastructure would withstand this type of campaign, reach out to us. Our team works with organizations to:
- Conduct SSO security assessments to evaluate your Okta, Entra, or Google Workspace configuration, including MFA policies, conditional access rules, device enrollment controls, and federated application permissions
- Perform social engineering testing that includes voice phishing (vishing) simulations to measure how your staff and help desk respond to the exact techniques ShinyHunters is using
- Run incident response and compromise assessment if you suspect your SSO credentials may have been targeted, including forensic review of authentication logs, MFA enrollments, and downstream data access
- Design phishing-resistant authentication architectures that move your organization from legacy MFA to FIDO2 security keys or passkeys, reducing your attack surface against credential relay attacks
Your SSO provider is the front door to everything. We can help you make sure it holds up.
Sources
- https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
- https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/
- https://www.theregister.com/2026/01/29/shinyhunters_match_group/
- https://www.theregister.com/2026/01/23/shinyhunters_claims_okta_customer_breaches/
- https://www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/