In the wake of a sophisticated cyberattack campaign that compromised major players like Crunchbase, SoundCloud, and Betterment, we sat down with our in-house security specialist, Rupert Marais. With deep expertise in endpoint security and cyber strategy, Rupert helps us understand the intricate web of these recent breaches. We’ll explore how notorious groups like ShinyHunters are evolving their tactics from simple ransom demands to complex social engineering, the difficult choices victim companies face, and the cascading impact these attacks have on customers long after the initial breach is “contained.”
Crunchbase stated its incident was contained with systems secure, yet confirmed the exfiltration of sensitive corporate contracts and PII. How does a company validate such a “contained” status, and what immediate steps should it take to regain trust after such a breach?
That’s a critical distinction that often gets lost in translation. When a company says an incident is “contained,” it means they’ve stopped the bleeding—they’ve kicked the intruders out of their network and are confident no further damage is being done. It absolutely does not mean that nothing was stolen. The validation process involves an intense forensic investigation, where experts comb through logs and systems to ensure the threat actor’s access has been completely revoked. To rebuild trust, transparency is paramount. Crunchbase did the right things by immediately engaging cybersecurity experts to assist, contacting federal law enforcement, and beginning the arduous process of reviewing the impacted information to determine who needs to be notified. It’s about owning the situation, communicating clearly, and demonstrating a robust, structured response.
The group ShinyHunters leaked over 400 MB of data after its ransom was refused. What does this “leak-over-ransom” tactic signal about their motivations compared to traditional ransomware groups? Could you walk us through the typical decision-making process for a company facing this dilemma?
This “leak-over-ransom” strategy is a brutal form of public coercion. Unlike traditional ransomware that encrypts data and holds it hostage, this is about reputational damage and creating maximum chaos. ShinyHunters’ motivation here is twofold: they still want the payout, but if they don’t get it, they aim to make an example of the victim to pressure future targets into paying. For a company like Crunchbase, the decision is agonizing. You’re weighing the certainty of a massive data leak against the uncertainty of paying criminals—will they actually delete the data? Is it even legal to pay? You have to assess the sensitivity of the stolen information, like the PII and corporate data found in the 400 MB of compressed files, and calculate the long-term damage versus the immediate cost of the ransom. It’s a high-stakes gamble with no good outcomes.
The attacks on firms like Crunchbase and Betterment were reportedly initiated through an Okta SSO vishing campaign. Can you explain the mechanics of a sophisticated vishing attack using custom phishing kits? What makes these voice-based social engineering tactics so effective against even tech-savvy employees?
These vishing campaigns are terrifyingly effective because they bypass technical defenses and prey on human psychology. The attackers use custom phishing kits that allow them to create highly convincing fake login pages for services like Okta, Microsoft, or Google. But the real trick is the voice component. An employee gets a call from someone who sounds incredibly professional, perhaps posing as IT support, who then walks them through the “login process” on the fake page. This live interaction creates a sense of urgency and legitimacy that a simple email can’t. Even a savvy employee can be caught off guard, because the social pressure and the seemingly helpful voice on the other end of the line can override their technical training. It’s a direct, targeted manipulation, which is how they reportedly breached the defenses of companies like Crunchbase and Betterment.
After a breach, Betterment reported hackers sending crypto scams, while SoundCloud noted harassment of users and employees. How should a company’s incident response plan account for these secondary attacks that leverage stolen data? What specific communication strategies are most effective in warning customers about these threats?
A modern incident response plan must extend far beyond the initial breach. You have to anticipate how the stolen data will be weaponized. The response can’t just be “we’ve secured our systems.” It has to include a proactive communication strategy to protect your community. As we saw with Betterment, attackers immediately used stolen information to launch crypto scams. With SoundCloud, it escalated to direct harassment of users and employees. The most effective communication is direct, specific, and frequent. You need to tell customers precisely what data was compromised—like the email addresses from 20% of SoundCloud’s users—and provide clear, actionable examples of the scams or threats they should watch out for. Vague warnings are useless; you must arm your users with the knowledge to protect themselves from these inevitable follow-on attacks.
What is your forecast for the evolution of social engineering attacks, particularly vishing campaigns targeting identity and access management providers, in the coming year?
I believe we are on the cusp of an explosion in AI-driven social engineering. The vishing campaigns that hit Okta customers were sophisticated, but they still required a human attacker on the phone. In the very near future, we will see these attacks automated with AI-powered voice clones that are indistinguishable from real people, capable of carrying on convincing, context-aware conversations. These AI vishers will be able to target thousands of employees simultaneously, dramatically increasing the scale and success rate of these attacks. Identity providers like Okta will become even bigger targets because compromising them gives attackers the keys to the entire kingdom. The fight will shift from just securing systems to securing the human element against increasingly deceptive and personalized digital manipulations.
