ShinyHunters Salesforce Cyber Attacks: What You Need to Know


A recent campaign of cyber attacks orchestrated via social engineering against users' Salesforce instances is now being attributed to the ShinyHunters cyber crime gang with growing confidence, and the list of victims seems to be growing by the day. To date, multiple compromised organisations have been linked to these attacks. Among them are fashion brands including Adidas; LVMH brands Dior, Louis Vuitton, and Tiffany & Co; jewellery company Pandora; insurance companies such as Allianz; and airlines such as Qantas and Air France-KLM. Even the technology sector is not immune to ShinyHunters' "affections". Google has also reported that it was hit by the operation, revealing on 5 August that one of its corporate Salesforce instances was breached and data on small and medium-sized enterprise (SME) customers taken – although thankfully this was mostly publicly available business information such as business names and contact numbers.

Who are ShinyHunters and what do they want?

Since April 2025, an audacious series of cyber attacks orchestrated by the English-speaking hacking collective Scattered Spider – particularly an incident in which the gang breached the systems of high street stalwart Marks & Spencer (M&S) – has brought social engineering attacks to mainstream attention. Absent definitive proof that enables the threat intel community to attribute cyber incidents, a number of the ShinyHunters attacks had been speculatively linked to Scattered Spider. But Scattered Spider does not have a monopoly on social engineering, and with the body of evidence in this particular campaign pointing more firmly to ShinyHunters, it is worth learning more about this group.

The ShinyHunters gang appears to have formed in 2020 as a hack-and-leak operation, drip-feeding millions of stolen records into the public domain. Its objectives beyond that goal are unclear, although the group is clearly now branching out into outright extortion. Historic ShinyHunters victims, either claimed or confirmed, include AT&T Wireless, Microsoft, Santander and Ticketmaster. Many of these victims were likely breached via abuse of unsecured accounts held with cloud data management platform Snowflake. Note that this is not evidence Snowflake itself was breached, merely of insecure usage of its products and services.

ShinyHunters has also been linked to the various incarnations of the infamous BreachForums data leak forum. The most recent development in this particular story was the June 2025 indictment by the US authorities of a prominent hacker known as IntelBroker, allegedly a 25-year-old British national named Kai West, and concurrent arrests in France of others associated with ShinyHunters. Intriguingly, the Google Threat Intelligence Group (GTIG) assesses that ShinyHunters and Scattered Spider may share some behind-the-scenes links, as both gangs demonstrate evidence of affiliation with The Com. The Com is a wider hacking ring comprising multiple disparate and often rival groups.

According to the FBI, it organises on various forums including Discord and Telegram, and its members – many of whom are likely minors – engage in various forms of cyber criminality. GTIG has observed various elements of attacker-controlled infrastructure in use across multiple cyber attacks conducted by groups with ties to The Com, as well as overlapping tactics (social engineering in particular), the targeting of Okta credentials and a focus on victimising English-speaking users at multinational organisations by impersonating IT helpdesk staff – all hallmarks of Scattered Spider and ShinyHunters breaches.

Social engineering is a tried-and-tested hacking technique in which targeted victims are convinced into giving up access to their employers' secrets by various means. Commonly used methods of social engineering include targeted phishing emails that attempt to trick their recipients into downloading something dangerous such as malware or ransomware, or supplying sensitive information such as their IT system credentials.

Other social engineers will create pretexts to game their targets. As we have seen, in the digital realm they often impersonate IT helpdesks or support services, or they may offer something – which often seems too good to be true – to spark interest, which is a classic bait-and-switch technique used by real-world scammers too.

Social engineering doesn't just fall under the banner of IT and cyber security – it far predates the information age. Throughout human history, scammers have deployed social engineering techniques. In the age of myth, when the ancient Greeks left a huge wooden horse at the gates of Troy, they were betting that the Trojans would accept it as a generous peace offering. What else is this but a form of social engineering? Ultimately, social engineering succeeds because it exploits a number of underlying human traits.

How is ShinyHunters attacking its victims?

Precise attribution of the current ShinyHunters campaign has proved difficult, but the facts show that it broadly began sometime in the past few months. It first came to wider attention in June when, ironically with hindsight, GTIG reported on a series of cyber attacks in which a threat actor breached victims through the Salesforce Data Loader application. Salesforce Data Loader is a client application designed to support bulk import or export of data records; given the access to valuable information it affords, it is easy to see why it would be targeted by cyber criminals.

In the attacks described by GTIG, the threat actors breached their targets' systems by impersonating IT support staff in telephone calls. This technique is a form of social engineering attack known as voice phishing – or, simply, vishing. During the calls, victims were informed of an apparent open Salesforce issue and guided to the official Salesforce page for connected apps.

The caller then instructed them to connect a malicious, trojanised version of Data Loader controlled by the threat actor to their organisation's Salesforce portal. The threat actor's infrastructure also hosted an Okta phishing panel designed to trick victims into visiting it from mobile devices or work computers and supplying the credentials and multifactor authentication (MFA) codes needed to complete that step.

With access obtained, the threat actor was able to use the Data Loader application programming interface (API) to query and exfiltrate sensitive data directly from its victims' Salesforce environments. GTIG reported the gang used IP addresses linked to the legitimate Mullvad virtual private network (VPN) service to access and exfiltrate the data.

The gang has also been observed deploying custom applications – typically Python scripts that work in a similar way to Data Loader and exfiltrate data via the Tor anonymisation service, a tactic that may be designed to make tracking and attribution harder. GTIG has also observed the group shifting away from using Salesforce trial accounts set up via webmail services to using compromised accounts at other organisations to register the malware.
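The attack chain described above leaves traces a defender can look for in Salesforce API activity: an unexpected client name performing bulk exports, export volumes far above normal, and API calls arriving from VPN or Tor exit addresses. The following script is an added example, not code from the article, from Salesforce or from GTIG. It runs simple detection rules over a handful of constructed event records; the field names (EVENT_TYPE, USER_ID, CLIENT_NAME, CLIENT_IP, ROWS_PROCESSED) are modelled loosely on Salesforce event-log columns but are assumptions, as are the approved-client allowlist, the anonymiser address ranges (documentation ranges standing in for a real threat-intel feed) and the row threshold.

```python
"""Added example: triage rules for the Salesforce API-export pattern.

Not the article's, Salesforce's or GTIG's code. All field names, sample
records, address ranges and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Connected apps the organisation expects to perform bulk API exports (assumed).
APPROVED_BULK_CLIENTS = {"Data Loader/64.0 Official"}

# Address ranges the organisation treats as VPN/Tor exits (constructed; a real
# deployment would load these from its threat-intel provider).
ANONYMISER_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Rows exported per (user, client) above which an alert is raised (assumed).
ROW_THRESHOLD = 50_000

# Constructed sample records, loosely shaped like Salesforce event-log rows.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "Login", "USER_ID": "005B", "CLIENT_NAME": "Browser",
     "CLIENT_IP": "203.0.113.7", "ROWS_PROCESSED": 0},
    {"EVENT_TYPE": "API", "USER_ID": "005A", "CLIENT_NAME": "Data Loader/64.0 Official",
     "CLIENT_IP": "192.0.2.10", "ROWS_PROCESSED": 12_000},
    {"EVENT_TYPE": "API", "USER_ID": "005B", "CLIENT_NAME": "Data Loader Bulk Sync",
     "CLIENT_IP": "203.0.113.7", "ROWS_PROCESSED": 40_000},
    {"EVENT_TYPE": "API", "USER_ID": "005B", "CLIENT_NAME": "Data Loader Bulk Sync",
     "CLIENT_IP": "203.0.113.7", "ROWS_PROCESSED": 35_000},
    {"EVENT_TYPE": "API", "USER_ID": "005C", "CLIENT_NAME": "python-requests/2.31",
     "CLIENT_IP": "198.51.100.9", "ROWS_PROCESSED": 500},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    client: str
    detail: str


def is_anonymiser(ip: str) -> bool:
    """True when the source address falls inside a known VPN/Tor range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMISER_RANGES)


def analyse(events):
    """Apply three rules to API events and return deduplicated findings.

    1. unapproved_client: a client name outside the bulk-export allowlist
       (a lookalike "Data Loader" is exactly what the campaign used).
    2. anonymiser_source: API traffic from a VPN/Tor exit range.
    3. bulk_export_volume: total rows per (user, client) above ROW_THRESHOLD.
    """
    findings = set()
    rows_per_pair = defaultdict(int)
    for ev in events:
        if ev["EVENT_TYPE"] != "API":
            continue  # login events are out of scope for these rules
        user, client, ip = ev["USER_ID"], ev["CLIENT_NAME"], ev["CLIENT_IP"]
        rows_per_pair[(user, client)] += ev["ROWS_PROCESSED"]
        if client not in APPROVED_BULK_CLIENTS:
            findings.add(Finding("unapproved_client", user, client, "not in allowlist"))
        if is_anonymiser(ip):
            findings.add(Finding("anonymiser_source", user, client, ip))
    for (user, client), total in rows_per_pair.items():
        if total > ROW_THRESHOLD:
            findings.add(Finding("bulk_export_volume", user, client, str(total)))
    return sorted(findings, key=lambda f: (f.user, f.rule))


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:20} user={f.user} client={f.client!r} {f.detail}")
```

The rules are deliberately independent so that a single signal (an unfamiliar client name, say) is enough to raise a ticket, while the combination of all three on one user, as in the 005B records above, is what should trigger an immediate token revocation and connected-app review. Threshold and allowlist values need tuning per organisation; the point of the example is the shape of the detection, not the numbers.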

In the final stages of the cyber attack, the cyber criminals approach the victim with an extortion demand – typically a bitcoin payment within 72 hours. In some instances, said GTIG, more than a month has passed between the point at which they exfiltrated data and at which they made their approach.

What is Salesforce doing about it?

Despite its products and services being exploited in the ShinyHunters attacks, it is very important to be aware that Salesforce is not in any way to blame. The intrusions are not the result of any reported failing on its part or any zero-day vulnerability in its software. Salesforce has not been explicitly accused of any of the distinct attacks attributed to ShinyHunters – to do so explicitly may invite legal trouble in future.

However, the software house has reaffirmed its guidance for its users on protecting their environments. In the preamble to this guidance, the cyber team wrote: "Cyber security is a shared responsibility between a provider and their customers... While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data – especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers."

What steps can I take now?

Broadly speaking, Salesforce's guidance on safeguarding customer environments against the ShinyHunters threat draws on wider cyber security best practice and established guidance. The software giant has set out five key steps that its customers could and should be taking, if they have not already done so:


These steps aim to help users protect their Salesforce environments from similar threats in the future. Users should be vigilant when receiving unsolicited calls or messages claiming to be related to Salesforce and never follow instructions that ask them to connect a malicious application to their organisation's Salesforce portal.

Closing Thoughts

ShinyHunters' campaign is an important reminder of the evolving nature of cyber threats. As social engineering techniques continue to advance, it is crucial for individuals and organisations to stay informed and take proactive measures to protect themselves.