Optimizely confirms data breach after voice phishing attack

The advertising technology firm says attackers accessed internal systems through a vishing campaign; however, they did not reach sensitive customer data.

 

What happened

New York-based ad tech company Optimizely has notified customers of a data breach after attackers gained access to parts of its internal systems through a voice phishing attack, also known as vishing, where scammers use phone calls to trick employees into revealing access details. According to BleepingComputer, the attackers contacted the company on February 11, claiming they had gained entry. Optimizely later confirmed that certain internal business systems, customer relationship management records, and limited back office documents were accessed. The company said the data involved basic business contact information and reported no evidence that sensitive customer data or other personal information was exposed. It also stated that the attackers were unable to gain higher-level access, install malicious software, or create hidden backdoors, and that operations continue without disruption.

 

Going deeper

Voice phishing, or vishing, involves attackers calling employees while posing as trusted staff to trick them into sharing login details or approving authentication requests. In this case, Optimizely said the breach resulted from a sophisticated social engineering attack rather than a software flaw. Similar campaigns have targeted single sign-on systems, where one set of credentials provides access to multiple services, and in some cases have abused OAuth 2.0 device authorization flows, a legitimate login method, to steal authentication tokens. With valid tokens, attackers can take over active sessions and access connected systems without installing malware.

 

What was said

Optimizely told BleepingComputer in a statement published February 23, 2026, "The threat actor gained access to Optimizely's systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment, and we have no evidence that the threat actor was able to access sensitive customer data or personal information beyond basic business contact information." The company also informed customers that "the communication we received is consistent with the behavior of a loosely affiliated group who use sophisticated and aggressive social engineering tactics, most often involving voice phishing, to attempt to access their victims' systems." Those statements were included in breach notifications and confirmed in reporting by BleepingComputer.

 

In the know

According to IT Pro, Google’s Threat Intelligence Group (GTIG) has issued a warning about a new wave of vishing campaigns linked to groups with ShinyHunters-style tactics. In these campaigns, attackers impersonate IT staff in phone calls and direct victims to fake login sites to steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes, which they then use to infiltrate cloud SaaS applications and exfiltrate sensitive data for extortion. In one example tracked by GTIG, threat actors labeled UNC6661 pretended to be internal support staff and called employees to claim their MFA settings needed updating. This led victims to attacker-controlled credential harvesting sites and ultimately enabled unauthorized access and data theft.

 

The big picture

The Optimizely incident also points to a wider change in attacker tactics. Instead of breaking in through software bugs, threat groups are going after people and identity systems. Actors linked to ShinyHunters have claimed similar breaches at Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, fintech firm Figure, and Match Group. In several cases, attackers relied on voice phishing to trick support teams into granting access to single sign-on systems tied to Microsoft, Okta, and Google. Even where sensitive data was not confirmed stolen, these identity-focused social engineering campaigns were enough to get around traditional security controls and disrupt operations, putting fresh pressure on organizations to tighten help desk verification and deploy phishing-resistant multifactor authentication instead of depending only on perimeter defenses.

 

FAQs

What is voice phishing or vishing?

Voice phishing is a social engineering technique where attackers impersonate trusted individuals over the phone to convince victims to reveal credentials, approve authentication requests, or perform security-sensitive actions.

 

What is single sign-on, and why is it targeted?

Single sign-on systems allow users to access multiple enterprise applications with one set of credentials. Compromising those credentials can provide access to many connected services at once.

 

How does device code phishing work?

Device code phishing abuses a legitimate OAuth authentication flow designed for devices with limited input capability. Attackers trick victims into entering a device code on an official login page, allowing the attacker to obtain authentication tokens tied to the victim’s account.

 

What type of data was exposed in the Optimizely incident?

Optimizely said attackers accessed basic business contact information stored in certain internal systems and CRM records, and reported no evidence that sensitive customer data was accessed.

 

What should organizations do to reduce vishing risk?

Organizations can implement strict help desk verification procedures, require phishing-resistant multifactor authentication, monitor token issuance events, and train employees to independently verify unexpected support calls before approving access requests.
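
As an added example (not from the original article, Optimizely, or any vendor), the sketch below shows one way to monitor token issuance for the device code flow described in the FAQ above: it flags completed flows where the client is not expected to use the flow or where the person approving the code is on a different network from the device that requested it. The event schema, field names, client names, allowlist and /24 comparison are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allowlist: clients the organization expects to use the device flow.
ALLOWED_DEVICE_CLIENTS = {"conference-room-display"}

# Constructed sample events in a hypothetical normalized schema (not a vendor log format).
EVENTS = [
    {"flow": "A", "type": "device_code_issued", "client": "conference-room-display", "ip": "198.51.100.20"},
    {"flow": "A", "type": "user_code_approved", "user": "alice", "ip": "198.51.100.77"},
    {"flow": "A", "type": "token_issued", "user": "alice", "ip": "198.51.100.20"},
    {"flow": "B", "type": "device_code_issued", "client": "generic-cli", "ip": "203.0.113.9"},
    {"flow": "B", "type": "user_code_approved", "user": "bob", "ip": "198.51.100.41"},
    {"flow": "B", "type": "token_issued", "user": "bob", "ip": "203.0.113.9"},
    {"flow": "C", "type": "device_code_issued", "client": "generic-cli", "ip": "203.0.113.9"},
]

def same_network(ip_a, ip_b, prefix=24):
    """True when both addresses fall in the same /prefix (a coarse, tunable proxy)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def review_device_flows(events):
    """Group events by flow and return {flow: [reasons]} for completed flows worth review."""
    flows = defaultdict(dict)
    for ev in events:
        flows[ev["flow"]][ev["type"]] = ev
    findings = {}
    for flow_id, steps in flows.items():
        if "token_issued" not in steps:
            continue  # code was never redeemed, so no token exists to review
        issued = steps.get("device_code_issued")
        approved = steps.get("user_code_approved")
        reasons = []
        if issued is None or approved is None:
            reasons.append("incomplete_telemetry")
        else:
            if issued["client"] not in ALLOWED_DEVICE_CLIENTS:
                reasons.append("client_not_allowlisted")
            if not same_network(issued["ip"], approved["ip"]):
                reasons.append("approver_and_device_on_different_networks")
        if reasons:
            findings[flow_id] = reasons
    return findings

if __name__ == "__main__":
    for flow_id, reasons in review_device_flows(EVENTS).items():
        print(flow_id, reasons)
```

Legitimate device-flow use from remote servers or VPNs will also trip the network check, so findings are a review queue rather than a verdict.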
