A campaign of cyber attacks orchestrated via social engineering against users’ Salesforce instances is now being attributed to the ShinyHunters cyber crime gang with growing confidence, and the list of victims seems to be growing by the day.

To date, multiple compromised organisations have been linked to these attacks. Among them are fashion brands including Adidas; LVMH brands Dior, Louis Vuitton, and Tiffany & Co; jewellery company Pandora, insurance companies such as Allianz, and airlines such as Qantas and Air France-KLM.

Even the technology sector is not immune to ShinyHunters’ “affections”. Google has also reported that it was hit by the operation, revealing on 5 August that one of its corporate Salesforce instances was breached and data on small and medium-sized enterprise (SME) customers taken – although thankfully this was mostly publicly available business information such as business names and contact numbers.

Who are ShinyHunters and what do they want?

Since April 2025, an audacious series of cyber attacks orchestrated by the English-speaking hacking collective Scattered Spider – particularly an incident in which the gang breached the systems of high street stalwart Marks & Spencer (M&S) – has brought social engineering attacks to mainstream attention.

While the threat intel community has lacked the proof needed to attribute these incidents definitively, a number of the ShinyHunters attacks had been speculatively linked to Scattered Spider. But Scattered Spider does not have a monopoly on social engineering, and with the body of evidence in this particular campaign pointing more firmly to ShinyHunters, it is worth learning more about this group.

The ShinyHunters gang appears to have formed in 2020 as a hack-and-leak operation, drip feeding millions of stolen records into the public domain. Its objectives beyond that goal are unclear, although the group is clearly now branching out into outright extortion.

Historic ShinyHunters victims, either claimed or confirmed, include AT&T Wireless, Microsoft, Santander and Ticketmaster. Many of these victims were likely breached via abuse of unsecured accounts held with cloud data management platform Snowflake. Note that this is not evidence Snowflake itself was breached, merely of unsecure usage of its products and services.

ShinyHunters has also been linked to the various incarnations of the infamous BreachForums data leak forum. The most recent development in this particular story was the June 2025 indictment by the US authorities of a prominent hacker known as IntelBroker, allegedly a 25-year-old British national named Kai West, and concurrent arrests in France of others associated with ShinyHunters.

Intriguingly, the Google Threat Intelligence Group (GTIG) assesses that ShinyHunters and Scattered Spider may share some behind-the-scenes links, as both gangs demonstrate evidence of affiliation with The Com.

The Com is a wider hacking ring comprising multiple disparate and often rival groups. According to the FBI, it organises on various forums including Discord and Telegram, and its members – many of whom are likely minors – engage in various forms of cyber criminality.

GTIG has observed various elements of attacker-controlled infrastructure in use across multiple cyber attacks conducted by groups with ties to The Com, as well as overlapping tactics (social engineering in particular), the targeting of Okta credentials and a focus on victimising English-speaking users at multinational organisations – all hallmarks of Scattered Spider and ShinyHunters breaches.

According to GTIG, it is plausible that these similarities have arisen between associated actors operating in the same core community, rather than suggesting direct collaboration between Scattered Spider and ShinyHunters.

What is social engineering?

Social engineering is a tried-and-tested hacking technique in which targeted victims are convinced into giving up access to their employers’ secrets by various means.

Commonly used methods of social engineering include targeted phishing emails that attempt to trick their recipients into downloading something dangerous such as malware or ransomware, or supplying sensitive information such as their IT system credentials.

Other social engineers will create pretexts to game their targets. As we have seen, in the digital realm they often impersonate IT helpdesks or support services, or they may offer something – which often seems too good to be true – to spark interest, which is a classic bait-and-switch technique used by real-world scammers too.

Social engineering doesn’t just fall under the banner of IT and cyber security – it far predates the information age. Throughout human history, scammers have deployed social engineering techniques. In the age of myth, when the ancient Greeks left a huge wooden horse at the gates of Troy, they were betting that the Trojans would accept it as a generous peace offering. What else is this but a form of social engineering?

Ultimately, social engineering succeeds because it exploits a number of underlying human traits. We want to trust and be helpful to others, we are susceptible to circumstances that induce fear or urgency and cause us to bypass the more rational parts of our psyches, we are curious and greedy animals, and we tend to have a certain respect for people who appear to be in a position of authority – such as an IT support agent.

So, as a tactic for evading your target’s defences, social engineering is a winner.

How is ShinyHunters attacking its victims?

There has been some difficulty in precise attribution surrounding the current ShinyHunters campaign – as we will explore – but the facts show that it broadly began sometime in the past few months, although it first came to wider attention in June when, ironically with hindsight, GTIG reported on a series of cyber attacks in which a threat actor breached victims through the Salesforce Data Loader application.

Salesforce Data Loader is a client application designed to support the bulk import or export of data records. Given the access to valuable information it affords, it is easy to see why it would be targeted by cyber criminals.

In the attacks described by GTIG, the threat actors breached their targets’ systems by impersonating IT support staff in telephone calls. This technique is a form of social engineering attack known as voice phishing – or, simply, vishing.

During the calls, victims were informed of an apparent open Salesforce issue and guided to the official Salesforce page for connected apps. The caller then instructed them to connect a malicious, trojanised version of Data Loader controlled by the threat actor to their organisation’s Salesforce portal. The threat actor’s infrastructure also hosted an Okta phishing panel, designed to trick victims into visiting it from mobile devices or work computers and supplying the credentials and multifactor authentication (MFA) codes needed to complete that connection.

With access obtained, the threat actor was able to use the Data Loader application programming interface (API) to query and exfiltrate sensitive data directly from its victims’ Salesforce environments. GTIG reported the gang used IP addresses linked to the legitimate Mullvad virtual private network (VPN) service to access and exfiltrate the data.

The gang has also been observed deploying custom applications – typically Python scripts that work in a similar way to Data Loader and exfiltrate data via the Tor anonymisation service, a tactic that may be designed to make tracking and attribution harder.

GTIG has also observed the group shifting away from using Salesforce trial accounts set up via webmail services to using compromised accounts at other organisations to register the malware.

In the final stages of the cyber attack, the cyber criminals approach the victim with an extortion demand – typically a bitcoin payment within 72 hours. In some instances, said GTIG, more than a month has passed between the point at which they exfiltrated data and at which they made their approach.

This gap may be an indication of crossover or collaboration within the wider Com network; GTIG has attributed the initial intrusion activity to a group tagged as UNC6040, and the extortion activity to a group tagged as UNC6240, which has “consistently” claimed to be ShinyHunters. This could indicate a partnership between two distinct groups to monetise the stolen data, but there is insufficient evidence to make a firm determination.

GTIG further suggested that ShinyHunters may be preparing to escalate its campaign by launching a data leak site to increase pressure on its victims.

What is Salesforce doing about it?

Despite its products and services being exploited in the ShinyHunters attacks, it is very important to be aware that Salesforce is not in any way to blame. The intrusions are not the result of any reported failing on its part or any zero-day vulnerability in its software.

Salesforce has not commented on any of the distinct attacks attributed to ShinyHunters – to do so explicitly may invite legal trouble in future – but it has reaffirmed its guidance for its users on protecting their environments. In the preamble to this guidance, Salesforce acknowledged the use of the trojanised Data Loader app in some instances.

“Cyber security is a shared responsibility between a provider and their customers,” wrote the firm’s cyber team. “While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data – especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers.”

What steps can I take now?

Broadly speaking, Salesforce’s guidance on safeguarding customer environments against the ShinyHunters threat draws on wider cyber security best practice and established guidance.

The software giant has set out five key steps that its customers could and should be taking, if they have not already done so:

  • Salesforce customers should start by restricting login IP ranges to their enterprise and VPN network to make sure that unidentified or non-trusted IPs are flatly denied access, or at the very least challenged. If circumstances call for it, admins may also wish to restrict login IP addresses at the profile level, meaning individual users can only login from allowed IP addresses.
  • Admins should adhere to the Principle of Least Privilege (PoLP), whereby users are given only the permissions they need to perform their jobs, limiting their access to sensitive information – there is no reason why somebody in HR would need sales or marketing data, for example. Salesforce’s guidance sets out various steps admins can take under this umbrella, but concerning Data Loader specifically, the number of users allowed to mass import, update or delete records should be restricted.
  • Admins should set up and enforce MFA as a matter of course. Even if threat actors are able to defeat it through social engineering, it remains a useful extra layer of defence – especially against pureplay phishing attacks.
  • Admins may wish to consider exploring Salesforce’s proprietary Shield security tool suite, which includes features such as event monitoring, threat detection, transaction security policy management and data management.
  • Finally, Salesforce advises that all Signature and Premier-level customers have a dedicated security contact, while standard users are encouraged to maintain a current sysadmin, so that its teams can reach out to the right person should it identify an incident.
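As an added example (not from the article, and not Salesforce’s own tooling), the script below shows how the first two recommendations can be turned into a triage check over login and API activity: logins from outside the trusted corporate/VPN ranges and large bulk exports from untrusted IPs or unapproved client apps are flagged for an analyst. The record layout, IP ranges, app names and threshold are all constructed for illustration rather than taken from Salesforce’s event log schema.

```python
import ipaddress

# Constructed sample records in a simplified, assumed event-log shape
# (not Salesforce's own schema): one dict per login or API call.
EVENTS = [
    {"type": "Login", "user": "jsmith", "ip": "10.20.4.17", "app": "Browser", "rows": 0},
    {"type": "Login", "user": "jsmith", "ip": "198.51.100.23", "app": "Data Loader", "rows": 0},
    {"type": "Api", "user": "jsmith", "ip": "198.51.100.23", "app": "Data Loader", "rows": 250000},
    {"type": "Api", "user": "mlee", "ip": "10.20.4.40", "app": "Data Loader", "rows": 1200},
    {"type": "Api", "user": "akhan", "ip": "10.20.5.9", "app": "custom-export-tool", "rows": 80000},
]

TRUSTED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # corporate + VPN egress (assumed)
APPROVED_BULK_APPS = {"Data Loader"}                      # client apps allowed to bulk-export
BULK_ROW_THRESHOLD = 50000                                # rows per call that merit a look


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allowed login range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def review(events):
    """Return (user, reason) findings for an analyst to triage, in log order."""
    findings = []
    for e in events:
        # Recommendation 1: logins should only come from trusted IP ranges.
        if e["type"] == "Login" and not is_trusted(e["ip"]):
            findings.append((e["user"], f"login from untrusted IP {e['ip']} via {e['app']}"))
        # Recommendation 2: few users and few apps should be able to move data in bulk.
        if e["type"] == "Api" and e["rows"] >= BULK_ROW_THRESHOLD:
            if e["app"] not in APPROVED_BULK_APPS:
                findings.append((e["user"], f"bulk export of {e['rows']} rows by unapproved app {e['app']}"))
            elif not is_trusted(e["ip"]):
                findings.append((e["user"], f"bulk export of {e['rows']} rows from untrusted IP {e['ip']}"))
    return findings


if __name__ == "__main__":
    for user, reason in review(EVENTS):
        print(f"{user}: {reason}")
```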
