ShinyHunters Targets Canva, Atlassian in Global Okta Credential Theft Campaign

Privacy Reporter

Cybercriminal group ShinyHunters has targeted approximately 100 organizations including Canva, Atlassian, and RingCentral in an ongoing credential-stealing operation exploiting Okta single sign-on systems, raising urgent data protection concerns under GDPR and CCPA regulations.


Security researchers at Silent Push have identified a widespread credential theft campaign by cybercriminal group ShinyHunters targeting Okta single sign-on (SSO) systems across approximately 100 organizations. The operation specifically focuses on technology enterprises including Canva, Atlassian, Epic Games, HubSpot, RingCentral, and ZoomInfo, though researchers emphasize this indicates targeting rather than confirmed breaches.

According to Silent Push's report, attackers use sophisticated voice-phishing techniques to trick employees into surrendering Okta SSO credentials. Mandiant's threat intelligence team confirms the campaign enables threat actors to enroll malicious devices into victims' multi-factor authentication (MFA) systems. Charles Carmakal, Mandiant Consulting CTO, stated: "After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data," adding that ShinyHunters has issued extortion demands to compromised organizations.

Regulatory Implications Under GDPR and CCPA

This campaign triggers significant data protection concerns under frameworks like the EU's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). If successful breaches occur:

  • Companies face potential fines of up to 4% of global revenue under GDPR for unauthorized access to personal data
  • CCPA violations could incur penalties of $2,500 per unintentional violation or $7,500 per intentional violation
  • Organizations must comply with mandatory breach notification requirements within 72 hours under GDPR

User and Organizational Impact

For consumers and employees:

  • Stolen credentials could expose personal information including contact details, financial data, and internal communications
  • Compromised accounts create identity theft and secondary fraud risks
  • Trust in affected platforms may erode due to security concerns

For targeted companies:

  • Potential reputational damage and customer attrition
  • Regulatory investigation costs and potential class-action lawsuits
  • Operational disruption during forensic investigations

Security Recommendations

Mandiant strongly advocates for these protective measures:

  1. Phishing-resistant MFA: Implement FIDO2 security keys or passkeys instead of SMS or push-based authentication
  2. Strict access controls: Enforce granular app authorization policies and device enrollment restrictions
  3. API monitoring: Continuously audit logs for anomalous API activity indicating unauthorized access
  4. Employee training: Conduct regular phishing simulations focusing on voice-based social engineering tactics
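Recommendation 3 (audit logs for activity indicating unauthorized access) and the reported tactic of enrolling attacker-controlled devices into victims' MFA are concrete enough to turn into a detection rule. The script below is an added example written for this article; it is not Okta's, Mandiant's or Silent Push's code. It scans Okta System Log style records (the field names eventType, actor.alternateId, client.ipAddress, client.geographicalContext.country and published are assumed from that format) and flags an MFA factor enrollment that happens within a short window of a sign-in from an IP address or country the user had never used during a baseline period. All users, addresses and timestamps are constructed sample data.

```python
"""Flag MFA factor enrollments that follow a sign-in from an unfamiliar location.

Added example for this article, not vendor code. Event shape is assumed to
follow Okta System Log JSON; the records below are constructed test data
(RFC 5737 documentation addresses, fictitious users).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SESSION_START = "user.session.start"          # interactive sign-in event type
FACTOR_ACTIVATE = "user.mfa.factor.activate"  # a new MFA factor/device was enrolled

# Sign-ins before this cutoff only build each user's "familiar" baseline and never
# produce findings (constructed value for the sample data below).
BASELINE_UNTIL = datetime(2025, 9, 5, tzinfo=timezone.utc)


def _event(event_type, published, user, ip, country):
    """Build one constructed log record in the assumed Okta System Log shape."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}}}


# Constructed sample log: alice normally signs in from 203.0.113.10 (US); on 10 Sep a
# sign-in from a never-seen Dutch address is followed 12 minutes later by a factor
# enrollment. bob enrolls a factor from his usual address, which is benign.
SAMPLE_EVENTS = [
    _event(SESSION_START, "2025-09-01T08:00:00Z", "alice@example.com", "203.0.113.10", "United States"),
    _event(SESSION_START, "2025-09-02T08:05:00Z", "alice@example.com", "203.0.113.10", "United States"),
    _event(SESSION_START, "2025-09-03T09:00:00Z", "bob@example.com", "203.0.113.20", "United States"),
    _event(SESSION_START, "2025-09-10T09:00:00Z", "alice@example.com", "198.51.100.7", "Netherlands"),
    _event(FACTOR_ACTIVATE, "2025-09-10T09:12:00Z", "alice@example.com", "198.51.100.7", "Netherlands"),
    _event(SESSION_START, "2025-09-10T10:00:00Z", "bob@example.com", "203.0.113.20", "United States"),
    _event(FACTOR_ACTIVATE, "2025-09-10T10:05:00Z", "bob@example.com", "203.0.113.20", "United States"),
]


def _parse_ts(published):
    """Okta publishes UTC timestamps with a trailing Z."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fields(ev):
    return (ev["actor"]["alternateId"], ev["client"]["ipAddress"],
            ev["client"]["geographicalContext"]["country"], _parse_ts(ev["published"]))


def find_suspicious_enrollments(events, baseline_until=BASELINE_UNTIL, window=timedelta(hours=1)):
    """Return findings for factor enrollments that occur within `window` of a sign-in
    from an IP or country the same user had not used before, from that same IP."""
    known_ips = defaultdict(set)
    known_countries = defaultdict(set)
    unfamiliar_session = {}   # user -> (timestamp, ip, country) of latest unfamiliar sign-in
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        user, ip, country, ts = _fields(ev)
        if ev["eventType"] == SESSION_START:
            is_new = ip not in known_ips[user] or country not in known_countries[user]
            known_ips[user].add(ip)
            known_countries[user].add(country)
            if is_new and ts >= baseline_until:
                unfamiliar_session[user] = (ts, ip, country)
        elif ev["eventType"] == FACTOR_ACTIVATE and ts >= baseline_until:
            prior = unfamiliar_session.get(user)
            if prior and prior[1] == ip and ts - prior[0] <= window:
                findings.append({"user": user, "ip": ip, "country": country,
                                 "session_started_at": prior[0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 "enrolled_at": ev["published"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS):
        print("REVIEW:", finding)
```

The rule deliberately keys on the combination of a new location and a factor enrollment shortly afterwards, because either signal alone (travel, a legitimately replaced phone) is noisy; in a real deployment the baseline would come from weeks of historical log exports rather than a hard-coded cutoff, and findings would feed an alert that asks the user or their manager to confirm the enrollment out of band.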

Okta issued an alert about the campaign last week but declined further comment. ShinyHunters previously claimed responsibility for breaches at Crunchbase and Betterment, leaking over 22 million combined records. As this remains an active threat, organizations using Okta SSO should immediately review their authentication safeguards and incident response plans.

For the complete list of targeted organizations, refer to Silent Push's research blog.
