
ShinyHunters Salesforce Breach Hits Qantas, Allianz Life, and LVMH


The hacking group ShinyHunters is in the spotlight again, this time tied to a wave of social engineering attacks that targeted Salesforce systems at major companies such as Qantas, Allianz Life, and LVMH. The group exploited human trust, not software flaws, to access sensitive customer data across industries.

Vishing Attacks Open the Door

According to reports, attackers used vishing (voice phishing) to impersonate internal IT staff. Employees were tricked into visiting Salesforce’s Connected Apps setup page and instructed to input a code, thereby granting access to a rogue app disguised as “Salesforce Data Loader” or “My Ticket Portal.”

Once installed, these malicious OAuth apps allowed the attackers to exfiltrate customer data from the companies’ Salesforce environments.

A Trail of Victims

Allianz Life

On or before July 16, 2025, hackers accessed the data of nearly 1.4 million U.S. customers. The breach compromised personal information, including full names, addresses, birthdates, and policy numbers. No ransomware was involved, but the data appears to be used for extortion.

Qantas

The Australian airline confirmed a cyberattack affected its CRM platform. While details are limited, security researchers have linked the incident to ShinyHunters’ Salesforce exploitation tactics. The compromised data reportedly includes frequent flyer information and customer contact records.

LVMH Subsidiaries

Luxury brands like Louis Vuitton, Dior, and Tiffany Korea disclosed that unauthorized actors accessed client data. Though specifics are scarce, security firms suggest that a similar OAuth app method was used, exploiting Salesforce-connected vendors.

Not Salesforce’s Fault, But Still a Risk

Salesforce has emphasized that its core infrastructure remains secure. The breaches stem from user-side manipulation, where employees unwittingly installed malicious apps. This highlights the growing threat of social engineering—even on secure platforms.

ShinyHunters’ Strategy Evolves

Previously known for breaches at Tokopedia, Microsoft, and AT&T, ShinyHunters now seems to be operating as part of UNC6040, a financially motivated threat actor. The group is shifting toward targeting CRM systems and extorting companies privately, avoiding public leaks unless ransom demands are ignored.

Security Recommendations

Experts advise organizations using Salesforce to:

  • Disable self-authorized connected apps
  • Enforce strong MFA across all users
  • Restrict app permissions to the minimum required
  • Educate staff on voice phishing tactics
  • Monitor OAuth installs and CRM activity logs regularly
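One way to act on the last recommendation, as an added example that is not from the original article or from Salesforce: a review of connected-app authorizations that matches on app identifier rather than display name, since the rogue apps described above reused a trusted name. The record layout, identifiers, thresholds, and sample data are all constructed assumptions; map them to whatever your own OAuth and API activity export provides.

```python
from datetime import datetime, timedelta

# Assumption: apps the security team has approved, keyed by app identifier.
APPROVED = {"app-0001": "Salesforce Data Loader"}
BULK_ROWS = 50_000            # assumed threshold for a bulk export
WINDOW = timedelta(hours=24)  # assumed watch window after a new authorization

# Constructed sample records; field names are hypothetical, not a Salesforce schema.
AUTHORIZATIONS = [
    {"app_id": "app-0001", "app_name": "Salesforce Data Loader",
     "user": "ops@example.com", "at": "2025-01-06T09:00:00"},
    {"app_id": "app-9f3c", "app_name": "Salesforce Data Loader ",
     "user": "agent7@example.com", "at": "2025-01-10T14:02:00"},
    {"app_id": "app-77aa", "app_name": "My Ticket Portal",
     "user": "agent2@example.com", "at": "2025-01-10T15:10:00"},
]
API_ACTIVITY = [
    {"app_id": "app-0001", "at": "2025-01-06T09:30:00", "rows": 1_200},
    {"app_id": "app-9f3c", "at": "2025-01-10T14:20:00", "rows": 250_000},
    {"app_id": "app-9f3c", "at": "2025-01-10T16:45:00", "rows": 150_000},
    {"app_id": "app-77aa", "at": "2025-01-14T08:00:00", "rows": 90_000},
]

def review(authorizations, activity):
    """Return one finding per authorization of an app that is not approved."""
    approved_names = {name.strip().lower() for name in APPROVED.values()}
    findings = []
    for auth in authorizations:
        if auth["app_id"] in APPROVED:
            continue  # match on identifier; a display name proves nothing
        reasons = ["unapproved app"]
        if auth["app_name"].strip().lower() in approved_names:
            reasons.append("display name imitates an approved app")
        start = datetime.fromisoformat(auth["at"])
        rows = sum(e["rows"] for e in activity
                   if e["app_id"] == auth["app_id"]
                   and start <= datetime.fromisoformat(e["at"]) <= start + WINDOW)
        if rows >= BULK_ROWS:
            reasons.append(f"{rows} rows read within 24h of authorization")
        findings.append({"app_id": auth["app_id"], "user": auth["user"],
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review(AUTHORIZATIONS, API_ACTIVITY):
        print(finding)
```

An app that carries an approved name under an unapproved identifier and reads data in bulk soon after authorization is the highest-priority finding; the user on that record is the person to contact first.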

Final Thoughts

The ShinyHunters Salesforce breach marks a dangerous evolution in cybercrime, where voice phishing is weaponized to bypass technical defenses. With high-profile victims and millions of customer records at stake, this attack reminds us that social engineering is still one of the most effective tools in a hacker’s arsenal. Organizations must harden user-side policies, not just their software stack, to stay protected.

 

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.