Article Details

Scrape Timestamp (UTC): 2026-01-23 18:51:29.319

Source: https://www.theregister.com/2026/01/23/shinyhunters_claims_okta_customer_breaches/

Original Article Text

ShinyHunters claims Okta customer breaches, leaks data belonging to 3 orgs

'A lot more' victims to come, we're told

ShinyHunters has claimed responsibility for an Okta voice-phishing campaign during which the extortionist crew allegedly gained access to Crunchbase and Betterment.

On Friday, the criminals leaked data allegedly stolen from market-intel broker Crunchbase, streaming platform SoundCloud, and financial-tech firm Betterment, and confirmed to The Register that they gained access to two of the three - Crunchbase and Betterment - by voice-phishing Okta single-sign-on codes.

SoundCloud in December confirmed it had been breached and the crooks accessed data belonging to about 20 percent of its users, which translates to about 28 million people, based on the company's publicly available customer count.

When asked about ShinyHunters' claims, a SoundCloud spokesperson told us that the streaming platform is "aware that a threat actor group has published data online allegedly taken from our organization," and directed users to a January 13 blog update for more information.

"Please know that our security team - supported by leading third-party cybersecurity experts - is actively reviewing the claim and published data," the spokesperson said.

ShinyHunters wouldn't say how they accessed SoundCloud's data, but added that it wasn't through the streaming platform's Okta credentials. They also claimed to have broken into "a lot more" companies in the Okta campaign than the two they leaked on Friday, but declined to say how many more or name any of the alleged victims.

According to the group's Friday blog post, the Betterment and Crunchbase data dumps contain more than 20 million and 2 million records respectively, while the SoundCloud leak totals more than 30 million records, all with personally identifiable information (PII).

Neither Crunchbase nor Betterment immediately responded to The Register's inquiries. We will update this story if we hear back from either company.

Hudson Rock co-founder and CTO Alon Gal said on LinkedIn that he had downloaded the Crunchbase files and that they contained PII, signed contracts, and other corporate data.

On Thursday, Okta Threat Intelligence warned customers about criminals using voice-phishing kits and campaigns to target victim organizations' Google, Microsoft, and Okta accounts. A spokesperson for the identity services provider on Friday declined to share any additional information about the campaign or ShinyHunters' claims.

The Register also reached out to Google and Microsoft, asking if they or their customers' data had been stolen in similar social-engineering scams, and will update this story if we receive any responses.

Last year, this same crime crew stole data belonging to hundreds of Salesforce customers in a rash of similar attacks.

Daily Brief Summary

DATA BREACH // ShinyHunters' Voice-Phishing Breach Affects Okta Customers, Data Leaked

ShinyHunters claims responsibility for a voice-phishing campaign targeting Okta customers and has leaked data allegedly stolen from Crunchbase, Betterment, and SoundCloud, affecting millions of users.

The breach involved stealing Okta single-sign-on codes, allowing unauthorized access to Crunchbase and Betterment, leading to significant data exposure.

SoundCloud confirmed a breach affecting 20% of its user base, translating to approximately 28 million users; ShinyHunters says that access was not gained through SoundCloud's Okta credentials.

The leaked data includes personally identifiable information, signed contracts, and corporate data, posing significant privacy and security risks.

Okta has issued warnings about ongoing voice-phishing threats targeting Google, Microsoft, and Okta accounts, urging heightened vigilance.

The incident reflects a broader trend of social engineering attacks exploiting identity services, necessitating robust security measures and user awareness.

ShinyHunters hints at additional, undisclosed victims in the Okta campaign, raising concerns about the potential scale of the breach.

Organizations are advised to review security protocols and enhance defenses against sophisticated phishing schemes to mitigate similar threats.