- What: ShinyHunters-branded extortion activity is expanding and escalating.
- Why: Hackers are using evolved vishing and login harvesting techniques.
- Impact: Compromised SSO credentials leading to unauthorized MFA enrollment.
- Affected: Organizations using SSO.
ShinyHunters-Branded Extortion Activity Expands, Escalates

Hackers rely on evolved vishing and login harvesting to compromise SSO credentials for unauthorized MFA enrollment.

By Ionut Arghire | February 2, 2026 (10:28 AM ET)

ShinyHunters-branded extortion attacks are expanding and escalating, relying on effective social engineering tactics to compromise cloud environments, Mandiant cautions.

The warning comes only days after reports that the ShinyHunters group has set up infrastructure to target more than 100 organizations across multiple sectors, including Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra.

A known extortion group, ShinyHunters was seen registering fake domains to target these companies, using specialized phishing kits for credential harvesting.

ShinyHunters-linked actors were seen using vishing to target single sign-on (SSO) authentication and compromise enterprises’ cloud-based software-as-a-service (SaaS) environments, and Mandiant’s alert reinforces the observation.

“These campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions,” the Google-owned cybersecurity firm notes.

Okta recently warned of such attacks, in which the hackers intercepted credentials and tricked their victims into helping them bypass MFA, deploying scripts that controlled the authentication flows in the victims’ browsers in real time.

Once an intrusion is detected, organizations should prioritize rapid containment to block the attackers’ access and prevent further data exfiltration, Mandiant says.
“Because these campaigns rely on valid credentials rather than malware, containment must prioritize the revocation of session tokens and the restriction of identity and access management operations,” the company notes.

Advice for organizations

Organizations are advised to identify and disable compromised accounts, revoke active session tokens and OAuth authorizations, disable or heavily restrict public self-service password reset portals, and temporarily disable MFA registration.

Additionally, they should restrict or temporarily disable VPNs, virtual desktop infrastructure (VDI) and similar remote access points, restrict access to identity provider and SaaS applications, and adopt manual, high-assurance verification protocols for account-related requests.

“When appropriate, organizations should also communicate with end-users, HR partners, and other business units to stay on high-alert during the initial containment phase. Always report suspicious activity to internal IT and Security for further investigation,” Mandiant notes.

A hardened verification process should include high-assurance paths such as live video calls, out-of-band approvals from users’ managers, and calls to users’ known good numbers. Helpdesk employees should not provide access or information during inbound calls and should independently contact the company’s designated account manager for explicit verification of access requests.

Organizations should also educate their users on identifying vishing and phishing attempts, on being cautious of requests to change their passwords, especially during off-business hours, and on not sharing passwords.

“Organizations should implement a layered series of controls to protect all types of identities. Access to cloud identity providers (IdPs), cloud consoles, SaaS applications, document and code repositories should be restricted since these platforms often become the control plane for privilege escalation, data access, and long-term persistence,” Mandiant notes.
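As an added example (not from the article, Mandiant or Okta), a small detection check for the pattern described above: a new MFA factor enrolled shortly after a sign-in from an address the user has never used, with off-hours enrollments marked separately. The event field names, the baseline of known addresses and the sample events are constructed assumptions, not any identity provider's real log schema.

```python
from datetime import datetime, timedelta

# Constructed baseline of addresses each user has signed in from before
# (an assumption standing in for a real IdP's sign-in history).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

# Constructed IdP-style events; field names are assumptions, not a vendor
# schema. "mfa_enroll" means a new MFA factor/device was registered.
EVENTS = [
    {"ts": "2026-02-02T09:10:00", "user": "alice", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2026-02-02T21:40:00", "user": "alice", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2026-02-02T21:44:00", "user": "alice", "type": "mfa_enroll", "ip": "198.51.100.7"},
    {"ts": "2026-02-02T10:00:00", "user": "bob", "type": "login", "ip": "203.0.113.20"},
    {"ts": "2026-02-02T10:05:00", "user": "bob", "type": "mfa_enroll", "ip": "203.0.113.20"},
    {"ts": "2026-02-02T12:00:00", "user": "carol", "type": "login", "ip": "192.0.2.9"},
    {"ts": "2026-02-02T15:30:00", "user": "carol", "type": "mfa_enroll", "ip": "192.0.2.9"},
]

def find_suspicious_enrollments(known_ips, events, window=timedelta(minutes=30)):
    """Return (user, ip, enroll_ts, off_hours) for every MFA enrollment that
    follows, within `window`, a sign-in from an IP the user had never used.
    `off_hours` marks enrollments outside 08:00-18:00 local time, which the
    article's guidance singles out as extra suspicious."""
    seen = {u: set(ips) for u, ips in known_ips.items()}
    novel_logins = {}   # user -> list of (login_time, ip) from unseen IPs
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort as text
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "login":
            if e["ip"] not in seen.setdefault(user, set()):
                novel_logins.setdefault(user, []).append((t, e["ip"]))
                seen[user].add(e["ip"])   # only the first use of an IP is novel
        elif e["type"] == "mfa_enroll":
            for login_t, ip in novel_logins.get(user, []):
                if timedelta(0) <= t - login_t <= window:
                    hits.append((user, ip, e["ts"], not 8 <= t.hour < 18))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_enrollments(KNOWN_IPS, EVENTS):
        print("suspicious MFA enrollment:", hit)
```

With the sample data only alice is flagged: bob enrolls from a known address, and carol's enrollment falls outside the 30-minute window.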