
ShinyHunters' Vishing Spree Shows Social Engineering Still Beats Tech Defenses

via Troy Hunt

Original source: Weekly Update 502, Troy Hunt

Troy Hunt’s latest weekly update zeroes in on ShinyHunters, a loose crew of young threat actors punching well above their weight against major brands. Their access pattern isn’t built on novel exploits or zero-days — it’s voice phishing and convincingly branded credential harvesting pages aimed at extracting SSO logins and MFA codes from employees. Mandiant’s recent write-up corroborates the pattern: vishing plus look-alike auth portals is the primary initial access vector.

The takeaway is uncomfortable for defenders who’ve poured budget into MFA and SSO consolidation. Federated identity concentrates access behind one credential set, so a single successful call against one employee unlocks every application behind the identity provider, and a convincing phone call still routinely defeats the human layer guarding it. Number matching blunts push-bombing, but it does nothing against a caller who simply reads the number to the victim, and a TOTP or SMS code relayed to a look-alike portal is accepted just as readily as one typed on the real one. Only phishing-resistant factors such as FIDO2/WebAuthn break this flow, because the browser binds the assertion to the origin the user is actually on, so a credential exercised on the look-alike domain verifies nowhere. Those factors exist precisely for this scenario, but adoption inside large enterprises remains patchy.
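To make the asymmetry concrete, here is an added example (not code from Troy Hunt, Mandiant, or any vendor) that plays both factors through the same vishing relay on the relying-party side. The origins, RP ID, TOTP seed and challenge are constructed; the TOTP is RFC 6238 with the standard test vector, and the WebAuthn side implements the spec’s clientDataJSON type/challenge/origin checks and the rpIdHash check, with the public-key signature verification left out so the block runs on the standard library alone. The point it demonstrates is that the relying party cannot tell a relayed TOTP code from a legitimate one, while an assertion produced on a look-alike page carries the wrong origin and is rejected before any signature is examined.

```python
"""
Vishing relay vs. two factor types, seen from the relying party (RP).

Constructed example. Origins, RP ID, secrets and challenge are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # hypothetical genuine SSO portal
RP_ID = "example.com"                      # hypothetical relying-party ID
PHISH_ORIGIN = "https://sso-example.com"   # hypothetical look-alike page
PHISH_RP_ID = "sso-example.com"            # the only RP ID a browser on PHISH_ORIGIN allows


# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step) ------------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_accepts_totp(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # Nothing in the code says where the victim read it or who typed it.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


# --- WebAuthn assertion: clientDataJSON + authenticatorData checks ------------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the user, stamps the origin it is actually on.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash || flags (UP set) || signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)


def rp_accepts_assertion(client_data: bytes, auth_data: bytes, challenge: bytes,
                         expected_origin: str, rp_id: str) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):       # replay / cross-session
        return False
    if cd.get("origin") != expected_origin:            # origin binding: phish dies here
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    # A real RP now verifies the signature over auth_data || sha256(client_data)
    # with the credential's public key; omitted here to stay stdlib-only.
    return True


def simulate_vishing(now: int = 1_700_000_000) -> dict:
    """Run the same 'help desk' call against a TOTP user and a FIDO2 user."""
    seed = b"constructed-totp-seed"
    # Caller asks the victim to read out the 6-digit code and types it in.
    relayed_code = totp(seed, now)
    totp_ok = rp_accepts_totp(seed, relayed_code, now)

    challenge = hashlib.sha256(b"constructed-rp-challenge").digest()
    # Caller walks the victim to the look-alike page and asks for a security-key tap.
    phished_cd = browser_client_data(PHISH_ORIGIN, challenge)
    phish_ok = rp_accepts_assertion(phished_cd, authenticator_data(PHISH_RP_ID),
                                    challenge, LEGIT_ORIGIN, RP_ID)
    # Same user, same key, on the genuine portal.
    legit_cd = browser_client_data(LEGIT_ORIGIN, challenge)
    legit_ok = rp_accepts_assertion(legit_cd, authenticator_data(RP_ID),
                                    challenge, LEGIT_ORIGIN, RP_ID)
    return {"totp_relay_accepted": totp_ok,
            "webauthn_phish_accepted": phish_ok,
            "webauthn_legit_accepted": legit_ok}


if __name__ == "__main__":
    print(simulate_vishing())
```

Two design notes. First, in a real phish the browser would not even let the look-alike page request a credential for `example.com`, because the RP ID must be a registrable suffix of the page’s own domain; the example models that by giving the phished assertion an `rpIdHash` for `sso-example.com`, so it would fail the hash check even if the origin check were skipped. Second, the TOTP branch is the whole problem in miniature: the relying party does exactly what it is supposed to and still lets the caller in, which is why the fix has to be a different factor rather than a better help-desk script.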

Hunt notes the obvious trajectory — operations of this profile typically end with arrests — but for now the group continues to land breaches at a pace that suggests target organizations haven’t closed the vishing gap. Until phishing-resistant MFA becomes the default rather than the exception, the asymmetry favors the callers.


This is an AI-generated summary. Read the original for the full story.