ShinyHunters in the support of Salesforce info theft attacks at Qantas, Allianz Life, and LVMH
Scam detection
A wave of information breaches impacting firms like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion community, which has been the usage of issue phishing attacks to snatch info from Salesforce CRM conditions.
In these attacks, the threat actors impersonated IT toughen workers in cellphone calls to centered workers, making an try to persuade them into visiting Salesforce’s linked app setup internet page. On this internet page, they were advised to enter a “connection code”, which linked a malicious version of Salesforce’s Knowledge Loader OAuth app to the target’s Salesforce atmosphere.
In some conditions, the Knowledge Loader recount used to be renamed to “My Ticket Portal,” to fabricate it extra convincing in the attacks.
Counseled to enter connection code Offer: Google
GTIG says that these attacks were in general completed through vishing (issue phishing), however credentials and MFA tokens were also stolen through phishing pages that impersonated Okta login pages.
Around the time of this record, a pair of firms reported info breaches engrossing third-occasion customer provider or cloud-based mostly CRM systems.
Adidas, Qantas, and Allianz Life also reported breaches engrossing third-occasion systems, with Allianz confirming it used to be a third-occasion customer relationship administration platform.
“On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life),” an Allianz Life spokesperson advised BleepingComputer.
While BleepingComputer has realized that the Qantas info breach also enthusiastic a third-occasion customer relationship administration platform, the corporate will now not ascertain it is Salesforce. Alternatively, previous reporting from local media claims the info used to be stolen from Qantas’ Salesforce instance.
Moreover, courtroom documents issue that the threat actors centered “Accounts” and “Contacts” database tables, each of which are Salesforce objects.
While none of these firms assemble publicly named Salesforce, BleepingComputer has since confirmed that every were centered in the identical advertising and marketing campaign detailed by Google.
The attacks assemble no longer ended in public extortion or info leaks but, with BleepingComputer studying that the threat actors try to privately extort firms over email, the set they name themselves as ShinyHunters.
It is believed that as soon as these extortion attempts fail, the threat actors will open stolen records in a lengthy wave of leaks, identical to ShinyHunter’s previous Snowflake attacks.
Scam detection Who’s ShinyHunters
The breaches assemble triggered confusion amongst the cybersecurity community and the media, including BleepingComputer, with the attacks attributed to Scattered Spider (tracked by Mandiant as UNC3944), as these threat actors were also focused on the aviation, retail, and insurance sectors around the identical time and demonstrated identical ways.
Alternatively, threat actors associated with Scattered Spider have a tendency to price plump-blown network breaches, culminating with info theft and, generally, ransomware. ShinyHunters, tracked as UNC6040, on the varied hand, tends to point of interest extra on info-theft extortion attacks focused on a particular cloud platform or internet software program.
It is BleepingComputer’s and some safety researchers’ perception that every UNC6040 and UNC3944 consist of overlapping members that keep in touch interior the identical on-line communities. The threat community will be believed to overlap with “The Com,” a network of experienced English-speaking cybercriminals.
“According to Recorded Future intelligence, the overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups,” Allan Liska, an Intelligence Analyst for Recorded Future, advised BleepingComputer.
Other researchers assemble advised BleepingComputer that ShinyHunters and Scattered Spider seem like working in lockstep, focused on the identical industries at the identical time, making it more durable to attribute attacks.
One more theory is that ShinyHunters is acting as an extortion-as-a-provider, the set they extort firms on behalf of quite a lot of threat actors in replace for a income half, identical to how ransomware-as-a-provider gangs operate.
This theory is supported by previous conversations BleepingComputer has had with ShinyHunters, the set they claimed no longer to be in the support of a breach, however simply acting because the vendor of the stolen info.
Yet even after these arrests, unique attacks occur with firms receiving extortion emails stating, “We are ShinyHunters,” relating to themselves as a “collective.”
Scam detection Retaining Salesforce conditions from attacks
In a assertion to BleepingComputer, Salesforce emphasised that the platform itself used to be no longer compromised, however rather, customers’ accounts are being breached through social engineering.
“Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks,” Salesforce advised BleepingComputer.
CISOs know that getting board aquire-in starts with a transparent, strategic look of how cloud safety drives trade ticket.
This free, editable board record deck helps safety leaders show conceal threat, impact, and priorities in positive trade terms. Turn safety updates into meaningful conversations and sooner decision-making in the boardroom.
