Security Alert: ShinyHunters’ Vishing Campaign Threatens Enterprise Identity Security

Organisations around the world are facing a growing cybersecurity threat from the ShinyHunters hacking collective, which has escalated its tactics to include sophisticated voice-based social engineering attacks targeting identity and access management systems.

In a joint observation by Google Threat Intelligence and Mandiant, cybersecurity leaders highlighted that ShinyHunters is executing “a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organisations, and enrol threat actor controlled devices into victim MFA solutions. This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organisations with an extortion demand,” said Charles Carmakal, CTO, Mandiant Consulting.

Attackers Exploiting Trust, Not Vulnerabilities

The actors do not exploit software flaws. Instead, they rely on human manipulation — persuading employees during legitimate-looking phone calls to divulge credentials or approve multifactor prompts. Once inside, attackers abuse access to extract sensitive corporate data from cloud services and, in some cases, approach victims with ransom demands.

Recent reporting also notes that ShinyHunters’ campaign has cast a wide net, with more than 100 high-profile organisations identified as potential targets in a credential-theft operation aimed at identity platforms including Okta.

Business Impact and Risk Profile

For business leaders, the implications are serious:

Identity is the new perimeter: Compromised SSO credentials can provide lateral access to critical business applications like CRM, finance, and operations systems.

Extortion risks are rising: Some organisations contacted by ShinyHunters have received extortion demands following data access — adding financial and reputational risk.

Compliance concerns: Data exfiltration could trigger regulatory reporting obligations under privacy laws and industry standards.

Recommended Defences

Mandiant’s advisory reinforces that organisations should focus on stronger authentication practices. “While this is not the result of a security vulnerability in vendors’ products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible, as these protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not. Administrators should also implement strict app authorization policies and monitor logs for anomalous API activity or unauthorized device enrollments.”

Business risk teams should also:

Educate employees about voice phishing and impersonation threats.

Validate IT support requests through official channels.

Audit access and authorisation workflows regularly.

Invest in monitoring tools that identify anomalous login behaviour and unauthorised changes to identity settings.
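As an added illustration (not part of the original article or of Mandiant's advisory), the following sketch shows one way to monitor for the "unauthorized device enrollments" signal: flag an MFA enrolment that comes from an IP address the user has not used before, or that closely follows a login from such an address. The event schema (`ts`, `user`, `event`, `ip`), the 30-minute window, the baseline and the sample events are all assumptions constructed for the example and must be mapped to your identity provider's real audit log.

```python
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical, simplified schema.
BASELINE = {  # IPs each user has historically signed in from
    "alice": {"198.51.100.7"}, "bob": {"198.51.100.8"},
    "carol": {"192.0.2.20"}, "dave": {"192.0.2.30"},
}
EVENTS = [
    {"ts": "2025-01-06T08:00:00", "user": "dave", "event": "login", "ip": "203.0.113.90"},
    {"ts": "2025-01-06T09:00:00", "user": "alice", "event": "login", "ip": "198.51.100.7"},
    {"ts": "2025-01-06T09:05:00", "user": "alice", "event": "mfa_enroll", "ip": "198.51.100.7"},
    {"ts": "2025-01-06T10:00:00", "user": "bob", "event": "login", "ip": "203.0.113.50"},
    {"ts": "2025-01-06T10:04:00", "user": "bob", "event": "mfa_enroll", "ip": "203.0.113.50"},
    {"ts": "2025-01-06T11:00:00", "user": "carol", "event": "login", "ip": "203.0.113.77"},
    {"ts": "2025-01-06T11:10:00", "user": "carol", "event": "mfa_enroll", "ip": "192.0.2.20"},
    {"ts": "2025-01-06T12:00:00", "user": "dave", "event": "mfa_enroll", "ip": "192.0.2.30"},
]

def flag_enrollments(events, baseline, window=timedelta(minutes=30)):
    """Return (user, timestamp, reason) for MFA enrolments worth reviewing."""
    alerts = []
    unfamiliar_login = {}  # user -> time of latest login from a non-baseline IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        familiar = ev["ip"] in baseline.get(user, set())
        if ev["event"] == "login" and not familiar:
            unfamiliar_login[user] = when
        elif ev["event"] == "mfa_enroll":
            last = unfamiliar_login.get(user)
            if not familiar:
                alerts.append((user, ev["ts"], "enrolment from unfamiliar IP"))
            elif last is not None and when - last <= window:
                alerts.append((user, ev["ts"], "enrolment soon after unfamiliar-IP login"))
    return alerts

if __name__ == "__main__":
    for alert in flag_enrollments(EVENTS, BASELINE):
        print(alert)
```

Alerts from a rule like this are leads for review, for example by confirming the enrolment with the user through an official channel, rather than proof of compromise.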

Looking Ahead

The ShinyHunters campaign underscores that cybercriminals are increasingly targeting organisational identities rather than infrastructure vulnerabilities. For executives, this shift means reassessing cybersecurity investments to prioritise identity-centric controls and user behaviour analytics — crucial steps in managing risk in a cloud-centric enterprise environment.

© Scoop Media
