Canva among ~100 targets of ShinyHunters Okta identity-theft campaign

Summary

ShinyHunters has targeted around 100 organisations in a campaign to steal Okta single sign-on (SSO) credentials, researchers at Silent Push and the criminal group itself say. Silent Push published a list of domains it observed being actively targeted in the past 30 days; named tech firms include Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral and ZoomInfo.

Researchers stress that being targeted does not mean a confirmed breach — Silent Push has no intel to confirm successful compromises across all listed organisations. Google’s Mandiant is tracking the campaign and describes evolved voice‑phishing tactics that both capture SSO credentials and enrol attacker‑controlled devices into victims’ multi‑factor authentication (MFA) solutions. After initial access, attackers pivot into SaaS environments to exfiltrate sensitive data and, in some cases, issue extortion demands.

Security advice from incident responders includes adopting phishing‑resistant MFA (for example FIDO2 keys or passkeys), enforcing strict app authorisation policies and monitoring logs for anomalous API activity or unauthorised device enrolments. Okta issued its own alert about criminals voice‑phishing for SSO credentials; ShinyHunters has claimed access to Crunchbase and Betterment and leaked what it says are millions of records.

Key Points

  • ShinyHunters is behind an Okta SSO credential‑theft campaign targeting roughly 100 organisations.
  • Silent Push listed multiple tech firms as targets, including Canva, Atlassian, RingCentral and ZoomInfo.
  • Targeting does not equate to confirmed breach — investigators have not verified success for all named organisations.
  • Attackers employ advanced voice‑phishing and enrol attacker devices into victims’ MFA setups to bypass protections.
  • Mandiant warns actors pivot into SaaS environments to exfiltrate data and pursue extortion where possible.
  • Mitigations recommended: phishing‑resistant MFA (FIDO2/passkeys), strict app authorisation, and vigilant log/API monitoring.
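
One way to act on the log-monitoring advice, as an added example rather than code from the article, Okta or the researchers: flag MFA factor activations made from an IP address the user has only just started signing in from. The two event type names are Okta System Log values; the one-hour window, the reduced field set and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SESSION_START = "user.session.start"          # Okta System Log event type
FACTOR_ACTIVATE = "user.mfa.factor.activate"  # Okta System Log event type
NEW_IP_WINDOW = timedelta(hours=1)            # assumed threshold; tune per environment

def parse_ts(value):
    # System Log timestamps are ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def suspicious_enrolments(events, window=NEW_IP_WINDOW):
    """Flag successful factor activations from an IP that is new to the user."""
    first_seen = {}  # (user, ip) -> time of first successful sign-in
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        when = parse_ts(ev["published"])
        if ev["eventType"] == SESSION_START:
            first_seen.setdefault((user, ip), when)
        elif ev["eventType"] == FACTOR_ACTIVATE:
            seen = first_seen.get((user, ip))
            if seen is None:
                findings.append((user, ip, "no prior sign-in from this IP"))
            elif when - seen <= window:
                findings.append((user, ip, "IP first seen shortly before enrolment"))
    return findings

def _ev(event_type, user, ip, ts, result="SUCCESS"):
    # Builds a constructed event carrying only the fields the check reads
    return {"eventType": event_type, "published": ts, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "outcome": {"result": result}}

# Constructed sample events (documentation IP ranges, example.com users)
SAMPLE_EVENTS = [
    _ev(SESSION_START, "alice@example.com", "192.0.2.10", "2026-01-05T09:00:00.000Z"),
    _ev(FACTOR_ACTIVATE, "alice@example.com", "192.0.2.10", "2026-01-12T10:00:00.000Z"),
    _ev(SESSION_START, "bob@example.com", "198.51.100.7", "2026-01-10T08:00:00.000Z"),
    _ev(SESSION_START, "bob@example.com", "203.0.113.50", "2026-01-20T14:02:00.000Z"),
    _ev(FACTOR_ACTIVATE, "bob@example.com", "203.0.113.50", "2026-01-20T14:09:00.000Z"),
    _ev(FACTOR_ACTIVATE, "carol@example.com", "203.0.113.51", "2026-01-21T11:00:00.000Z"),
    _ev(FACTOR_ACTIVATE, "dave@example.com", "203.0.113.52", "2026-01-21T12:00:00.000Z", "FAILURE"),
]

if __name__ == "__main__":
    for finding in suspicious_enrolments(SAMPLE_EVENTS):
        print(finding)
```

An enrolment from a long-established address (alice) passes, while one that follows minutes after a first sign-in from a new address (bob), or has no sign-in from that address at all (carol), is surfaced for review.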

Context and Relevance

This campaign highlights a growing trend: social‑engineering techniques that defeat traditional push‑based or SMS MFA by enrolling attacker devices. Organisations that rely on SSO and SaaS are particularly exposed — CISOs, identity teams and IT ops should note the shift from simple phishing to voice‑phishing plus MFA‑enrolment tactics. The incident ties into broader threats around SaaS supply‑chain access, commoditised social engineering, and extortion following data exfiltration.

Why should I read this

Short and blunt: if you look after cloud identities or SaaS accounts, this is the sort of scam that can blow up fast. Read it to get a quick grip on what attackers are doing, which big names were targeted, and the practical fixes (think FIDO2/passkeys, tighter app approvals and log checks) you should consider yesterday.

Author style

Punchy — this is important: an active campaign hitting well‑known targets means you should prioritise reviewing SSO and MFA defences now.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/