Overview
- Mandiant says the campaign is ongoing, compromises SSO credentials, enrolls attacker-controlled devices into MFA, and pivots into SaaS apps for data theft with extortion attempts reported.
- Silent Push reports around 100 Okta SSO accounts at high-value enterprises have been targeted, including major tech firms such as Canva, while noting this does not confirm successful breaches.
- Okta Threat Intelligence has observed multiple purpose-built kits and custom domains that mimic Google, Microsoft and Okta sign-ins to synchronize prompts in real time, with other researchers tracking roughly 150 target-themed domains.
- A ShinyHunters-branded leak site posted alleged datasets and named victims, while SoundCloud and Betterment separately disclosed recent social-engineering incidents under review for scope and impact.
- Researchers have not confirmed attribution to ShinyHunters and urge phishing-resistant MFA such as FIDO2 or passkeys, stricter app authorization policies, and monitoring for unusual device enrollments or API activity.
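The last recommendation, monitoring for unusual device enrollments, can be turned into a concrete check. The script below is an added example, not code from the article or from Mandiant, Okta or Silent Push: it reads newline-delimited JSON events whose layout is modelled on Okta System Log records (eventType, actor, client, outcome, published), builds a per-user baseline of client IPs from successful sign-ins, and flags MFA factor enrollments from a client that either has no sign-in history for that user or was first seen only minutes earlier, which is the pattern a relayed-prompt phishing session produces. The event type names, field layout and sample log lines are assumptions constructed for the example; verify the names against your own tenant's log before use.

```python
"""Flag MFA factor enrollments from clients a user has never signed in from before.

Added example. Record layout and event type names are assumptions modelled on
Okta System Log entries; the sample lines are constructed, not real tenant data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names assumed for this example; confirm them against your tenant.
LOGIN_EVENT = "user.session.start"
ENROLL_EVENT = "user.mfa.factor.activate"

# Constructed sample log (newline-delimited JSON). Deliberately not in time order,
# to show that the detector sorts before building the baseline.
SAMPLE_LOG = """\
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer"},"published":"2026-01-10T09:00:00Z"}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer"},"published":"2026-01-11T09:05:00Z"}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77","device":"Mobile"},"published":"2026-01-12T14:20:00Z"}
{"eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77","device":"Mobile"},"published":"2026-01-12T14:23:00Z"}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.22","device":"Computer"},"published":"2026-01-11T08:00:00Z"}
{"eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.22","device":"Computer"},"published":"2026-01-12T08:30:00Z"}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.40","device":"Computer"},"published":"2026-01-11T10:00:00Z"}
{"eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"192.0.2.9","device":"Computer"},"published":"2026-01-12T16:00:00Z"}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.22","device":"Computer"},"published":"2026-01-05T08:00:00Z"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON events and return them sorted by publish time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Timestamps use a trailing Z; rewrite it so fromisoformat accepts it on any 3.x.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def find_suspicious_enrollments(log_text, min_age_hours=24):
    """Return MFA enrollments whose client IP lacks sign-in history older than min_age_hours.

    A client is treated as established for a user only if a successful sign-in from
    that IP happened at least min_age_hours before the enrollment; anything newer is
    flagged, because an enrollment minutes after a first-ever sign-in is the shape
    a real-time phishing relay leaves behind.
    """
    min_age = timedelta(hours=min_age_hours)
    first_login = defaultdict(dict)  # user -> {client ip: time of first successful sign-in}
    findings = []
    for ev in parse_events(log_text):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = ev["_ts"]
        if ev["eventType"] == LOGIN_EVENT:
            first_login[user].setdefault(ip, ts)
        elif ev["eventType"] == ENROLL_EVENT:
            seen = first_login[user].get(ip)
            if seen is None:
                reason = "no prior login from this client IP"
            elif ts - seen < min_age:
                minutes = int((ts - seen).total_seconds() // 60)
                reason = f"first login from this client IP only {minutes} min before enrollment"
            else:
                continue  # established client; nothing to report
            findings.append({"user": user, "ip": ip, "published": ev["published"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"ALERT {f['published']} {f['user']} from {f['ip']}: {f['reason']}")
```

On the constructed sample this reports alice (enrollment three minutes after the first sign-in from a new mobile client) and carol (enrollment from an IP with no sign-in history), and stays quiet for bob, whose client has a week of history. In production the baseline would be keyed on a device identifier or ASN as well as the IP, and the age threshold tuned to how often legitimate users change networks.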