
Suspected ShinyHunters’ Vishing Attack Hits Ad Tech Firm Optimizely, Leaking Business Information

Ad tech company Optimizely has confirmed a data breach following a vishing attack that leaked business contact information from some internal business systems.

Voice phishing (vishing) uses phone calls or audio messages to lure victims into disclosing their login credentials, authorizing a rogue app, or revealing sensitive information such as credit card numbers.

New York-based Optimizely serves over 10,000 businesses across 21 global locations and employs 1,500 people. Its clients include clothing company H&M, payment giant PayPal, automaker Toyota, telecommunications giant Vodafone, and video conferencing firm Zoom.

Vishing attack on ad tech company leaks customer data

According to data breach notification letters sent to affected customers, Optimizely learned of the data breach on February 11 after a threat actor contacted the ad tech company claiming to have compromised its systems.

Upon learning of the data breach, Optimizely initiated an investigation and determined that the leak stemmed from a vishing attack. The unauthorized access enabled the attacker to exfiltrate basic business contact information. However, they were unable to escalate privileges, install malicious software, or gain persistence by creating a backdoor for future exploitation.

“The threat actor gained access to Optimizely’s systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment,” the ad tech company stated.

Additionally, no sensitive client information was compromised, and the attack was limited to some business systems, CRM, and a subset of internal documents.

“The incident was confined to certain internal business systems including Zendesk, records in our Salesforce CRM, and a limited set of internal documents used for back-office operations,” it added.

The vishing attack also did not disrupt operations at the ad tech company, and the threat actor’s access was terminated successfully.

Meanwhile, Optimizely has notified law enforcement and launched an investigation with third-party cybersecurity experts to determine the scope of the incident. The ad tech company also advised impacted customers to be on the lookout for potential spear phishing attacks leveraging the stolen information.

“Voice phishing is effective because it turns security into a real time conversation, where an attacker can build trust and convince employees to hand over credentials,” said Pete Luban, Field CISO at AttackIQ. “Vishing is becoming more popular, and potent, as attackers combine call scripts with leaked personal details and spoofed caller IDs, or pairing the phone call with a convincing login prompt or a fake support workflow. In Optimizely’s case, even if the stolen data ends up being limited, it’s still valuable fuel for follow-up scams, since personal information makes future phishing and vishing attempts far more convincing.”

ShinyHunters linked to Optimizely vishing attack

So far, the ad tech company has not attributed the vishing attack to any threat group. However, the tactics are consistent with the aggressive hacking campaign by the prolific hacking gang ShinyHunters.

Since 2025, the group has conducted vishing attacks on single sign-on (SSO) platforms, Okta, Microsoft, and Google, affecting over 100 organizations. Some notable downstream victims of the ShinyHunters’ vishing campaign include Canada Goose, investment platform Betterment, streaming website SoundCloud, fintech company Figure, and business intelligence platform CrunchBase.

“Marketing, PR, and advertising companies like Optimizely are not typically the primary targets of major data breaches, which makes this incident unique,” noted Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense. “Attackers often focus on high‑value enterprises, yet ad‑tech platforms hold substantial sensitive data on behalf of their clients.”

In January, Google’s cybersecurity company Mandiant warned that ShinyHunters was targeting more cloud platforms and seeking more sensitive data for extortion.

Additionally, the cybercrime group started using more aggressive tactics, including harassing employees and business partners to force victim organizations to pay the ransom. ShinyHunters also deploys a sophisticated phishing toolkit to meet callers’ specific needs, such as providing contextual screens matching the victim’s authentication flows to harvest login credentials and MFA codes.

However, Mandiant insists that ShinyHunters’ breaches do not stem from product vulnerabilities but from the effectiveness of its social engineering tactics. Accordingly, the cybersecurity firm recommends deploying phishing-resistant MFA, such as FIDO2 security keys, and ditching SMS-based two-factor authentication.
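Why FIDO2 holds up against a look-alike login screen where a typed MFA code does not, shown as an added example that is not from Mandiant or Optimizely: the browser writes the page's real origin into the assertion and the authenticator hashes the relying-party ID, so the server can reject a login that was performed on another site. The domain names, challenge value and the simulate_client helper are constructed for illustration, and signature verification is left out.

```python
import base64, hashlib, json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin
CHALLENGE = b"constructed-server-challenge"    # constructed; a real one is random per login

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulate_client(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator emit at `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV = 0x05) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data

def binding_problems(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Reasons to reject the assertion; an empty list means the binding checks pass.
    Signature verification over auth_data || SHA-256(client_data) is omitted here;
    a real relying party must perform it as well."""
    problems = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        problems.append("wrong type")
    if fields.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch")
    if fields.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if len(auth_data) < 37:
        problems.append("authenticatorData too short")
    else:
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            problems.append("rpIdHash mismatch")
        if not auth_data[32] & 0x01:
            problems.append("user presence flag not set")
    return problems

if __name__ == "__main__":
    real = simulate_client(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    # Look-alike page relaying the real server's challenge (constructed domain).
    fake = simulate_client("https://login-example.test", "login-example.test", CHALLENGE)
    print("legitimate:", binding_problems(*real, CHALLENGE))
    print("look-alike:", binding_problems(*fake, CHALLENGE))
```

A six-digit SMS or app code carries neither of these fields, which is why it verifies the same way no matter which page the user typed it into.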