Ad tech firm Optimizely confirms data breach after vishing attack
Source: Bleeping Computer

New York‑based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice‑phishing (vishing) attack.
Optimizely employs nearly 1,500 people across 21 global offices, and its customer list includes over 10,000 businesses, among them high‑profile brands such as H&M, PayPal, Zoom, Toyota, Vodafone, Shell, Salesforce, and Nike.
In breach notification letters sent to affected customers, the company said the threat actors reached out on February 11, claiming they had access to its systems.
Optimizely also told BleepingComputer that the attackers breached some of its systems and stole what it described as “basic business contact information.”
“The threat actor gained access to Optimizely’s systems through a sophisticated voice‑phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment, and we have no evidence that the threat actor was able to access sensitive customer data or personal information beyond basic business contact information,” the company said.
Optimizely added that the incident was confined to certain internal business systems, records in its CRM, and a limited set of internal documents used for back‑office operations, and that its business operations continue without disruption.
The company warned customers to be wary of follow‑up attacks that could use the stolen data in further phishing attempts, which may involve calls, texts, or emails asking for passwords, MFA codes, or other credentials.
ShinyHunters links
While Optimizely did not disclose how many customers were affected or name the threat actor, it told affected customers that “the communication we received is consistent with the behavior of a loosely affiliated group who use sophisticated and aggressive social engineering tactics, most often involving voice phishing, to attempt to access their victims’ systems.”
This suggests the attackers may be part of the ShinyHunters extortion operation, which has claimed similar breaches at:
- Canada Goose
- Panera Bread
- Betterment
- SoundCloud
- PornHub
- Figure
- Match Group (owner of Tinder, Hinge, Meetic, Match.com, OkCupid)
Some of these breaches involved a voice‑phishing campaign targeting single sign‑on (SSO) accounts at Microsoft, Okta, and Google across more than 100 high‑profile organizations. In those attacks, threat actors impersonated IT support, called employees, and tricked them into entering credentials and MFA codes on phishing sites that mimicked legitimate login portals.
More recently, the group has shifted to device‑code vishing, abusing the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens. Once inside, they hijack the victim’s SSO account and gain access to connected enterprise services such as Salesforce, Microsoft 365, Google Workspace, Zendesk, Dropbox, SAP, Slack, Adobe, Atlassian, and many others.
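For defenders, device-code sign-ins are visible in identity provider logs. The following added example (not from the article or from Optimizely) reviews constructed sign-in records for successful device-code authentications from apps outside an allowlist. The field names are modeled on the Microsoft Graph signIn resource, and the app names, users, and allowlist are hypothetical.

```python
import json

# Constructed sample sign-in records (not real data). Field names are modeled
# on the Microsoft Graph signIn resource; your export's shape is an assumption.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-15T09:01:00Z","userPrincipalName":"ana@example.com","appDisplayName":"Mail Client","ipAddress":"198.51.100.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T09:40:00Z","userPrincipalName":"ana@example.com","appDisplayName":"Example CLI Tool","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T10:05:00Z","userPrincipalName":"bo@example.com","appDisplayName":"Meeting Room Display","ipAddress":"198.51.100.20","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T10:30:00Z","userPrincipalName":"cy@example.com","appDisplayName":"Example CLI Tool","ipAddress":"203.0.113.90","authenticationProtocol":"deviceCode","status":{"errorCode":70016}}
{"createdDateTime":"2025-01-15T11:00:00Z","userPrincipalName":"dee@example.com","appDisplayName":"Mail Client","ipAddress":"198.51.100.30","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T11:20:00Z","userPrincipalName":"dee@example.com","appDisplayName":"Example CLI Tool","ipAddress":"198.51.100.30","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

def flag_device_code_signins(lines, allowed_apps=frozenset()):
    """Return successful device-code sign-ins from apps not on the allowlist."""
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["createdDateTime"])  # ISO-8601 UTC sorts as text
    known_ips = {}  # user -> IPs seen in earlier successful non-device-code sign-ins
    findings = []
    for e in events:
        user, ip = e["userPrincipalName"].lower(), e["ipAddress"]
        succeeded = e.get("status", {}).get("errorCode") == 0
        if e.get("authenticationProtocol") != "deviceCode":
            if succeeded:
                known_ips.setdefault(user, set()).add(ip)
            continue
        if not succeeded or e.get("appDisplayName") in allowed_apps:
            continue  # flow did not complete, or app is expected to use device codes
        findings.append({"time": e["createdDateTime"], "user": user,
                         "app": e.get("appDisplayName"), "ip": ip,
                         # True when the user has no earlier sign-in from this IP
                         "new_ip": ip not in known_ips.get(user, set())})
    return findings

if __name__ == "__main__":
    # Hypothetical allowlist: shared devices that legitimately use device codes.
    for f in flag_device_code_signins(SAMPLE_LOG.splitlines(), {"Meeting Room Display"}):
        print(f)
```

Findings with `new_ip` set are the ones to triage first, since a token issued to an address the user has never signed in from matches the pattern of a code approved on someone else's behalf.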

