Allianz Life faces a major data exposure after hackers leaked databases stolen in ongoing Salesforce data theft attacks. The dump contains about 2.8 million records tied to both individual customers and business partners. The leak follows Allianz Life’s disclosure last month that personal information for the “majority” of its 1.4 million customers was taken from a third-party cloud CRM on July 16. While the provider wasn’t named, the incident aligns with a broader wave of Salesforce-targeted thefts attributed to the ShinyHunters collective.
Scope of the Allianz Life Data Breach and What the Leaked Databases Contain
Threat actors released what they describe as complete Salesforce “Accounts” and “Contacts” tables taken from Allianz Life’s CRM instances. The data covers customers and business partners such as wealth management firms, brokers, and financial advisors—about 2.8 million records in total.
The leaked Salesforce data includes:
- Names, postal addresses, phone numbers, email addresses, and dates of birth
- Tax Identification Numbers
- Professional details, including licenses, firm affiliations, product approvals, and marketing classifications
Multiple people confirmed their entries are accurate, including phone numbers, email addresses, tax IDs, and other profile details. Allianz Life said it cannot comment while the investigation is ongoing.
How the Salesforce Data Theft Attacks Were Carried Out
The Salesforce data theft campaign is believed to have started early this year. According to available details, the attackers used social engineering to trick employees into authorizing a malicious OAuth application against company Salesforce tenants. Once the OAuth app was linked, the adversaries used the connection to download CRM databases. They then sent email extortion demands, signed as ShinyHunters.
ShinyHunters has a track record of targeting cloud SaaS applications and website databases. These Salesforce intrusions involved hands-on social engineering, prompting some researchers and media to associate parts of the campaign with Scattered Spider.
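The attack chain above (a user authorizes an unapproved connected app, which then bulk-exports the Accounts and Contacts tables) leaves a recognizable pattern in tenant audit data. The following is an added detection sketch, not code from the article or from Salesforce; the event records, field names, allowlist and thresholds are constructed assumptions, not the real Salesforce event schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit feed (assumed field names, not Salesforce's own
# schema): connected-app authorizations and bulk exports, attributed to the app.
EVENTS = [
    {"ts": "2025-07-16T09:02:00", "type": "app_authorized", "user": "advisor1",
     "app": "Data Loader Helper", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-07-16T09:15:00", "type": "bulk_export", "user": "advisor1",
     "app": "Data Loader Helper", "object": "Account", "rows": 900_000},
    {"ts": "2025-07-16T09:40:00", "type": "bulk_export", "user": "advisor1",
     "app": "Data Loader Helper", "object": "Contact", "rows": 1_900_000},
    {"ts": "2025-07-16T10:00:00", "type": "bulk_export", "user": "reports_svc",
     "app": "Approved Analytics", "object": "Account", "rows": 50_000},
]

APPROVED_APPS = {"Approved Analytics"}        # assumed connected-app allowlist
SENSITIVE_OBJECTS = {"Account", "Contact"}    # the tables named in the leak
ROW_THRESHOLD = 100_000                       # assumed per-export volume alarm
WINDOW = timedelta(hours=24)                  # authorization-to-export window

def flag_oauth_exfil(events, approved=APPROVED_APPS,
                     threshold=ROW_THRESHOLD, window=WINDOW):
    """Return findings for apps authorized outside the allowlist that then
    export large volumes of Account/Contact rows within the window."""
    authorized = {}   # app -> (authorization time, authorizing user, scopes)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        app = ev["app"]
        if ev["type"] == "app_authorized" and app not in approved:
            # Record first sighting of a non-allowlisted app grant
            authorized.setdefault(app, (ts, ev["user"], ev["scopes"]))
        elif ev["type"] == "bulk_export" and app in authorized:
            auth_ts, auth_user, scopes = authorized[app]
            if (ev["object"] in SENSITIVE_OBJECTS and ev["rows"] >= threshold
                    and ts - auth_ts <= window):
                findings.append({
                    "app": app, "object": ev["object"], "rows": ev["rows"],
                    "authorized_by": auth_user, "scopes": scopes,
                    "minutes_after_grant": int((ts - auth_ts).total_seconds() // 60),
                })
    return findings

if __name__ == "__main__":
    for f in flag_oauth_exfil(EVENTS):
        print(f)
```

In a real tenant the same logic would run over Event Monitoring or Setup Audit Trail exports, and the allowlist would be enforced upstream by restricting which connected apps users may self-authorize.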
ShinyHunters, Scattered Spider, and Lapsus$ All Claim Credit
Over the weekend, a Telegram channel titled “ScatteredLapsuSp1d3rHunters” appeared, where ShinyHunters and other actors claiming overlap with Scattered Spider and Lapsus$ taunted researchers, law enforcement, and journalists while taking credit for a series of high-profile breaches. Some incidents had not been previously attributed, including attacks on Internet Archive, Pearson, and Coinbase. The actors also claimed responsibility for Allianz Life and released the CRM databases said to be taken from its Salesforce environment.
“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same.”
“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
Attribution Remains Unsettled After Arrests Linked to All Three Groups
Members behind these brands are believed to share roots with Lapsus$, the group responsible for a run of breaches in 2022–2023 that hit Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was adept at social engineering and SIM-swap techniques, allowing it to bypass defenses at very large enterprises. There have been multiple arrests associated with all three collectives over the past two years, leaving open whether today’s operators are original members, new actors using the names, or false-flag copycats.
Allianz Life’s Current Position
Allianz Life previously disclosed the third-party CRM breach affecting the “majority” of its 1.4 million customers on July 16 and now faces publication of roughly 2.8 million CRM records. The company says it cannot comment further while the investigation continues.