
Introduction: A New Frontier in Cyberattacks
A wave of data breaches is hitting some of the world’s most prominent companies, including Qantas, Allianz Life, LVMH, and Adidas. The attacks, attributed to the cybercriminal group ShinyHunters, rely not on a new software exploit but on voice phishing (vishing) aimed at Salesforce Customer Relationship Management (CRM) tenants: an employee is talked into authorizing an attacker-controlled app, and the attacker then exports the data. Unlike intrusions that exploit software vulnerabilities, these attacks manipulate human trust, using social engineering to get past corporate defenses. The result is exposure of sensitive customer data and urgent questions about how securely widely used cloud platforms are configured.
Rising Tide of Breaches Hits Giants
Since mid-2025, ShinyHunters has been linked to multiple breaches involving third-party CRM platforms, particularly Salesforce. Google’s Threat Intelligence Group (GTIG) identified a threat actor it tracks as UNC6040 targeting Salesforce customers through vishing (voice phishing) campaigns. Callers impersonate IT support and walk employees through Salesforce’s connected app setup page, where they enter a “connection code.” That code completes the OAuth authorization of a malicious, modified copy of Salesforce’s Data Loader, presented under the name “My Ticket Portal” to look legitimate; the app then holds the employee’s permissions and is used to export data in bulk.
Multiple luxury and retail giants like LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to customer databases. Tiffany Korea specifically cited breaches via vendor platforms managing customer data. Meanwhile, Adidas, Qantas, and Allianz Life reported incidents involving third-party CRM systems, with Allianz Life confirming a breach in a cloud-based CRM platform.
Court documents and local media reports connect these breaches to Salesforce environments and show that the attackers focused on Salesforce objects such as Account and Contact. Salesforce itself has not been compromised; the attackers’ social engineering has instead circumvented the customers’ own controls, and in some cases they have stolen credentials and one-time MFA codes with phishing pages that imitate Okta login portals.
Notably, despite the scale of the theft, ShinyHunters has not yet publicly leaked the stolen data or deployed ransomware. Instead, the group extorts victims privately by email, threatening to release the data if they do not pay. This matches the group’s modus operandi in the 2024 Snowflake data-theft campaign and suggests a wave of leaks if demands go unmet.
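To make the detection side of this concrete, here is an added example (not code from the original article, from Google, or from Salesforce) that correlates connected-app authorizations with large bulk exports of customer objects, the two observable steps of the chain described above. The log format, field names, row threshold, correlation window and the approved-app list are all assumptions constructed for the example; in a real org these events would be built from Salesforce Event Monitoring (EventLogFile) rows and the Setup Audit Trail or OauthToken data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Objects the article says the attackers exported, extended with two more
# customer-data objects a practitioner would typically watch.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity"}
# Assumed allow-list of connected apps the (hypothetical) org has approved.
APPROVED_APPS = {"Salesforce for Outlook", "Marketing Cloud Connect"}
ROW_THRESHOLD = 10_000          # assumed: exports above this size get triaged
WINDOW = timedelta(hours=24)    # assumed: how far back to look for an authorization

# Constructed sample log. Columns (an assumed normalised format, not Salesforce's
# EventLogFile schema): timestamp,kind,user,client_ip,app_name,entity,rows
SAMPLE_LOG = """
2025-06-10T09:15:00Z,app_authorized,j.lee,198.51.100.4,Salesforce for Outlook,,
2025-06-10T10:00:00Z,bulk_export,j.lee,198.51.100.4,,Contact,250
2025-06-10T14:02:11Z,app_authorized,u.martin,203.0.113.9,My Ticket Portal,,
2025-06-10T14:31:45Z,bulk_export,u.martin,203.0.113.9,,Account,48213
2025-06-10T14:40:02Z,bulk_export,u.martin,203.0.113.9,,Contact,112877
2025-06-11T08:00:00Z,bulk_export,a.kim,192.0.2.77,,Account,30000
"""


@dataclass
class Event:
    ts: datetime
    kind: str       # "app_authorized" or "bulk_export"
    user: str
    ip: str
    app: str        # connected app display name (app_authorized only)
    entity: str     # exported object (bulk_export only)
    rows: int       # rows exported (bulk_export only)


def parse_line(line: str) -> Event:
    ts, kind, user, ip, app, entity, rows = line.strip().split(",")
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 kind, user, ip, app, entity, int(rows or 0))


def load_events(text: str) -> list[Event]:
    """Parse and sort by time so the correlation below only looks backwards."""
    return sorted((parse_line(l) for l in text.strip().splitlines()),
                  key=lambda e: e.ts)


def unapproved_authorizations(events: list[Event]) -> list[Event]:
    """Every OAuth authorization of an app that is not on the allow-list.
    A renamed Data Loader ("My Ticket Portal") never matches the list."""
    return [e for e in events
            if e.kind == "app_authorized" and e.app not in APPROVED_APPS]


def suspicious_exports(events: list[Event]) -> list[dict]:
    """Large exports of customer objects, raised to 'high' when the same user
    authorized an unapproved app within WINDOW before the export."""
    auths = unapproved_authorizations(events)
    alerts = []
    for e in events:
        if (e.kind != "bulk_export" or e.entity not in SENSITIVE_OBJECTS
                or e.rows < ROW_THRESHOLD):
            continue
        linked = [a for a in auths
                  if a.user == e.user and timedelta(0) <= e.ts - a.ts <= WINDOW]
        alerts.append({
            "user": e.user, "entity": e.entity, "rows": e.rows, "ip": e.ip,
            "severity": "high" if linked else "medium",
            "linked_app": linked[-1].app if linked else None,
        })
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for a in unapproved_authorizations(evs):
        print(f"[auth] {a.user} authorized unapproved app '{a.app}' from {a.ip}")
    for al in suspicious_exports(evs):
        print(f"[{al['severity']}] {al['user']} exported {al['rows']} "
              f"{al['entity']} rows from {al['ip']} (linked app: {al['linked_app']})")
```

On the constructed sample, the two exports by u.martin are raised to high because they follow the “My Ticket Portal” authorization within the window, a.kim’s export is medium (large but with no correlated authorization), and j.lee’s small export through an approved app is not reported. The authorization alert alone is worth paging on: a user self-authorizing an app that is not on the allow-list is exactly the moment the vishing call succeeds, before any rows leave the org.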
What Undercode Say: The Anatomy and Impact of ShinyHunters’ Campaign
The ShinyHunters campaign shows how criminal tradecraft now combines tooling with psychological manipulation. Rather than exploiting a software vulnerability, these intrusions exploit trust and familiarity with IT support routines. Vishing itself is not new, but using it as the primary vector to obtain an OAuth authorization in cloud SaaS environments such as Salesforce, which many corporations rely on for customer data, makes it a serious threat.
Disguising a malicious app as a legitimate Salesforce tool (“My Ticket Portal”) reflects practised social engineering and in-depth knowledge of Salesforce’s ecosystem. Because the app receives an OAuth token carrying the victim user’s own permissions, nothing in Salesforce’s core infrastructure is breached; the security burden falls on the customer’s connected app policies, permission sets and internal vigilance.
Complicating attribution, researchers observe overlapping tactics and targets between the ShinyHunters-branded activity (UNC6040) and another group, Scattered Spider (UNC3944), suggesting shared members or coordinated operations. Both groups focus on industries such as aviation, retail, and insurance, which makes the threats harder to isolate and mitigate. Connections to the defunct Lapsus$ hacking group further indicate that former members of that crew have migrated and diversified their criminal activities.
The theory that ShinyHunters operates an extortion-as-a-service model is particularly concerning. This business-like approach to cybercrime allows smaller or less technically skilled actors to profit from stolen data by outsourcing extortion operations, multiplying the impact of each breach. It also explains why arrests have not quelled activity attributed to ShinyHunters—new members or subcontractors continue the cycle under the same brand.
Salesforce’s response underscores the critical role of user awareness and security hygiene. However well the platform itself is secured, customers remain exposed when social engineering persuades an employee to grant access. The platform’s advice, to enforce MFA, restrict app and API permissions, manage connected apps carefully (admin pre-approval rather than letting any user self-authorize an app), and use Salesforce Shield event monitoring, represents sound practice, but it also highlights the limits of technical controls when the human in the loop is the one being exploited.
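As an added example (not Salesforce’s own tooling or guidance, and not part of the article), here is a small posture check over a constructed model of an org’s connected-app settings. The attack chain works only if an ordinary user may self-authorize an app that can call the API; the audit flags that condition, together with IP relaxation and a disabled org-level API access control. The field names and values (permitted_users, ip_relaxation, api_access_control) are assumptions standing in for the real settings, which live in Setup and the Metadata API; the scope names follow Salesforce’s published OAuth scope list.

```python
from dataclasses import dataclass

# OAuth scopes that let a connected app read or export records through the API.
DATA_SCOPES = {"api", "full", "refresh_token"}


@dataclass
class ConnectedApp:
    name: str
    permitted_users: str   # assumed values: "AllUsers" (self-authorize) or "AdminApproved"
    ip_relaxation: str     # assumed values: "Enforce" (login IP ranges apply) or "Relax"
    scopes: set


@dataclass
class OrgPosture:
    api_access_control: bool   # assumed model of the org-level "API Access Control" setting
    apps: list


def audit(posture: OrgPosture) -> list[tuple[str, str]]:
    """Return (subject, issue) findings for settings that let a vished user
    hand a data-capable app to an attacker without an admin ever approving it."""
    findings = []
    if not posture.api_access_control:
        findings.append(("org", "API Access Control off: any user can self-authorize "
                                "an app that can call the API"))
    for app in posture.apps:
        exposed = app.scopes & DATA_SCOPES
        if app.permitted_users == "AllUsers" and exposed:
            findings.append((app.name,
                             f"self-authorizable with data scopes {sorted(exposed)}"))
        if app.ip_relaxation != "Enforce":
            findings.append((app.name, "IP relaxation lets it bypass login IP ranges"))
    return findings


# Constructed sample: one renamed export tool that a vished employee could
# self-authorize, plus two apps an admin manages.
SAMPLE_POSTURE = OrgPosture(
    api_access_control=False,
    apps=[
        ConnectedApp("My Ticket Portal", "AllUsers", "Relax", {"api", "refresh_token"}),
        ConnectedApp("Marketing Cloud Connect", "AdminApproved", "Enforce",
                     {"api", "refresh_token"}),
        ConnectedApp("Field Service Mobile", "AllUsers", "Enforce", {"web"}),
    ],
)

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_POSTURE):
        print(f"{subject}: {issue}")
```

The admin-approved app is not reported even though it holds the same scopes, because a user cannot hand it to a caller; the mobile app is self-authorizable but has no API scope. Flipping “My Ticket Portal” to admin approval, or turning on org-level API access control, empties the findings, which is the state the attack chain above cannot start from.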
For companies using cloud-based CRM systems, these attacks serve as a stark reminder that data security is a shared responsibility. The trust employees place in phone calls or emails can be weaponized, making ongoing security training, phishing simulations, and strict access controls essential. As cloud adoption grows, so does the attack surface, requiring continuous vigilance.
The breaches also expose wider risks in the third-party vendor ecosystem. Many companies depend on external platforms and services that, if compromised, can cascade vulnerabilities across industries. Transparency about breaches and proactive communication with customers are vital to maintain trust and manage fallout.
Looking ahead, the trend of voice phishing combined with targeted cloud platform exploitation is likely to grow. Cybercriminals have found a lucrative method that bypasses many traditional defenses, and their ability to monetize stolen data through extortion-as-a-service will drive further attacks.
🔍 Fact Checker Results
✅ ShinyHunters are confirmed as a threat group involved in recent CRM-related breaches.
✅ Google’s Threat Intelligence Group has publicly reported these voice phishing campaigns.
❌ The claim that Salesforce itself was compromised is false: the attacks rely on social engineering, not on a platform vulnerability.
📊 Prediction: What Lies Ahead in Cloud CRM Security?
The ongoing ShinyHunters campaign signals a paradigm shift in cyber threats targeting cloud ecosystems. Expect voice phishing and social engineering to rise as attackers increasingly leverage psychological tactics over technical exploits. As attackers refine methods to bypass MFA and impersonate trusted apps, companies will need to adopt layered security approaches combining technology, employee training, and rapid incident response.
The extortion-as-a-service model employed by ShinyHunters could inspire other cybercriminal groups, leading to a surge in coordinated extortion campaigns targeting SaaS platforms. Cloud providers like Salesforce will face mounting pressure to enhance platform-integrated protections against fraudulent OAuth authorizations and suspicious app installations.
For enterprises, investing in advanced threat detection tools, strict access policies, and continuous user education will become non-negotiable. Collaboration between cloud providers, security researchers, and law enforcement will be essential to dismantle these overlapping threat groups and prevent data leaks that could undermine customer trust on a massive scale.
In sum, the ShinyHunters saga underscores the urgent need to rethink cloud security beyond code—human factors and sophisticated social attacks have become the weakest link, and addressing them will define the future of enterprise cybersecurity.
References:
Reported By: www.bleepingcomputer.com