ShinyHunters vishing campaign targeting SSO accounts
Campaign
Summary
The ShinyHunters group ran a voice phishing campaign against single sign-on (SSO) accounts at Okta, Microsoft, and Google, widening risk across more than 100 high-profile organizations. The operation mattered because it used account-access abuse rather than a one-off intrusion, creating repeatable exposure across many targets. The campaign was active in late January 2026 and tied to credential theft and follow-on data access.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Infostealer malware operation targeting online store users
Malware Activity
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Open-source admin tool zero-day 2FA bypass exploitation wave
Exploitation Wave
First: 11.05.2026 18:45
Last: 11.05.2026 18:45
Sources 1
About this happening:
Google identified a **mass vulnerability exploitation operation** using a **zero-day 2FA bypass** against a **popular open-source, web-based system administration tool**, creating...
Timeline
26.05.2026 22:46 1 article · 23h ago
ShinyHunters claims Charter Communications data theft via Salesforce access
Victim Impact Update
ShinyHunters claims it breached Charter Communications on April 1 by vishing an employee's Microsoft Entra account, then used that access to export millions of consumer and business customer records from the company's Salesforce instance; Charter says no sensitive personal information or CPNI was exfiltrated.
Sources:
- Charter confirms data breach after ShinyHunters extortion threat — www.bleepingcomputer.com — 26.05.2026 22:46
23.02.2026 20:04 2 articles · 3mo ago
ShinyHunters vishing campaign adds device code abuse
Campaign Scope Update
ShinyHunters-linked operators expanded a voice-phishing campaign that targeted single sign-on (SSO) accounts at Microsoft, Okta, and Google across more than 100 high-profile organizations, and they also shifted to device code vishing that abuses the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.
Sources:
- Ad tech firm Optimizely confirms data breach after vishing attack — www.bleepingcomputer.com — 23.02.2026 20:04
- ADT confirms data breach after ShinyHunters leak threat — www.bleepingcomputer.com — 25.04.2026 01:53
02.02.2026 15:46 3 articles · 3mo ago
ShinyHunters vishing campaign targeting SSO accounts
Initial Disclosure
In **late January 2026**, **ShinyHunters** began a **vishing** push aimed at **SSO accounts** tied to major identity platforms. The initial phase used voice phishing and account-access abuse to reach a broad set of organizations.
Sources:
- Panera Bread breach impacts 5.1 million accounts, not 14 million customers — www.bleepingcomputer.com — 02.02.2026 15:46
- Panera Bread breach impacts 5.1 million accounts, not 14 million customers — www.bleepingcomputer.com — 02.02.2026 15:46
- Data breach at fintech firm Figure affects nearly 1 million accounts — www.bleepingcomputer.com — 18.02.2026 16:01