The ShinyHunters extortion gang claims it is behind a wave of ongoing SSO account data theft attacks targeting Okta, Microsoft Entra, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion, according to Lawrence Abrams. In these attacks, the threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication codes on phishing sites that impersonate company login portals.
After a successful compromise, the attackers gain access to the victim’s SSO account, which can provide access to other connected enterprise applications and services. SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.
The report notes that the claim originates from ShinyHunters and emphasises the potential impact on enterprise security through the theft of credentials and MFA codes.