A new and distinct wave of voice phishing (vishing) attacks attributed to the notorious ShinyHunters hacking collective is spreading fast, with defenders urged to be on their guard following breaches affecting at least three major organisations so far.

The campaign appears to involve custom vishing kits targeting Google, Microsoft and Okta environments – as Okta itself warned last week – and may have already ensnared business intelligence specialist Crunchbase, music streaming platform SoundCloud, and financial planning and investment firm Betterment.

Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, is among those following the campaign as it develops.

“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organisations, and enrol threat actor controlled devices into victim MFA solutions,” he told Computer Weekly via email.

“This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organisations with an extortion demand.

“While this is not the result of a security vulnerability in vendors’ products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible,” said Carmakal.

“These protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not. Administrators should also implement strict app authorisation policies and monitor logs for anomalous API activity or unauthorised device enrolments.”
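One way to act on the log-monitoring advice quoted above, as an added example that is not code from Mandiant, Okta or the original article: it flags MFA device enrolments that come from an IP address outside a user's known baseline and records how soon they follow an SSO login from that same unfamiliar address. The event schema, field names, baseline and sample events are all constructed assumptions, not any identity provider's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample data in a simplified, hypothetical schema
# (not any identity provider's real log format).
BASELINE = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.9"}, "carol": {"203.0.113.12"}}
EVENTS = [
    {"ts": "2026-01-20T09:00:00", "user": "alice", "type": "sso_login", "ip": "203.0.113.5"},
    {"ts": "2026-01-20T09:05:00", "user": "alice", "type": "mfa_enrol", "ip": "203.0.113.5"},
    {"ts": "2026-01-20T10:00:00", "user": "bob", "type": "sso_login", "ip": "198.51.100.77"},
    {"ts": "2026-01-20T10:04:00", "user": "bob", "type": "mfa_enrol", "ip": "198.51.100.77"},
    {"ts": "2026-01-20T11:00:00", "user": "carol", "type": "mfa_enrol", "ip": "192.0.2.44"},
]


def flag_enrolments(events, baseline, window=timedelta(minutes=30)):
    """Flag MFA device enrolments made from an IP outside the user's baseline.

    Each alert records how many minutes earlier the same user logged in from
    that same unfamiliar IP (None if no such login falls inside the window).
    """
    last_login = {}  # (user, ip) -> datetime of the most recent SSO login
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["type"] == "sso_login":
            last_login[key] = ts
        elif ev["type"] == "mfa_enrol":
            if ev["ip"] in baseline.get(ev["user"], set()):
                continue  # enrolment from a known address: not flagged here
            login = last_login.get(key)
            gap = None
            if login is not None and ts - login <= window:
                gap = int((ts - login).total_seconds() // 60)
            alerts.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"],
                           "minutes_after_new_ip_login": gap})
    return alerts


if __name__ == "__main__":
    for alert in flag_enrolments(EVENTS, BASELINE):
        print(alert)
```

An enrolment with a short gap after a first login from a new address is the higher-priority case to review; one with no matching login at all points to a gap in log coverage or a session established elsewhere.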

Researchers at Sophos’ Counter Threat Unit (CTU) told our sister title Cybersecurity Dive that they had been tracking about 150 hacker-controlled domains used in the campaign, most of which seem to have been created in December 2025.

CTU threat intel director Rafe Pilling said he was unable to confirm if all of those domains had been used, but noted that the attackers appeared to be using them to create target-specific phishing websites, often impersonating authentication providers, including Okta.

Victims speak out

Crunchbase has already confirmed that hackers stole and leaked a 402MB compressed archive after failing to extort the company, but said that day-to-day operations were not affected, and that it has otherwise fully contained the breach. It is working with the US authorities on its investigation, and is reviewing the leaked data to determine if it needs to legally notify any users.

Separately, SoundCloud and Betterment have also disclosed data breaches. SoundCloud, which was breached in December 2025, said the intrusion took the form of unauthorised activity in an ancillary service dashboard – although its notification makes no mention of social engineering or vishing as its source. It said that the compromised data took the form of email addresses and publicly available information posted on about 20% of SoundCloud user profiles.

Betterment, meanwhile, said it detected a breach on 9 January when “an unauthorised individual gained access to certain Betterment systems through social engineering” against its marketing and operations teams. The attackers used their access to send a fraudulent cryptocurrency-related message to some customers, all of whom have been notified.