Did ShinyHunters breach Okta customers via voice phishing, and what should security teams do next?
ShinyHunters, a cybercriminal group, claims it obtained data tied to three organizations that use Okta for identity and access management: Betterment, Crunchbase, and SoundCloud. The key point is the claimed access path: ShinyHunters alleges that for two of the organizations it ran an Okta-focused voice phishing campaign, while the access method for the third remains unclear in the reporting cited.
Okta is an identity provider that many companies use to manage sign-in, single sign-on (SSO), and multi-factor authentication (MFA). When an attacker bypasses or manipulates that sign-in flow, the result can look like a “customer breach,” even if the identity provider itself is not the system where the data lives. In most real incidents, the data is pulled from the customer’s environment after the attacker gains valid login capability.
Who the named parties are (why they matter)
ShinyHunters is widely described in public reporting as a financially motivated threat group that targets organizations to steal data and pressure victims. Their common playbook, as reported historically, involves social engineering and credential-driven access rather than noisy, purely technical exploitation.
Okta provides identity services that sit at the front door of many SaaS apps and internal tools. If an attacker convinces a user to share a one-time code, approve a prompt, or reset an authenticator, the attacker may obtain a session that behaves like a legitimate login.
Crunchbase provides private-market and company intelligence products used by businesses and investors. Betterment provides financial services and investment-related products, which increases sensitivity because exposed personal data can raise fraud risk. SoundCloud is a large audio platform where user account data can be valuable for spam, credential stuffing, and secondary account takeover attempts elsewhere.
What is being claimed (and what is known)
Reporting cited by The Register states that ShinyHunters claimed access to data associated with all three organizations. It also states that ShinyHunters told The Register they accessed two of them—Crunchbase and Betterment—through voice phishing that involved Okta single sign-on codes. Voice phishing typically means the attacker calls or messages a target while impersonating IT support, then persuades the target to share a code or take an action that grants access.
For SoundCloud, the same reporting notes that the intrusion path was not disclosed by either the victim or the attacker. Separately, SoundCloud had previously acknowledged a security incident in December 2025. Public reporting connected that incident to unauthorized access impacting a significant portion of users; the cited article references figures in the tens of millions. Treat those figures as “reported” unless SoundCloud or regulators publish confirmed totals in formal notices.
The reporting also cites a ShinyHunters post that described the alleged size of the data involved: more than 20 million records for Betterment, more than 2 million for Crunchbase, and more than 30 million for SoundCloud. Record counts can be inflated, duplicated, or mischaracterized, so the practical risk depends on what fields exist in the dump and whether the sample aligns with known customer datasets.
Alon Gal (Hudson Rock) stated publicly that he downloaded files attributed to Crunchbase and that they contained personally identifiable information and internal business materials such as signed contracts. That type of third-party verification can add credibility, but it still does not replace confirmation from the impacted organization, incident-response firms, or regulatory filings.
Why Okta-focused voice phishing is credible as a tactic
Okta deployments concentrate access. A single successful social engineering event can yield broad reach because SSO can open many downstream applications without fresh logins. Voice phishing also bypasses many “good password” controls because it targets the human step: the moment a user reads out a code, approves a push, or follows a fake support workflow.
This is not the same as “Okta was hacked.” In many incidents, the identity provider performs as designed, while the attacker abuses authentication factors or recovery processes. The practical lesson is that identity is now a primary attack surface, and help-desk or “support” workflows often become the weakest link.
What organizations should do next (actionable, not speculative)
If your organization uses Okta or any SSO provider, treat this as a prompt to tighten identity controls and to assume attackers will pressure staff directly.
- Enforce phishing-resistant MFA (for example, FIDO2/WebAuthn hardware keys) for admins and high-risk users
- Lock down help-desk processes: require strong caller verification, add call-back procedures, and log all factor resets
- Reduce OTP and SMS reliance where possible; attackers routinely trick users into sharing one-time codes
- Monitor for “impossible travel,” new device enrollment, new factor registration, and anomalous session creation
- Segment access: limit what SSO sessions can reach, and require step-up auth for sensitive exports and admin actions
- Prepare breach communications: if PII is involved, coordinate legal, privacy, and regulatory response early, since financial and personal data raise the stakes for affected users
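The monitoring item above (new factor registration followed by anomalous session creation, and "impossible travel") can be expressed as concrete detection logic. The following is an added example, not code from The Register, Okta, or any of the named organizations: it runs two rules over constructed events shaped loosely after Okta's System Log. The event type names `user.mfa.factor.reset_all`, `user.mfa.factor.activate` and `user.session.start` are Okta's documented types; the simplified record fields, the 30-minute window and the 900 km/h threshold are assumptions to tune for your own environment.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Event type names follow Okta's documented System Log types; the record
# shape here is simplified and the sample data below is constructed.
FACTOR_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}
SESSION_EVENT = "user.session.start"
WINDOW = timedelta(minutes=30)   # reset-to-new-login window for rule 1
MAX_KMH = 900                    # above airliner speed: implausible travel

def km(a, b):
    """Haversine great-circle distance in km between (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (rule, user, detail) alerts. Rule 1: a session from an IP never
    seen for the user within WINDOW of a factor reset/enrolment (help-desk
    abuse pattern). Rule 2: impossible travel between consecutive sessions."""
    alerts, last_reset, seen_ips, last_session = [], {}, {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order input
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["type"] in FACTOR_EVENTS:
            last_reset[user] = ts
        if e["type"] != SESSION_EVENT:
            continue
        new_ip = e["ip"] not in seen_ips.setdefault(user, set())
        if new_ip and user in last_reset and ts - last_reset[user] <= WINDOW:
            alerts.append(("factor_reset_then_new_ip", user, e["ip"]))
        seen_ips[user].add(e["ip"])
        if user in last_session:
            pts, pgeo = last_session[user]
            hours = (ts - pts).total_seconds() / 3600
            dist = km(pgeo, e["geo"])
            if hours > 0 and dist / hours > MAX_KMH:
                alerts.append(("impossible_travel", user, round(dist)))
        last_session[user] = (ts, e["geo"])
    return alerts

# Constructed sample: alice's factors are reset, then a login from a new IP in
# Berlin 12 minutes later; bob logs in once from London (benign).
SAMPLE = [
    {"ts": "2026-01-10T09:00:00", "user": "alice", "type": SESSION_EVENT, "ip": "203.0.113.5", "geo": (40.71, -74.01)},
    {"ts": "2026-01-10T09:30:00", "user": "alice", "type": "user.mfa.factor.reset_all", "ip": "203.0.113.5", "geo": (40.71, -74.01)},
    {"ts": "2026-01-10T09:42:00", "user": "alice", "type": SESSION_EVENT, "ip": "198.51.100.9", "geo": (52.52, 13.40)},
    {"ts": "2026-01-10T10:00:00", "user": "bob", "type": SESSION_EVENT, "ip": "192.0.2.7", "geo": (51.51, -0.13)},
]
```

Calling `detect(SAMPLE)` yields two alerts for alice (the post-reset login from a never-seen IP, and the New York to Berlin hop in 42 minutes) and none for bob; in production, feed it the real System Log export and baseline `seen_ips` from history rather than from the same batch.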
What readers should do if they have accounts (practical user steps)
People who have accounts with any impacted service should assume their contact details may be used for phishing, even if passwords were not exposed.
- Change passwords where reused, and enable MFA where available
- Watch for messages that impersonate “support” and ask for codes or approvals
- Use a password manager to prevent reuse and to reduce credential stuffing risk