ShinyHunters vishing campaign targeting SSO accounts
Campaign
Summary
Hide ▲
Show ▼
The ShinyHunters group ran a voice phishing campaign against single sign-on (SSO) accounts at Okta, Microsoft, and Google, widening risk across more than 100 high-profile organizations. The operation mattered because it used account-access abuse rather than a one-off intrusion, creating repeatable exposure across many targets. The campaign was active in late January 2026 and tied to credential theft and follow-on data access.
Related Happenings
Oracle PeopleSoft broad zero-day exploitation campaign
Exploitation Wave
H score82
First: 29.06.2026 13:00
Last: 29.06.2026 13:00
Sources 1
About this happening:
A **broad PeopleSoft zero-day exploitation campaign** exposed **multiple organizations** to compromise after attackers abused a **previously unknown Oracle PeopleSoft vulnerabilit...
Oracle PeopleSoft broad zero-day exploitation campaign
Exploitation WaveAbout this happening: A **broad PeopleSoft zero-day exploitation campaign** exposed **multiple organizations** to compromise after attackers abused a **previously unknown Oracle PeopleSoft vulnerabilit...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
CampaignAbout this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Organization hit by network compromise linked to Velvet Ant
Incident
H score35
First: 13.06.2026 17:06
Last: 13.06.2026 17:06
Sources 1
About this happening:
A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Organization hit by network compromise linked to Velvet Ant
IncidentAbout this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Senior executive at major global stock exchange hit by data theft breach
Incident
H score7
First: 03.06.2026 15:46
Last: 03.06.2026 15:46
Sources 1
About this happening:
A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...
Senior executive at major global stock exchange hit by data theft breach
IncidentAbout this happening: A senior executive at a major global stock exchange suffered an **email account compromise** that enabled **months of unauthorized mailbox access** and data theft. The intrusion b...
Timeline
-
26.05.2026 22:46 1 articles · 1mo ago
ShinyHunters claims Charter Communications data theft via Salesforce access
Victim Impact UpdateShinyHunters claims it breached Charter Communications on April 1 by vishing an employee's Microsoft Entra account, then used that access to export millions of consumer and business customer records from the company's Salesforce instance; Charter says no sensitive personal information or CPNI was exfiltrated.
Show sources
- Charter confirms data breach after ShinyHunters extortion threat — www.bleepingcomputer.com — 26.05.2026 22:46
-
23.02.2026 20:04 2 articles · 4mo ago
ShinyHunters vishing campaign adds device code abuse
Campaign Scope UpdateShinyHunters-linked operators expanded a voice-phishing campaign that targeted single sign-on (SSO) accounts at Microsoft, Okta, and Google across more than 100 high-profile organizations, and they also shifted to device code vishing that abuses the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.
Show sources
- Ad tech firm Optimizely confirms data breach after vishing attack — www.bleepingcomputer.com — 23.02.2026 20:04
- ADT confirms data breach after ShinyHunters leak threat — www.bleepingcomputer.com — 25.04.2026 01:53
-
02.02.2026 15:46 3 articles · 5mo ago
ShinyHunters vishing campaign targeting SSO accounts
Initial DisclosureIn **late January 2026**, **ShinyHunters** began a **vishing** push aimed at **SSO accounts** tied to major identity platforms. The initial phase used voice phishing and account-access abuse to reach a broad set of organizations.
Show sources
- Panera Bread breach impacts 5.1 million accounts, not 14 million customers — www.bleepingcomputer.com — 02.02.2026 15:46
- Panera Bread breach impacts 5.1 million accounts, not 14 million customers — www.bleepingcomputer.com — 02.02.2026 15:46
- Data breach at fintech firm Figure affects nearly 1 million accounts — www.bleepingcomputer.com — 18.02.2026 16:01