ShinyHunters claims Okta customer breaches, leaks data belonging to 3 orgs
(2026/01/23)
- Reference: 1769193997
- News link: https://www.theregister.co.uk/2026/01/23/shinyhunters_claims_okta_customer_breaches/
ShinyHunters has claimed responsibility for an Okta voice-phishing campaign during which the extortionist crew allegedly gained access to Crunchbase and Betterment.
On Friday, the criminals leaked data allegedly stolen from market-intel broker Crunchbase, streaming platform SoundCloud, and financial-tech firm Betterment, and confirmed to The Register that they gained access to two of the three - Crunchbase and Betterment - by voice-phishing Okta single-sign-on codes.
SoundCloud in December [1]confirmed it had been breached and the crooks accessed data belonging to about 20 percent of its users, which translates to about 28 million people, based on the company's publicly available customer count.
When asked about ShinyHunters' claims, a SoundCloud spokesperson told us that the streaming platform is "aware that a threat actor group has published data online allegedly taken from our organization," and directed users to a January 13 blog [3]update for more information. "Please know that our security team - supported by leading third-party cybersecurity experts - is actively reviewing the claim and published data," the spokesperson said.
ShinyHunters wouldn't say how they accessed SoundCloud's data, but added that it wasn't through the streaming platform's Okta credentials. They also claimed to have broken into "a lot more" companies in the Okta campaign than the two they leaked on Friday, but declined to say how many more or name any of the alleged victims.
According to the group's Friday blog post, the Betterment and Crunchbase data dumps contain more than 20 million and 2 million records respectively, while the SoundCloud leak totals more than 30 million records, all with personally identifiable information (PII).
Neither Crunchbase nor Betterment immediately responded to The Register's inquiries. We will update this story if we hear back from either company.
Hudson Rock co-founder and CTO Alon Gal [7]said on LinkedIn that he had downloaded the Crunchbase files and that they contained PII, signed contracts, and other corporate data.
[8]Crims hit the easy button for Scattered-Spider style helpdesk scams
[9]ShinyHunters 'does not like Salesforce at all,' claims the crew accessed Gainsight 3 months ago
[10]Salesforce-linked data breach claims 200+ victims, has ShinyHunters' fingerprints all over it
[11]Fake IT support calls hit 20 orgs, end in stolen Salesforce data and extortion, Google warns
On Thursday, Okta Threat Intelligence [12]warned customers about criminals using voice-phishing kits and campaigns to target victim organizations' Google, Microsoft, and Okta accounts. A spokesperson for the identity services provider on Friday declined to share any additional information about the campaign or ShinyHunters' claims.
"At this time, we have no indication that Google itself or its products are affected by this campaign," a Google spokesperson told The Register.
The Register also reached out to Microsoft, asking if they or their customers' data had been stolen in similar social-engineering scams, and will update this story if we receive any responses.
Last year, this [14]same crime crew stole data belonging to [15]hundreds of Salesforce customers in a rash of [16]similar attacks. ®
[1] https://www.theregister.com/2025/12/16/trio_of_breaches/
[3] https://community.soundcloud.com/playbook-articles/protecting-our-users-and-our-service
[7] https://www.linkedin.com/feed/update/urn:li:activity:7420398716076908544/
[8] https://www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
[9] https://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
[10] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[11] https://www.theregister.com/2025/06/04/fake_it_support_calls_hit/
[12] https://www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
[14] https://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
[15] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[16] https://www.theregister.com/2025/06/04/fake_it_support_calls_hit/
Re: Insanity. Talk about all your eggs in one basket.
Anonymous Coward
Apparently you don't understand what Okta is.
Insanity. Talk about all your eggs in one basket.
I think I see this group ShinyHunters on The Reg every week or other week. These guys don't stop, crazy. It hasn't even been a full month of the new year.
The entire industry really needs to start implementing zero trust in IdP and SSO frameworks. Otherwise groups like this will be attacking us aggressively.