ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH


A wave of data breaches impacting companies such as Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.

In June, Google's Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.

In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to convince them to visit Salesforce's connected app setup page. On this page, the employees were told to enter a "connection code", which linked a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment. Once the app is authorized, it can query and export records under the victim user's own permissions, so no platform vulnerability is needed.

In some cases, the Data Loader component was renamed to "My Ticket Portal" to make it more convincing during the attacks.

Prompt to enter connection code
Source: Google

GTIG says that these attacks were usually carried out through vishing (voice phishing), but credentials and MFA tokens were also stolen through phishing pages that impersonated Okta login pages.

Around the time of this report, several companies reported data breaches involving third-party customer service or cloud-based CRM systems.

LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. each disclosed unauthorized access to a customer information database, with Tiffany Korea notifying customers that the attackers breached a "vendor platform used for managing customer data."

Adidas, Qantas, and Allianz Life also reported breaches involving third-party systems, with Allianz confirming it was a third-party customer relationship management platform.

"On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," an Allianz Life spokesperson told BleepingComputer.

While BleepingComputer has learned that the Qantas data breach also involved a third-party customer relationship management platform, the company would not confirm that it is Salesforce. However, earlier reporting from local media claims the data was stolen from Qantas' Salesforce instance.

Furthermore, court documents state that the threat actors targeted the "Accounts" and "Contacts" database tables, both of which are Salesforce objects.

While none of these companies have publicly named Salesforce, BleepingComputer has since confirmed that all were targeted in the same campaign detailed by Google.

The attacks have not yet led to public extortion or data leaks, with BleepingComputer learning that the threat actors are attempting to privately extort companies over email, where they identify themselves as ShinyHunters.

It is believed that when these extortion attempts fail, the threat actors will release the stolen information in a prolonged wave of leaks, similar to ShinyHunters' earlier Snowflake attacks.

Who is ShinyHunters?

The breaches have caused confusion among the cybersecurity community and the media, including BleepingComputer, with the attacks attributed to Scattered Spider (tracked by Mandiant as UNC3944), as those threat actors were also targeting the aviation, retail, and insurance sectors around the same time and demonstrated similar tactics.

However, threat actors associated with Scattered Spider tend to perform full-blown network breaches, culminating in data theft and, sometimes, ransomware. ShinyHunters, tracked as UNC6040, on the other hand, tends to focus more on data-theft extortion attacks targeting a particular cloud platform or web application.

It is BleepingComputer's and some security researchers' belief that both UNC6040 and UNC3944 consist of overlapping members who communicate within the same online communities. The threat group is also believed to overlap with "The Com," a network of experienced English-speaking cybercriminals.

"According to Recorded Future intelligence, the overlapping TTPs between identified Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups," Allan Liska, an Intelligence Analyst for Recorded Future, told BleepingComputer.

Other researchers have told BleepingComputer that ShinyHunters and Scattered Spider appear to be working in lockstep, targeting the same industries at the same time, which makes it harder to attribute attacks.

Some also believe that both groups have ties to threat actors from the now-defunct Lapsus$ hacking group, with reports indicating that one of the recently arrested Scattered Spider hackers was also in Lapsus$.

Another theory is that ShinyHunters is acting as an extortion-as-a-service, extorting companies on behalf of other threat actors in exchange for a revenue share, similar to how ransomware-as-a-service gangs operate.

This theory is supported by earlier conversations BleepingComputer has had with ShinyHunters, in which they claimed not to be behind a breach, but simply to be acting as the seller of the stolen data.

These breaches include PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, NitroPDF, Wattpad, MathWay, and many more.

ShinyHunters attempting to sell AT&T data breach
Source: BleepingComputer

To muddy the waters further, there have been numerous arrests of people linked to the name "ShinyHunters," including those arrested for the Snowflake data-theft attacks, the breaches at PowerSchool, and the operation of the Breached v2 hacking forum.

Yet even after these arrests, new attacks occur, with companies receiving extortion emails stating, "We are ShinyHunters," and referring to themselves as a "collective."

Protecting Salesforce instances from attacks

In a statement to BleepingComputer, Salesforce emphasized that the platform itself was not compromised; rather, customers' accounts are being breached through social engineering.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," Salesforce told BleepingComputer.

"We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications. For more information, please visit: https://www.salesforce.com/blog/protect-against-social-engineering/."

Salesforce is urging customers to strengthen their security posture by:

  • Enforcing trusted IP ranges for logins
  • Following the principle of least privilege for app permissions
  • Enabling multi-factor authentication (MFA)
  • Restricting use of connected apps and managing access policies
  • Using Salesforce Shield for advanced threat detection, event monitoring, and transaction policies
  • Adding a designated Security Contact for incident communication

Further details on these mitigations can be found in Salesforce's guidance linked above. Note that MFA alone does not stop this campaign: the victim authorizes the attacker's connected app themselves, so the controls that matter most are connected-app allowlisting, trusted IP ranges, and monitoring for unusual exports.
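The campaign described above (a newly linked connected app, possibly renamed, followed by bulk exports of the Account and Contact objects) leaves a pattern that event monitoring can catch. The following Python script is an added example, not code from BleepingComputer, Google, or Salesforce: it runs a few detection rules over constructed, simplified activity records. The column layout, the trusted range 203.0.113.0/24, the approved-app allowlist, and the 10,000-row threshold are all assumptions for the example; a real deployment would read the organisation's own Event Monitoring or login-history exports and substitute its actual values.

```python
"""Detection rules over constructed Salesforce-style activity events.

Added example. The record format below is an assumed simplification
(timestamp,user,kind,client_ip,app,object,rows), not the real
Salesforce EventLogFile schema.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample activity, NOT real Salesforce log output.
SAMPLE_LOG = """\
2025-07-16T09:12:00,jdoe,app_authorized,198.51.100.23,My Ticket Portal,,0
2025-07-16T09:20:00,jdoe,bulk_export,198.51.100.23,My Ticket Portal,Account,52000
2025-07-16T09:25:00,jdoe,bulk_export,198.51.100.23,My Ticket Portal,Contact,81000
2025-07-16T10:00:00,asmith,app_authorized,203.0.113.7,Salesforce Data Loader,,0
2025-07-16T10:05:00,asmith,bulk_export,203.0.113.7,Salesforce Data Loader,Opportunity,500
"""

TRUSTED_RANGES = [ip_network("203.0.113.0/24")]  # assumed corporate egress range
APPROVED_APPS = {"Salesforce Data Loader"}        # assumed connected-app allowlist
SENSITIVE_OBJECTS = {"Account", "Contact"}        # objects named in the court documents
EXPORT_WINDOW = timedelta(hours=2)                # export soon after a new app is linked
ROW_THRESHOLD = 10_000                            # assumed bulk-export alert threshold


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "app_authorized" or "bulk_export"
    client_ip: str
    app: str         # connected app name as shown to the user
    obj: str         # Salesforce object for exports, empty otherwise
    rows: int


def parse_events(text):
    """Parse the constructed CSV into Event objects, oldest first."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines rather than crash
        ts, user, kind, ip, app, obj, rows = row
        events.append(Event(datetime.fromisoformat(ts), user, kind, ip, app, obj, int(rows or 0)))
    return sorted(events, key=lambda e: e.ts)


def is_trusted(ip):
    """True only if the client IP falls inside a configured trusted range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparsable client IP is treated as untrusted
    return any(addr in net for net in TRUSTED_RANGES)


def detect(events):
    """Return (rule, user, detail, detail) tuples for suspicious activity."""
    findings = []
    recent_auth = defaultdict(list)  # user -> [(ts, app)] authorizations seen
    for e in events:
        if e.kind == "app_authorized":
            recent_auth[e.user].append((e.ts, e.app))
            if not is_trusted(e.client_ip):
                findings.append(("untrusted_ip_authorization", e.user, e.app, e.client_ip))
            if e.app not in APPROVED_APPS:
                findings.append(("unapproved_app", e.user, e.app, e.client_ip))
        elif e.kind == "bulk_export":
            if e.rows >= ROW_THRESHOLD:
                findings.append(("large_export", e.user, e.obj, e.rows))
            if e.obj in SENSITIVE_OBJECTS:
                # Sensitive export shortly after the same user linked a new app
                for auth_ts, app in recent_auth[e.user]:
                    if timedelta(0) <= e.ts - auth_ts <= EXPORT_WINDOW:
                        findings.append(("sensitive_export_after_new_app", e.user, app, e.obj))
                        break
    return findings


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the constructed input, every finding lands on jdoe: the authorization of "My Ticket Portal" from an address outside the trusted range trips two rules, and the Account and Contact exports that follow trip both the row threshold and the "export soon after a new app" correlation, while asmith's approved Data Loader use from the office range produces nothing. The correlation rule is the one worth keeping even if thresholds are tuned, because a legitimate user rarely links a new connected app and then drains the customer tables within the same session.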
