
The Okta Supply Chain Under Siege: How ShinyHunters Weaponized SSO Against Harvard, UPenn, and Figure Technology

The ShinyHunters hacking group has emerged as one of the most prolific threat actors of early 2026, exploiting a devastating weakness that no firewall can patch: human trust. On February 13, 2026, the full scope of their campaign against Okta single sign-on customers came into focus, with victims spanning from Ivy League universities to blockchain-based fintech firms.

The Exploit Mechanics

The campaign operated through a systematic exploitation of Okta’s single sign-on infrastructure. ShinyHunters targeted employees at organizations relying on Okta for authentication, using carefully crafted social engineering lures to harvest credentials. The attack vector was deceptively simple: an employee receives what appears to be a legitimate authentication request, clicks through, and unknowingly surrenders their session token to the threat actor.

Figure Technology, a blockchain-based lending company, confirmed the breach originated when an employee was tricked into providing access to their credentials. The hackers downloaded a limited number of files containing customers’ full names, home addresses, dates of birth, and phone numbers. ShinyHunters published 2.5 gigabytes of allegedly stolen data after Figure refused to pay a ransom.

Harvard University and the University of Pennsylvania were also confirmed victims of the same campaign, with personal information of students and staff published on ShinyHunters’ dark web leak site. The common thread: all organizations relied on Okta as their identity provider.

Affected Systems

The breach exposed a fundamental vulnerability in centralized identity management. When a single SSO provider becomes the gateway to dozens of applications, compromising one set of credentials can cascade across an entire organizational infrastructure. Figure Technology’s case is particularly noteworthy because the company operates at the intersection of blockchain and traditional finance, where security expectations are especially high.

With Bitcoin trading at approximately $68,857 and Ethereum at $2,048 on the day of disclosure, the broader crypto market remained under pressure from a separate $3 billion options expiry event on Deribit. The timing amplified concerns about systemic risk in digital asset infrastructure.

The Mitigation Strategy

Organizations relying on SSO providers must implement defense-in-depth beyond the identity layer. Hardware security keys using FIDO2 protocols provide phishing-resistant authentication that renders credential harvesting attacks ineffective. Multi-factor authentication through authenticator apps, while better than SMS-based 2FA, still falls short against sophisticated session token theft.
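To make the phishing-resistance claim concrete, the following added example (not from the article or any vendor's code) shows the origin and RP ID binding checks a WebAuthn relying party runs on a FIDO2 assertion. The function names, `sso.example.com` and the lookalike domain are hypothetical, and the signature check that covers these fields is a separate step not shown.

```python
import base64
import hashlib
import json

UP_FLAG = 0x01  # user-present bit in the authenticatorData flags byte


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json, auth_data, challenge, origin, rp_id):
    """Return a list of failed checks; an empty list means the binding holds."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")
    # The browser, not the page, writes the origin the user is actually on.
    if client.get("origin") != origin:
        failures.append("origin")
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) ...
    if len(auth_data) < 37:
        return failures + ["authenticator_data_length"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not auth_data[32] & UP_FLAG:
        failures.append("user_present")
    return failures


def sample_assertion(origin, rp_id, challenge):
    """Build constructed sample data shaped like a browser/authenticator reply."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([UP_FLAG]) + bytes(4)
    return client, auth


CHALLENGE = bytes(range(32))  # constructed; a real server uses random bytes
RP_ID, ORIGIN = "sso.example.com", "https://sso.example.com"  # hypothetical
LOOKALIKE = "sso-example.login.invalid"  # hypothetical phishing host

if __name__ == "__main__":
    for origin, rp in ((ORIGIN, RP_ID), ("https://" + LOOKALIKE, LOOKALIKE)):
        sample = sample_assertion(origin, rp, CHALLENGE)
        print(origin, check_binding(*sample, CHALLENGE, ORIGIN, RP_ID))
```

An assertion produced on the lookalike page fails both the origin and RP ID hash checks even though the challenge was relayed correctly, which is why a harvested login does not transfer to the real site.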

For crypto-specific businesses, the stakes are even higher. Figure’s breach involved personally identifiable information rather than direct fund theft, but the reputational damage in an industry built on trust is incalculable. Companies should segment access so that an SSO compromise cannot reach sensitive financial systems or customer asset custody infrastructure.

Lessons Learned

The ShinyHunters campaign reinforces several critical security principles. First, social engineering remains the most reliable attack vector, bypassing even sophisticated technical defenses. Second, supply chain trust is a double-edged sword: consolidating authentication through a single provider creates efficiency but also a single point of failure. Third, ransom refusal, while admirable, means organizations must have robust incident response and data breach notification procedures ready to deploy immediately.

User Action Required

If you hold accounts with Figure Technology or any organization affected by the Okta campaign, take immediate action. Enable hardware key-based two-factor authentication wherever available. Monitor your credit reports for unusual activity, given that names, addresses, and dates of birth were compromised. Consider placing a credit freeze with major bureaus if you were potentially affected. Finally, assume that any password used across multiple services has been compromised and rotate credentials immediately.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for your specific situation.


7 thoughts on “The Okta Supply Chain Under Siege: How ShinyHunters Weaponized SSO Against Harvard, UPenn, and Figure Technology”

  1. shinyhunters hitting okta customers through sso is honestly terrifying. if harvard and upenn can't stop this, what chance does a 10-person defi team have

    1. that's exactly the problem. figure tech lost names, addresses, dob of their customers because one employee clicked a link. no amount of smart contract auditing fixes human error

    2. 10 person defi teams at least can rotate keys fast. harvard has how many thousands of Okta accounts that never get rotated

      1. 10-person defi teams use multisig with hardware wallets. harvard probably has thousands of accounts with password123 and no 2FA

  2. 2.5 million records exfiltrated and it wasn't even a zero-day. just a well-crafted phishing page. SSO is a single point of failure most teams just accept

    1. phishing beat a zero-day here. the attacker literally just made a convincing login page and an employee handed over the keys

    2. the SSO vendor is the soft underbelly of every org. one compromised session token and the attacker has keys to every app. zero-day not required
