A series of recent data breaches at global enterprises including Qantas, Allianz Life, LVMH, and Adidas has been traced back to the cyber extortion group ShinyHunters. The group is exploiting Salesforce-connected CRM systems using advanced voice phishing and social engineering techniques to steal customer data.
The activity was confirmed by Google’s Threat Intelligence Group (GTIG), which has been tracking the actors as UNC6040.
Voice Phishing Attacks Target Salesforce CRM Users
According to GTIG, ShinyHunters is conducting vishing (voice phishing) campaigns where attackers impersonate IT support staff during phone calls. The goal is to convince employees to visit Salesforce’s connected app setup page and input a “connection code”, which links a malicious OAuth app—disguised as Salesforce Data Loader—to their environment.
In some instances, the malicious app was renamed “My Ticket Portal” to avoid suspicion.
Additionally, credentials and multi-factor authentication (MFA) tokens were harvested using fake Okta login pages, part of broader phishing tactics observed in the same campaign.
“Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform,” a Salesforce spokesperson stated.
Confirmed Breaches Linked to Cloud CRM Access
Several companies have confirmed data breaches around the time of the reported attacks. Though not all have publicly named Salesforce, multiple indicators connect these incidents to Salesforce CRM usage:
- LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. reported unauthorized access to customer databases via third-party platforms.
- Qantas and Allianz Life disclosed CRM-related breaches, with Allianz confirming use of a third-party, cloud-based CRM system.
- Local reports and court documents tied the Qantas breach specifically to Salesforce.
Court filings revealed that threat actors accessed Salesforce objects such as Accounts and Contacts—further indicating misuse of the platform.
Silent Extortion Campaign Underway
So far, no stolen data has appeared on public leak sites. However, companies involved have received private extortion emails, with the actors identifying themselves as ShinyHunters. The group is demanding payment to avoid public disclosure.
This tactic mirrors ShinyHunters’ behavior in the Snowflake data-theft incidents, where data was later leaked after failed negotiations.
Distinguishing ShinyHunters from Scattered Spider
Although there has been confusion around attribution, GTIG and BleepingComputer have clarified distinctions between ShinyHunters (UNC6040) and Scattered Spider (UNC3944):
- ShinyHunters: Primarily engages in data theft and extortion via CRM platforms and phishing tactics.
- Scattered Spider: Tends to conduct full network compromises, including ransomware deployment.
Despite these differences, some researchers believe there is overlap in personnel and tactics between the two groups.
“The overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups,” said Allan Liska, Intelligence Analyst at Recorded Future.
There are also signs that both groups may share ties with former members of Lapsus$, the now-dismantled hacking collective.
The Possibility of Extortion-as-a-Service
There is growing speculation that ShinyHunters may be operating as an extortion-as-a-service provider, acting on behalf of other cybercriminals for a share of ransom payments. This theory is supported by previous claims from the group, where they positioned themselves not as attackers, but as data brokers.
ShinyHunters has been linked to several high-profile data thefts including:
- Snowflake
- PowerSchool
- Oracle Cloud
- NitroPDF
- Wattpad
- Mathway
- AT&T
Arrests tied to ShinyHunters-related incidents have taken place, but new extortion emails continue to surface, often referring to the group as a “collective”.
Salesforce Response and Security Recommendations
Salesforce confirmed it was not breached directly but emphasized the importance of strong user-side security measures. The company urges customers to follow these best practices:
- Enforce trusted IP ranges for logins
- Enable multi-factor authentication (MFA)
- Apply least privilege access for app permissions
- Monitor and restrict connected apps
- Use Salesforce Shield for threat detection and event monitoring
- Designate a Security Contact for incident alerts
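One way to act on the "monitor and restrict connected apps" recommendation is to review connected-app authorizations against an allowlist of approved apps and the OAuth client IDs they are expected to use. The following Python is an added example, not code from the article or from Salesforce: the record layout, user names, app names and client IDs are constructed for illustration, and the checks it runs (app not approved, an approved name under an unexpected client ID, a user-authorised app holding broad API scope) correspond to the look-alike Data Loader and "My Ticket Portal" pattern the article describes.

```python
from dataclasses import dataclass

# Approved connected apps and the client (consumer) ID each is expected to
# present. Values are constructed placeholders, not real Salesforce IDs.
APPROVED_APPS = {
    "Data Loader": "cid-dataloader-PLACEHOLDER",
    "Slack": "cid-slack-PLACEHOLDER",
}

# OAuth scopes that permit bulk reads of CRM objects such as Accounts and Contacts.
BROAD_SCOPES = {"api", "full"}

@dataclass
class AppAuthorization:
    """One connected-app authorization record (constructed layout)."""
    user: str
    app_name: str
    client_id: str
    installed_via: str  # "admin" or "user_connection_code"
    scopes: tuple

def review(auths):
    """Return [(user, app_name, [reasons])] for authorizations worth a look."""
    findings = []
    for a in auths:
        reasons = []
        expected = APPROVED_APPS.get(a.app_name)
        if expected is None:
            reasons.append("app not on allowlist")
        elif expected != a.client_id:
            # Same display name as an approved app but a different OAuth client:
            # the look-alike-app pattern described in the article.
            reasons.append("approved name but unexpected client ID")
        if a.installed_via == "user_connection_code" and BROAD_SCOPES & set(a.scopes):
            reasons.append("user-authorised app with broad API scope")
        if reasons:
            findings.append((a.user, a.app_name, reasons))
    return findings

# Constructed sample records; the last two show how the campaign would appear in such an export.
SAMPLE_AUTHS = [
    AppAuthorization("alice", "Data Loader", "cid-dataloader-PLACEHOLDER", "admin", ("api",)),
    AppAuthorization("dave", "Slack", "cid-slack-PLACEHOLDER", "admin", ("chatter_api",)),
    AppAuthorization("bob", "Data Loader", "cid-unknown-1", "user_connection_code", ("api", "refresh_token")),
    AppAuthorization("carol", "My Ticket Portal", "cid-unknown-2", "user_connection_code", ("full",)),
]

def sample_findings():
    return review(SAMPLE_AUTHS)
```

In a real org the records would come from the connected-app and OAuth usage views in Setup or from event monitoring exports; the allowlist should hold the client IDs of apps the administrator actually installed.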
More guidance is available at: Salesforce Blog: Protect Against Social Engineering