The alleged exposure of millions of user records heightens privacy risks and underscores the growing threat of coordinated extortion‑leak operations across the tech sector.
The resurgence of ShinyHunters illustrates how cyber‑crime groups turn failed extortion attempts into data leaks used as leverage. By publishing partial dumps of high‑profile platforms such as SoundCloud, Crunchbase and Betterment on a dedicated .onion portal, the actors aim to pressure victims into payment while simultaneously profiting from the sale of credentials on underground markets. This tactic builds on the December 2025 SoundCloud breach, in which roughly 20 percent of SoundCloud's 175‑million user base was compromised, suggesting the group may have harvested data from that incident or similar sources.
Security analysts are closely watching the alleged link between ShinyHunters and an Okta single‑sign‑on (SSO) vishing campaign. Okta’s advisory warns that attackers are phishing users for authentication tokens, a method that can give them unfettered access to corporate environments. If the same threat actor controls both the data dumps and the vishing operation, it signals a more sophisticated supply‑chain threat in which credential theft and data exposure are coordinated to maximize impact on enterprises relying on cloud identity services.
For organizations, the key takeaway is proactive threat hunting across dark‑web forums and rapid verification of any claimed data exposure. Companies should enforce multi‑factor authentication, monitor for anomalous login attempts, and engage incident‑response teams immediately upon suspicion of a breach. Regularly updating security awareness training to include vishing scenarios can also reduce the success rate of social‑engineering attacks tied to identity platforms like Okta.