A surge of data breaches impacting prominent companies, including Qantas, Allianz Life, LVMH, and Adidas, has been attributed to the ShinyHunters extortion group. This group has demonstrated a willingness to employ voice phishing attacks to infiltrate Salesforce CRM environments and exfiltrate sensitive data.
In June, Google’s Threat Intelligence Group (GTIG) issued a cautionary notice regarding a faction known as UNC6040, which has been actively targeting Salesforce clients through social engineering tactics.
During these attacks, threat actors impersonated IT support personnel, engaging directly with employees over the phone. They manipulated victims into accessing Salesforce’s connected app setup page, where they were instructed to input a “connection code.” This action enabled the installation of a malicious iteration of Salesforce’s Data Loader OAuth app, effectively linking it to the victim’s Salesforce environment.
Notably, in some cases the malicious Data Loader app was renamed “My Ticket Portal,” a label that made the connected app look like an ordinary support tool and made the request to approve it more plausible to the victim.
[Figure: Example of the connection code input prompt. Source: Google]
GTIG identified that these operations predominantly utilized voice phishing (vishing), but additional attack vectors included credential theft through phishing sites masquerading as legitimate Okta login pages.
Concurrently, several organizations reported breaches associated with third-party customer service platforms or cloud-based CRM systems. For instance, subsidiaries of LVMH, such as Louis Vuitton, Dior, and Tiffany & Co., each disclosed unauthorized access to their customer information databases. Tiffany Korea informed their clients that attackers had compromised a “vendor platform used for managing customer data.”
Similarly, breaches involving third-party systems were reported by Adidas, Qantas, and Allianz Life. Allianz confirmed that the incident involved a third-party customer relationship management platform, with an Allianz Life spokesperson stating, “On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America.”
While the nature of the breach associated with Qantas has not been officially confirmed, local media reports suggest that it involved a Salesforce instance. Court documents further revealed that the threat actors targeted database tables for “Accounts” and “Contacts,” specific Salesforce objects pivotal to client management.
Although none of these firms have publicly identified Salesforce as the compromised platform, investigations by BleepingComputer confirm that all were subjected to the same malicious campaign outlined by Google.
The recent spate of attacks has not yet resulted in public extortion or data leaks. Nevertheless, BleepingComputer has learned that the threat actors are attempting to privately extort organizations via email, identifying themselves as ShinyHunters. Should these extortion attempts fail, it is anticipated that the actors may resort to releasing stolen data in subsequent leaks, reflecting strategies employed in prior incidents such as the Snowflake attacks.
Understanding ShinyHunters
The series of breaches has generated confusion within the cybersecurity community, with multiple entities attributing them to Scattered Spider, known as UNC3944, which has similarly targeted sectors like aviation, retail, and insurance. The tactics employed by Scattered Spider, however, typically involve comprehensive network breaches resulting in data theft or ransomware deployment. By contrast, ShinyHunters, or UNC6040, has carved out a niche in data-theft extortion focused on specific cloud platforms or web applications.
Security analysts posit that disparate members of both UNC6040 and UNC3944 may operate within the same cybercriminal collectives, further complicating attribution efforts. The threat group is also believed to have ties to “The Com,” an alliance of seasoned English-speaking cybercriminals.
According to intelligence from Recorded Future, a noticeable overlap in tactics, techniques, and procedures (TTPs) between the known operations of Scattered Spider and ShinyHunters indicates a potential collaboration between these factions. This interrelation is underscored by reports suggesting that elements from both groups are simultaneously targeting identical industries.
Insight from researchers indicates that both threat actor groups might be affiliated with members of the now-disbanded Lapsus$ hacking group, with indications that one recently arrested individual connected with Scattered Spider previously operated within Lapsus$.
Another hypothesis is that ShinyHunters functions as an extortion-as-a-service entity, orchestrating extortion campaigns on behalf of other threat actors for a revenue share, akin to ransomware-as-a-service models. This theory finds support in past discussions with ShinyHunters, in which they stated that they do not directly carry out breaches but instead operate as intermediaries selling stolen data.
These breaches encompass notable incidents involving organizations like PowerSchool, Oracle Cloud, Snowflake, AT&T, NitroPDF, Wattpad, MathWay, and many others.
[Figure: ShinyHunters attempting to sell data from the AT&T breach. Source: BleepingComputer]
To further cloud the situation, a series of arrests linked to the ShinyHunters name has occurred, including individuals implicated in the Snowflake attacks, breaches involving PowerSchool, and the management of the Breached v2 hacking forum.
Despite these law enforcement actions, new attacks have persisted, with companies receiving extortion correspondence asserting, “We are ShinyHunters,” and referring to themselves collectively.
Strategies for Safeguarding Salesforce Instances Against Threats
In dialogue with BleepingComputer, Salesforce clarified that the platform itself remains secure; breaches occur when customers’ accounts fall prey to social engineering schemes. Salesforce remarked, “The platform has not been compromised, and the issues described are not due to any known vulnerabilities in our system. While Salesforce incorporates enterprise-grade security in all aspects of our offerings, our customers must also actively participate in safeguarding their data—particularly in the context of increasingly sophisticated phishing and social engineering threats.”
Salesforce is advocating for customers to fortify their security frameworks by implementing the following measures:
- Defining trusted IP ranges for logins
- Adhering to the principle of least privilege for application permissions
- Enabling multi-factor authentication (MFA)
- Restricting the use and access of connected applications
- Utilizing Salesforce Shield for enhanced threat detection, event monitoring, and transaction policies
- Designating a Security Contact for effective incident communication
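The measures above (trusted IP ranges, restricting connected apps, event monitoring) can be turned into a simple detection over event monitoring output. The following is an added example, not code from Salesforce or from the article: it runs over constructed sample rows whose field names ("type", "app", "object", "rows") are assumptions rather than the real event schema, and flags the chain the campaign relies on, an unapproved connected app being authorized and then used for a bulk export of Account or Contact records from outside the trusted ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample rows loosely modelled on Salesforce event monitoring output.
# Field names ("type", "app", "object", "rows") are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"ts": "2025-07-16T09:01:00Z", "type": "Login", "user": "jdoe", "ip": "10.0.5.12", "app": "Browser"},
    {"ts": "2025-07-16T09:05:00Z", "type": "ConnectedAppAuth", "user": "jdoe", "ip": "203.0.113.44", "app": "My Ticket Portal"},
    {"ts": "2025-07-16T09:07:00Z", "type": "BulkApi", "user": "jdoe", "ip": "203.0.113.44", "app": "My Ticket Portal", "object": "Account", "rows": 48000},
    {"ts": "2025-07-16T09:09:00Z", "type": "BulkApi", "user": "jdoe", "ip": "203.0.113.44", "app": "My Ticket Portal", "object": "Contact", "rows": 120000},
    {"ts": "2025-07-16T10:00:00Z", "type": "BulkApi", "user": "svc_etl", "ip": "10.0.5.30", "app": "Data Loader", "object": "Account", "rows": 5000},
]

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate login range
APPROVED_APPS = {"Browser", "Data Loader"}            # assumed connected-app allow-list
CRM_OBJECTS = {"Account", "Contact"}                  # objects named in the article
EXPORT_THRESHOLD = 10_000                             # rows per job that warrant review
CHAIN_WINDOW = timedelta(minutes=30)                  # auth-to-export window to correlate

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def find_suspicious(events, nets=TRUSTED_NETS, approved=APPROVED_APPS, threshold=EXPORT_THRESHOLD):
    """Return one finding per event that breaks a control; a bulk CRM export that
    follows a fresh unapproved app authorization by the same user is marked as a chain."""
    findings = []
    recent_auth = {}  # (user, app) -> time of the unapproved connected-app authorization
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = []
        if e["type"] == "ConnectedAppAuth" and e["app"] not in approved:
            reasons.append("unapproved connected app authorized")
            recent_auth[(e["user"], e["app"])] = _ts(e["ts"])
        if e["type"] == "BulkApi" and e.get("object") in CRM_OBJECTS and e.get("rows", 0) >= threshold:
            reasons.append(f"bulk export of {e['object']} ({e['rows']} rows)")
            auth_at = recent_auth.get((e["user"], e["app"]))
            if auth_at and _ts(e["ts"]) - auth_at <= CHAIN_WINDOW:
                reasons.append("export follows new app authorization (possible data-theft chain)")
        if reasons and not _trusted(e["ip"], nets):
            reasons.append("source IP outside trusted ranges")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "app": e["app"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["app"], "; ".join(f["reasons"]))
```

The approved-app set and trusted networks stand in for the org's own connected-app allow-list and login IP ranges; the scheduled Data Loader job from inside the trusted range is deliberately left unflagged.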
For more detailed guidance on these mitigation strategies, customers are encouraged to consult the comprehensive resources available on Salesforce’s official blog.