**ShinyHunters Flip the Script: Bypassing MFA in New Data Theft Attacks**

In a shocking turn of events, threat actors operating under the ShinyHunters banner have been using multi-factor authentication (MFA) as a pretext in ongoing social engineering attacks aimed at bypassing it. This new tactic has left many organizations scrambling to protect themselves against these sophisticated phishing operations.

Among the high-profile targets of these attacks are Panera Bread, SoundCloud, Match Group (owner of online dating services Tinder, Hinge, Match, and OkCupid), and Crunchbase. But this is not an isolated incident – Silent Push researchers have detected active targeting or infrastructure preparation directed at domains of a wide variety of organizations across multiple sectors, including tech and fintech, financial services, real estate, energy, healthcare, logistics, retail, and many others.

The recent attacks are believed to be linked to the ShinyHunters cyber extortion group, which has been using custom-made phishing kits that allow them to synchronize the authentication flow on phishing pages with requests made over the phone. This approach is designed to bypass even the most advanced MFA systems, leaving organizations vulnerable to data theft.

"It's worth noting that these hybrid phishing operations are also capable of bypassing push notifications that use number challenge/number matching as an additional method of verification," noted Okta researchers. "A social engineer interacting on the phone with a targeted user can simply request a user to choose or enter a specific number."

The tactics employed by ShinyHunters are eerily similar to those used by UNC6661 and UNC6671, two seemingly independent groups that have been using the same approach. In incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings.

The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA. In at least some cases, the threat actor gained access to accounts belonging to Okta customers, moving laterally through victim customer environments to access various SaaS platforms and exfiltrate specific data from them.

The attackers searched for documents containing personally identifiable information, as well as words such as "poc," "confidential," "internal," "proposal," "salesforce," and "vpn." In one incident where these attackers gained access to an Okta customer account, the group tried to minimize the possibility of detection by deleting a "Security method enrolled" email from Okta, and by deleting phishing emails sent from compromised email accounts to contacts working at cryptocurrency-focused companies.
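The two intrusion steps described above, an attacker-registered MFA device and the deletion of the "Security method enrolled" notification email, point at a defensive check: the factor enrollment is recorded in the identity provider's audit log, which the attacker cannot delete from the user's mailbox. The following is an added illustrative example, not code from the article or from Mandiant or Okta. It scans constructed event records shaped like simplified Okta System Log entries (the eventType values user.session.start and user.mfa.factor.activate are real Okta event types; the flat field layout and all IPs and users are constructed) and flags a new factor enrolled shortly after a sign-in from an address the user has never used before.

```python
"""Flag MFA factor enrollments that follow a sign-in from an IP address not in
the user's baseline. Example detection logic; events are constructed to
resemble simplified Okta System Log records (eventType values are real Okta
event types, the field layout is an assumption)."""
from datetime import datetime, timedelta

# Constructed per-user baseline of source IPs seen in prior, trusted sign-ins.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"192.0.2.44"},
    "carol@example.com": {"192.0.2.45"},
}

# Constructed sample events (not real log data), ISO-8601 UTC timestamps.
SAMPLE_EVENTS = [
    # alice: sign-in and enrollment from her usual address -> benign
    {"published": "2026-01-12T09:01:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "client_ip": "203.0.113.10"},
    {"published": "2026-01-12T09:20:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "client_ip": "203.0.113.10"},
    # bob: sign-in from an address never seen before, new factor 3 minutes later
    {"published": "2026-01-14T14:02:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "client_ip": "198.51.100.7"},
    {"published": "2026-01-14T14:05:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "client_ip": "198.51.100.7"},
    # carol: sign-in from a new address, but the enrollment comes two days later
    {"published": "2026-01-15T08:00:00Z", "eventType": "user.session.start",
     "actor": "carol@example.com", "client_ip": "198.51.100.9"},
    {"published": "2026-01-17T08:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "carol@example.com", "client_ip": "198.51.100.9"},
]


def _ts(s):
    """Parse the constructed timestamp format into a datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(hours=1)):
    """Return one finding per MFA factor activation that occurs within `window`
    of a sign-in by the same user from an IP absent from that user's baseline."""
    ordered = sorted(events, key=lambda e: _ts(e["published"]))
    # actor -> (time, ip) of the most recent sign-in from an unknown address
    recent_unknown_signins = {}
    findings = []
    for ev in ordered:
        actor, ip, when = ev["actor"], ev["client_ip"], _ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(actor, set()):
                recent_unknown_signins[actor] = (when, ip)
        elif ev["eventType"] == "user.mfa.factor.activate":
            prior = recent_unknown_signins.get(actor)
            if prior and when - prior[0] <= window:
                findings.append({"actor": actor, "enrolled_at": ev["published"],
                                 "signin_ip": prior[1], "enroll_ip": ip})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: new MFA factor for {f['actor']} at {f['enrolled_at']} "
              f"after sign-in from unseen IP {f['signin_ip']}")
```

With the default one-hour window only bob's enrollment is flagged; carol's enrollment from the same unfamiliar address two days later is missed, so in practice the window should be tuned, or an enrollment whose own source address is outside the baseline should be alerted on directly. Either way the signal comes from the identity provider's audit log, which survives the deletion of the notification email.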

Meanwhile, UNC6671 threat actors impersonated IT staff over the phone and directed victims to enter their credentials and MFA authentication codes into phishing sites that were made to look like they belonged to their employer. Once they gained access to Okta customer accounts, the group leveraged PowerShell to download sensitive data from SharePoint and OneDrive.

Based on details such as phishing domain hosting, Tox Chat accounts used for negotiation, and other indicators, Mandiant researchers believe these are two separate groups or individuals. However, based on overlapping tactics, techniques, and procedures used, UNC6661 can be tied to UNC6040, i.e., the ShinyHunters cyber extortion group.

"GTIG also observed extortion text messages sent to employees and received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks," the researchers shared. "We have shared indicators of compromise related to the attacks as well as threat hunting queries."

Mandiant has published thorough guidance for organizations on how to avoid becoming a victim in these attacks, how to detect intrusions, and how to minimize the scope of the compromise if they do become a victim.