Ad tech firm Optimizely is notifying customers after a voice phishing attack led to unauthorized access to some of its internal systems.
The company says threat actors obtained limited business contact information but did not access sensitive customer data or disrupt operations.
“The threat actor gained access to Optimizely’s systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment, and we have no evidence that the threat actor was able to access sensitive customer data or personal information beyond basic business contact information,” the company said in a statement to BleepingComputer.
“Vishing is becoming more popular, and potent, as attackers combine call scripts with leaked personal details and spoofed caller IDs, or pair the phone call with a convincing login prompt or a fake support workflow,” said Pete Luban, Field CISO at AttackIQ, in an email to eSecurityPlanet.
He added, “In Optimizely’s case, even if the stolen data ends up being limited, it’s still valuable fuel for follow-up scams, since personal information makes future phishing and vishing attempts far more convincing.”
Inside the Optimizely Incident
Optimizely operates at global scale, employing nearly 1,500 people across 21 offices and serving more than 10,000 customers worldwide.
Its client roster includes major brands such as H&M, PayPal, Zoom, Toyota, Vodafone, Shell, Salesforce, and Nike.
According to BleepingComputer, the breach stemmed from a voice phishing, or vishing, attack that enabled the threat actor to gain access to certain internal systems.
Vishing attacks typically rely on impersonation tactics, with threat actors posing as trusted personnel — such as IT support staff, vendors, or executives — to persuade employees to disclose credentials, approve multi-factor authentication (MFA) prompts, or perform account resets.
Unlike exploits tied to software vulnerabilities, these attacks target weaknesses in human processes and identity verification workflows.
Optimizely described the attack as “sophisticated,” though technical specifics have not been publicly disclosed.
The company stated to BleepingComputer that the incident was confined to specific internal business systems, CRM records, and a limited set of back-office documents.
There was no reported evidence that the attacker escalated privileges, deployed malware, established persistence, or accessed sensitive customer data beyond what it characterized as “basic business contact information.”
Business contact data can be leveraged in targeted phishing or business email compromise (BEC) campaigns aimed at customers, partners, or internal teams.
There is also no breach notification on the company website at the time of publication.
Building Resilience to Vishing Attacks
As voice phishing and other identity-based attacks target employees, organizations should strengthen controls around authentication, access management, and verification processes.
Unlike exploits of known software vulnerabilities (CVEs), these attacks take advantage of trust and procedural weaknesses to gain access, so the controls that matter are the ones around people and identity workflows.
- Implement phishing-resistant MFA (FIDO2/WebAuthn authenticators rather than push approvals or one-time codes, which a caller can talk an employee into relaying) together with conditional access policies, so that a stolen password alone cannot complete a login, MFA fatigue attacks have no prompt to exploit, and high-risk logins from unmanaged devices or unexpected locations are blocked.
- Enforce strict identity verification procedures for help desk and support workflows: never act on an inbound call alone, and require call-back validation using a number from the trusted directory before resetting passwords, re-enrolling MFA factors, or granting access.
- Limit privileged access through least-privilege principles, just-in-time elevation, and secondary approval requirements for administrative changes.
- Monitor identity and access management systems for unusual password resets, privilege changes, anomalous login activity, and suspicious CRM or back-office system access.
- Establish clear policies prohibiting the sharing of passwords or MFA codes over phone, email, or messaging platforms, and reinforce these through targeted voice phishing training.
- Conduct regular voice phishing simulations and employee awareness exercises to identify process gaps and improve reporting and escalation procedures.
- Regularly test incident response plans through tabletop exercises that simulate social engineering and identity-based attacks.
Collectively, these measures help reduce the risk of identity-based breaches and strengthen organizational resilience against voice phishing and other social engineering attacks.
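As an added example, not code from the original article or from Optimizely, the following Python script shows one way to act on the monitoring and help-desk bullets above. It scans a constructed, hypothetical identity-provider audit feed (the JSON field names and event names are assumptions for illustration, not the schema of any real product) for the sequence a help-desk-assisted takeover typically leaves behind: a password reset performed by someone other than the account owner, followed within a short window by an MFA factor reset or enrollment, a login from an IP address the account has never used, and optionally a privilege change.

```python
"""Detect help-desk-assisted account takeover chains in identity audit logs.

Added example. The log format below is a constructed, hypothetical
JSON-lines audit feed; real identity providers use different field and
event names, so map them before reusing this logic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# How long after the reset we keep correlating follow-on activity (assumed).
WINDOW = timedelta(minutes=45)

# Follow-on events that, chained shortly after a third-party password reset,
# match the vishing playbook: replace the MFA factor, log in from new
# infrastructure, then expand access.
FOLLOW_ON_EVENTS = {
    "mfa.factor.reset", "mfa.factor.enroll",
    "user.login.success", "group.privilege.add",
}

# Constructed sample audit feed (RFC 5737 documentation IP ranges).
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:02:11Z", "event": "user.login.success", "target": "jdoe", "actor": "jdoe", "ip": "203.0.113.10"}
{"ts": "2025-03-03T13:40:05Z", "event": "user.password.reset", "target": "jdoe", "actor": "helpdesk.agent7", "ip": "198.51.100.20"}
{"ts": "2025-03-03T13:43:30Z", "event": "mfa.factor.reset", "target": "jdoe", "actor": "helpdesk.agent7", "ip": "198.51.100.20"}
{"ts": "2025-03-03T13:47:52Z", "event": "mfa.factor.enroll", "target": "jdoe", "actor": "jdoe", "ip": "192.0.2.77"}
{"ts": "2025-03-03T13:49:10Z", "event": "user.login.success", "target": "jdoe", "actor": "jdoe", "ip": "192.0.2.77"}
{"ts": "2025-03-03T14:05:00Z", "event": "group.privilege.add", "target": "jdoe", "actor": "jdoe", "ip": "192.0.2.77", "detail": "crm-admins"}
{"ts": "2025-03-03T15:10:00Z", "event": "user.password.reset", "target": "asmith", "actor": "asmith", "ip": "203.0.113.44"}
{"ts": "2025-03-03T15:12:00Z", "event": "user.login.success", "target": "asmith", "actor": "asmith", "ip": "203.0.113.44"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_reset_chains(events, window=WINDOW):
    """Return one alert per password reset that is followed by an MFA factor
    change and a login from an IP the account had not used before the reset."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["target"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "user.password.reset":
                continue
            # Self-service resets are noisy and are not the help-desk entry
            # point this rule targets; only resets by another actor qualify.
            if reset["actor"] == user:
                continue

            # IPs the account legitimately logged in from before the reset.
            known_ips = {e["ip"] for e in evs[:i] if e["event"] == "user.login.success"}

            chain = []
            for follow in evs[i + 1:]:
                if follow["ts"] - reset["ts"] > window:
                    break
                if follow["event"] in FOLLOW_ON_EVENTS:
                    chain.append(follow)

            factor_change = any(e["event"].startswith("mfa.factor.") for e in chain)
            new_ips = sorted({e["ip"] for e in chain
                              if e["event"] == "user.login.success" and e["ip"] not in known_ips})
            privilege_change = any(e["event"] == "group.privilege.add" for e in chain)

            if factor_change and new_ips:
                alerts.append({
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_at": reset["ts"].isoformat(),
                    "chain": [e["event"] for e in chain],
                    "new_ips": new_ips,
                    "severity": "high" if privilege_change else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_chains(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the constructed feed, the script raises a single high-severity alert for `jdoe` (help-desk reset, factor reset and re-enrollment, first-ever login from 192.0.2.77, then membership in an admin group) and stays silent on `asmith`, whose self-service reset and login from a known address fit normal activity. In production the same rule would be fed by the identity provider's audit export, with the window and event names tuned to that product.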
Vishing Threats Target Enterprise Workflows
While Optimizely has indicated that the impact was limited, the incident illustrates how voice phishing and other identity-based tactics remain a concern for enterprise environments.
As attackers target authentication processes rather than specific software vulnerabilities, organizations should continue strengthening identity verification procedures, access controls, and employee awareness to reduce risk.
Attacks like this are prompting organizations to adopt zero-trust approaches that strengthen identity controls and reduce implicit trust across enterprise environments.
