Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters vishing campaign targeting SSO accounts

Campaign
First reported
Last updated
Happening score
H score 84
1 unique sources, 5 articles

Summary

Hide ▲

The ShinyHunters group ran a voice phishing campaign against single sign-on (SSO) accounts at Okta, Microsoft, and Google, widening risk across more than 100 high-profile organizations. The operation mattered because it used account-access abuse rather than a one-off intrusion, creating repeatable exposure across many targets. The campaign was active in late January 2026 and tied to credential theft and follow-on data access.

Related Happenings

Oracle PeopleSoft broad zero-day exploitation campaign

Exploitation Wave
H score82 First: 29.06.2026 13:00 Last: 29.06.2026 13:00 Sources 1

About this happening: A **broad PeopleSoft zero-day exploitation campaign** exposed **multiple organizations** to compromise after attackers abused a **previously unknown Oracle PeopleSoft vulnerabilit...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score82 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

Organization hit by network compromise linked to Velvet Ant

Incident
H score35 First: 13.06.2026 17:06 Last: 13.06.2026 17:06 Sources 1

About this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...

Senior executive at major global stock exchange hit by data theft breach

Incident
H score7 First: 03.06.2026 15:46 Last: 03.06.2026 15:46 Sources 1

About this happening: A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...

Timeline

  1. 26.05.2026 22:46 1 articles · 1mo ago

    ShinyHunters claims Charter Communications data theft via Salesforce access

    Victim Impact Update

    ShinyHunters claims it breached Charter Communications on April 1 by vishing an employee's Microsoft Entra account, then used that access to export millions of consumer and business customer records from the company's Salesforce instance; Charter says no sensitive personal information or CPNI was exfiltrated.

    Show sources
  2. 23.02.2026 20:04 2 articles · 4mo ago

    ShinyHunters vishing campaign adds device code abuse

    Campaign Scope Update

    ShinyHunters-linked operators expanded a voice-phishing campaign that targeted single sign-on (SSO) accounts at Microsoft, Okta, and Google across more than 100 high-profile organizations, and they also shifted to device code vishing that abuses the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.

    Show sources
  3. 02.02.2026 15:46 3 articles · 5mo ago

    ShinyHunters vishing campaign targeting SSO accounts

    Initial Disclosure

    In **late January 2026**, **ShinyHunters** began a **vishing** push aimed at **SSO accounts** tied to major identity platforms. The initial phase used voice phishing and account-access abuse to reach a broad set of organizations.

    Show sources