Find notable cyber news and cases, enriched with sources, timelines, and signals.

Custom vishing campaign stealing Okta SSO credentials

Campaign
First reported
Last updated
Happening score
H score 44
2 unique sources, 2 articles

Summary

Hide ▲

A custom vishing campaign is actively stealing Okta SSO credentials through live, adversary-in-the-middle phishing pages, creating immediate risk of account takeover and downstream data theft. Multiple hacking groups are using the service against identity providers such as Google, Microsoft, and Okta, as well as cryptocurrency platforms. The operation relies on spoofed helpdesk calls, real-time MFA relay, and attacker backends such as Telegram to intercept credentials and TOTP codes.

Related Happenings

Pink new extortion brand within The Com

Threat Actor Meta
H score30 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations

Threat Actor Meta
H score37 First: 01.07.2026 10:20 Last: 01.07.2026 10:20 Sources 1

About this happening: Brand-impersonation phishing has become a **paid service**, with kits like **Lucid** and **Lighthouse** scaling fake-domain operations across **316 brands** in **74 countries**, i...

DOJ seizes HuiOne cloud account

Law Enforcement
H score17 First: 24.06.2026 11:55 Last: 24.06.2026 11:55 Sources 1

About this happening: The **U.S. Department of Justice** seized a **cloud computing account** used by **HuiOne Group** subsidiaries, disrupting backend infrastructure tied to **cyber scams** and crimin...

Icarus Salesforce data-theft extortion campaign

Campaign
H score42 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

About this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...

Latest development: 23.06.2026 16:58

LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.

Timeline

  1. 22.01.2026 23:43 2 articles · 5mo ago

    Okta warns of active vishing credential theft

    Initial Disclosure

    Okta warns that custom phishing kits built for voice-based social engineering are being used in active attacks against employees at identity providers and cryptocurrency platforms, including Okta, Google, and Microsoft, to steal SSO credentials, relay TOTP codes through real-time adversary-in-the-middle pages, and bypass push-based MFA including number matching.

    Show sources