
Salesforce data theft attacks (ShinyHunter)

WRANCORP Research Team

A wave of data breaches impacting global companies like Google, Qantas, Allianz Life, LVMH, Dior, Tiffany & Co., and Adidas has been linked to the ShinyHunters extortion group.

According to Google’s Threat Intelligence Group (GTIG), the campaign — tracked as UNC6040 (the vishing intrusions and data theft) and UNC6240 (the follow-on extortion) — targets Salesforce CRM customers through vishing (voice phishing) and credential phishing rather than any flaw in Salesforce itself.

How the Attack Works

  1. Social Engineering via Vishing

    • Threat actors call employees while impersonating internal IT support.

    • Victims are talked into opening the Salesforce Connected App setup page in their own org.

  2. Malicious Connected App

    • Attackers read out a “connection code” for the victim to enter. Entering it authorizes an attacker-controlled OAuth app (a modified version of Salesforce’s Data Loader) to act on the org with the victim’s permissions.

    • The app is sometimes named “My Ticket Portal” so that the authorization looks like a routine helpdesk tool.

  3. Credential & MFA Theft

    • In parallel, phishing pages mimicking Okta login portals were used to capture credentials and one-time MFA codes, giving the attackers a second route into the org.

  4. Data Exfiltration

    • Using the app’s API access, attackers queried the Salesforce “Account” and “Contact” objects in bulk and extracted customer records.

  5. Extortion Phase

    • Instead of immediate leaks, ShinyHunters attempted private extortion via email.

    • If unsuccessful, leaks are expected later, mirroring their Snowflake data-theft campaign.

Who is ShinyHunters?

  • Origin: First appeared in 2020.

  • Specialty: Large-scale data theft and extortion campaigns.

  • Past Breaches: Snowflake, AT&T, Wattpad, Mathway, PowerSchool, and more.

  • Structure: Believed to overlap with Scattered Spider (UNC3944) and The Com cybercriminal community.

  • Operations: Sometimes act as extortion-as-a-service, selling stolen data on behalf of others.

  • Notable: Despite multiple arrests, the group remains active and refers to itself as a collective, ensuring continuity.

Protecting Salesforce Instances

Salesforce confirmed its platform was not breached: no vulnerability was exploited. The weakness lies in customer-side account security, in users being able to authorize arbitrary connected apps, and in social engineering.

Recommended Defenses:

  1. Enforce MFA across all accounts. Note that MFA alone did not stop this campaign: victims were already logged in when they authorized the malicious app, and the Okta-themed phishing pages captured one-time codes. Phishing-resistant factors (FIDO2/security keys) close the second gap; the first needs the controls below.

  2. Restrict connected app usage and review permissions. Require admin pre-approval for connected apps (“Admin approved users are pre-authorized”) so users cannot self-authorize an app by entering a code, and periodically review the OAuth apps and tokens active in the org.

  3. Apply least privilege for Salesforce roles and apps. Limit who can run bulk exports of Account and Contact data, and scope connected apps to the objects and operations they actually need.

  4. Configure trusted IP ranges for logins. Login IP ranges on profiles and org-wide trusted ranges make a stolen token or password far less useful from an attacker’s infrastructure.

  5. Enable Salesforce Shield Event Monitoring for anomaly detection. Alert on new connected-app authorizations and on unusually large API reads of customer objects.

  6. Add a designated security contact so that Salesforce and partner alerts about suspicious activity reach someone who can act on them.

Full Salesforce advisory: Protect Against Social Engineering
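The detection side of recommendations 2, 4 and 5 can be exercised offline. The script below is an added example written for this article, not Salesforce code and not part of the advisory. It runs two checks over constructed sample data: connected apps with live OAuth tokens that are not on an approved list, and users reading more than a threshold of Account/Contact rows per hour from an address outside the org’s trusted ranges. Record keys are modeled on the fields of Salesforce’s OauthToken object and EventLogFile “API” events, but the approved-app list, trusted ranges, threshold and all rows are assumptions chosen for illustration; map them to your org’s real export before use.

```python
"""Triage the pattern described above: an unfamiliar connected app is
authorized, then customer objects are read in bulk from an untrusted IP."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Assumed org policy (hypothetical values; take the real ones from Setup).
APPROVED_APPS = {"Salesforce Mobile", "Salesforce for Outlook"}
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_OBJECTS = {"Account", "Contact"}
BULK_READ_THRESHOLD = 5_000  # rows per user, per source IP, per hour

# Constructed sample data. Keys are modeled on Salesforce's OauthToken
# object and EventLogFile "API" event columns (an assumption; confirm
# against your org's export). 005B2 authorizes an unapproved app and then
# bulk-reads customer data; 005C3 bulk-reads via a familiar client name
# but from an untrusted address; 005A1 is normal use from a trusted range.
OAUTH_TOKENS = [
    {"AppName": "Salesforce Mobile", "UserId": "005A1", "CreatedDate": "2025-08-01T08:00:00Z"},
    {"AppName": "My Ticket Portal", "UserId": "005B2", "CreatedDate": "2025-08-05T13:42:00Z"},
]
API_EVENTS = [
    {"TIMESTAMP_DERIVED": "2025-08-05T13:50:11Z", "USER_ID": "005B2", "CLIENT_IP": "198.51.100.77",
     "CLIENT_NAME": "My Ticket Portal", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 2000, "METHOD_NAME": "query"},
    {"TIMESTAMP_DERIVED": "2025-08-05T13:55:02Z", "USER_ID": "005B2", "CLIENT_IP": "198.51.100.77",
     "CLIENT_NAME": "My Ticket Portal", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": 4000, "METHOD_NAME": "query"},
    {"TIMESTAMP_DERIVED": "2025-08-05T13:57:40Z", "USER_ID": "005B2", "CLIENT_IP": "198.51.100.77",
     "CLIENT_NAME": "My Ticket Portal", "ENTITY_NAME": "Case", "ROWS_PROCESSED": 12000, "METHOD_NAME": "query"},
    {"TIMESTAMP_DERIVED": "2025-08-05T14:10:30Z", "USER_ID": "005A1", "CLIENT_IP": "203.0.113.20",
     "CLIENT_NAME": "Salesforce Mobile", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": 8000, "METHOD_NAME": "query"},
    {"TIMESTAMP_DERIVED": "2025-08-05T14:20:30Z", "USER_ID": "005C3", "CLIENT_IP": "198.51.100.9",
     "CLIENT_NAME": "Data Loader", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 9000, "METHOD_NAME": "query"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted_ip(ip, trusted=TRUSTED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def unapproved_connected_apps(tokens=OAUTH_TOKENS, approved=APPROVED_APPS):
    """Live OAuth tokens for apps nobody approved. The 'connection code'
    step in the campaign produces exactly such a token."""
    return [t for t in tokens if t["AppName"] not in approved]


def bulk_reads_from_untrusted_ips(events=API_EVENTS, threshold=BULK_READ_THRESHOLD):
    """Sum rows read per (user, source IP, hour) on sensitive objects from
    untrusted addresses; return the buckets at or above the threshold."""
    buckets = defaultdict(lambda: {"rows": 0, "clients": set(), "objects": set()})
    for e in events:
        if e["ENTITY_NAME"] not in SENSITIVE_OBJECTS or is_trusted_ip(e["CLIENT_IP"]):
            continue
        hour = parse_ts(e["TIMESTAMP_DERIVED"]).strftime("%Y-%m-%dT%H")
        b = buckets[(e["USER_ID"], e["CLIENT_IP"], hour)]
        b["rows"] += int(e["ROWS_PROCESSED"])
        b["clients"].add(e["CLIENT_NAME"])
        b["objects"].add(e["ENTITY_NAME"])
    return [
        {"user": u, "ip": ip, "hour": h, "rows": b["rows"],
         "clients": sorted(b["clients"]), "objects": sorted(b["objects"])}
        for (u, ip, h), b in sorted(buckets.items()) if b["rows"] >= threshold
    ]


def correlate(tokens=OAUTH_TOKENS, events=API_EVENTS):
    """Highest priority: users who both authorized an unapproved app and
    then bulk-read customer data from outside the trusted ranges."""
    suspect_users = {t["UserId"] for t in unapproved_connected_apps(tokens)}
    return [f for f in bulk_reads_from_untrusted_ips(events) if f["user"] in suspect_users]


if __name__ == "__main__":
    for t in unapproved_connected_apps():
        print(f"unapproved app: {t['AppName']} (user {t['UserId']}, created {t['CreatedDate']})")
    for f in bulk_reads_from_untrusted_ips():
        print(f"bulk read: user {f['user']} from {f['ip']} at {f['hour']}: "
              f"{f['rows']} rows of {f['objects']} via {f['clients']}")
    for f in correlate():
        print(f"PRIORITY: user {f['user']} authorized an unapproved app and exported customer data")
```

The “Case” rows for 005B2 are deliberately ignored: the rule is scoped to the objects the campaign targeted, which keeps noise down but means an attacker pulling other objects needs a separate rule. The 005A1 export from a trusted range is also not flagged, which is the point of recommendation 4: IP trust turns a bulk read into a question of whether that address should be there at all.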

WRANCORP Insight

This campaign highlights the growing risk of SaaS-targeted attacks. Instead of breaking into networks directly, attackers exploit human trust and permissive SaaS settings, such as letting any user authorize a connected app, to obtain legitimate-looking API access.

For African businesses increasingly adopting Salesforce and other SaaS CRMs, vigilance is critical.

  • Train employees to spot vishing and phishing tactics.

  • Implement strong SaaS governance and monitoring.

  • Consider threat intelligence monitoring for data-leak sites tied to ShinyHunters.

Final Note

ShinyHunters is not just another hacker crew; it is an active, evolving extortion operation that adapts quickly. The Salesforce campaign proves once again that the weakest link is not the software but the human operator.
