Digital Event Horizon
A Scam of Unparalleled Success: The ShinyHunters' Tactic of Phishing and Exploitation on Salesforce
The ShinyHunters campaign against Salesforce customers has been making waves in the cybersecurity world, with companies such as Google falling victim to it. Learn more about the tactics used by ShinyHunters and how you can protect your business from these types of attacks.
ShinyHunters, a new threat actor group, has been exploiting vulnerabilities in Salesforce CRM software to gain unauthorized access to high-value business data. The group has successfully phished employees into divulging sensitive information using social engineering tactics. Prior victims include companies such as Adidas, Qantas, Allianz Life, Cisco, and LVMH subsidiaries. Google itself was also a victim of this scam, with data retrieved during a small window of time before access was cut off. ShinyHunters is linked to two distinct groups: UNC6040 and ShinyHunters, with the latter engaging in extortion activities. Companies must audit their Salesforce instances and implement multifactor authentication to prevent unauthorized access.
In recent months, a new threat actor group known as ShinyHunters has been making waves in the cybersecurity world. Dubbed "ShinyHunters" due to their brazen tactics, this group has been successfully exploiting vulnerabilities in popular CRM software Salesforce to gain unauthorized access to high-value business data.
According to reports from Bleeping Computer, companies such as Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. have fallen victim to this campaign. The ShinyHunters group has been using a cunning tactic to gain access to these accounts: pretending to be someone in the customer's IT department.
The attackers contact employees and instruct them to connect an external app to their Salesforce instance. Once connected, they ask for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.
This campaign of phishing and exploitation is remarkably successful due to its simplicity. Rather than exploiting software or website vulnerabilities, ShinyHunters relies on social engineering tactics to trick employees into divulging sensitive information.
In June, Google announced that it had discovered a campaign involving the mass compromise of accounts belonging to Salesforce customers. However, in a surprising twist, Google itself was also a victim of this scam. The breach occurred in June but was only disclosed two months later, reportedly due to the company's recent discovery of the campaign.
An investigation by Google revealed that data was retrieved by the threat actor during a small window of time before access was cut off. The information the attackers were able to access was business information such as business names and contact details, which is largely public already.
Google attributed the attacks to two distinct groups: UNC6040 and ShinyHunters. The first group, UNC6040, has been linked to a series of data breaches involving financially motivated threat actors. The second group, ShinyHunters, brands itself under the name "ShinyHunters" and has been engaging in extortion activities.
Google warned that, in addition to its phishing tactics, ShinyHunters may be preparing to escalate its extortion tactics by launching a data leak site (DLS). This new tactic is likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.
As the threat landscape continues to evolve, companies must take proactive steps to protect themselves from these types of attacks. All Salesforce customers should carefully audit their instances to see which external sources have access to them, and implement multifactor authentication to prevent unauthorized access.
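One way to carry out the audit recommended above, shown as an added example that is not from the original article or from Salesforce: the script reads an export of connected-app authorizations and lists every app that is not on a reviewed allowlist, with the users who authorized it. The export layout, column names, app names and allowlist are all constructed assumptions for this sketch.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export of connected-app authorizations. The column names
# are assumptions for this example, not a documented Salesforce report layout.
SAMPLE_EXPORT = """app_name,username,authorized_at,use_count
Approved Email Sync,alice@example.com,2025-01-14T09:12:00,412
Approved Reporting Tool,bob@example.com,2025-03-02T11:40:00,57
Legacy Export Utility,erin@example.com,2025-02-10T08:00:00,20
Unreviewed Helper App,carol@example.com,2025-06-18T15:03:00,3
Unreviewed Helper App,Dave@example.com,2025-06-18T15:21:00,9
"""

# Apps the organisation has reviewed and approved (hypothetical allowlist).
APPROVED_APPS = {"approved email sync", "approved reporting tool"}


def audit_connected_apps(export_text, approved=APPROVED_APPS):
    """Return unapproved apps with the users who authorized them, newest first."""
    findings = defaultdict(lambda: {"users": set(), "first_seen": None, "uses": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["app_name"].strip()
        if name.lower() in approved:
            continue  # reviewed app, nothing to report
        when = datetime.fromisoformat(row["authorized_at"])
        entry = findings[name]
        entry["users"].add(row["username"].strip().lower())
        entry["uses"] += int(row["use_count"])
        if entry["first_seen"] is None or when < entry["first_seen"]:
            entry["first_seen"] = when
    report = [
        {"app": name, "users": sorted(e["users"]),
         "first_seen": e["first_seen"], "uses": e["uses"]}
        for name, e in findings.items()
    ]
    # Most recently introduced apps first: those are the ones to review soonest.
    return sorted(report, key=lambda r: r["first_seen"], reverse=True)


if __name__ == "__main__":
    for finding in audit_connected_apps(SAMPLE_EXPORT):
        print(f"{finding['app']}: authorized by {', '.join(finding['users'])} "
              f"since {finding['first_seen']:%Y-%m-%d %H:%M}, {finding['uses']} uses")
```

Each user listed against an unapproved app is someone to ask whether they were contacted by a caller claiming to be from IT before they authorized it.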
Related Information:
https://www.digitaleventhorizon.com/articles/A-Scam-of-Unparalleled-Success-The-ShinyHunters-Tactic-of-Phishing-and-Exploitation-on-Salesforce-deh.shtml
https://arstechnica.com/information-technology/2025/08/google-sales-data-breached-in-the-same-scam-it-discovered/
Published: Thu Aug 7 16:40:14 2025 by llama3.2 3B Q4_K_M