The ShinyHunters Salesforce Attack: Vishing & OAuth Abuse Blamed for Qantas, Allianz, LVMH Breaches
Threat actors operating under the name ShinyHunters have orchestrated a series of cyberattacks targeting major corporations, including Qantas, Allianz Life, LVMH, and Adidas. Each incident centers on attempts to infiltrate client Salesforce environments through sophisticated social engineering tactics—most notably, voice phishing (vishing).
According to Google’s Threat Intelligence Group (GTIG), the cybercriminals—tracked as UNC6040—posed as IT support personnel, calling employees and directing them to a Salesforce-connected apps configuration page. There, victims were urged to enter a so-called “connection code,” effectively linking a malicious application—disguised as a legitimate tool such as “Data Loader” or “My Ticket Portal”—to the target’s Salesforce infrastructure.
Additional tactics included phishing websites mimicking Okta login interfaces, designed to harvest credentials and multi-factor authentication tokens. This strategy granted attackers unfettered access to company databases containing sensitive client and contact information.
In rapid succession, several companies disclosed breaches involving their cloud-based CRM systems. Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to platforms managing customer data. Tiffany’s South Korean branch notified clients of a breach involving a third-party provider. Allianz Life acknowledged that an attacker accessed their CRM environment on July 16, 2025. While Qantas declined to name the affected platform, local media confidently reported Salesforce as the system in question. Court documents revealed breaches in the “Accounts” and “Contacts” tables—hallmarks of a typical Salesforce environment.
As of publication, no data leaks or public ransom demands have surfaced. However, journalists report that the attackers, identifying themselves as ShinyHunters, have reached out to victims via email, threatening to release stolen data unless compensated—a tactic reminiscent of their previous Snowflake attacks.
The situation is further complicated by the blurred lines between ShinyHunters and Scattered Spider (UNC3944), another group active in the aviation, retail, and insurance sectors. However, while Scattered Spider conducts full-scale intrusions and deploys ransomware, ShinyHunters focus on targeted attacks against cloud platforms followed by extortion.
Some experts speculate an overlap between the groups: they may frequent the same cybercrime forums or even share members. Certain analysts trace their roots to the now-defunct Lapsus$ gang. Another theory posits that ShinyHunters operate as extortion-as-a-service providers—demanding ransoms on behalf of other hackers and taking a cut. They’ve allegedly employed this model in attacks on Oracle Cloud, PowerSchool, NitroPDF, Wattpad, MathWay, and others.
Despite arrests linked to ShinyHunters and the Breached v2 operation, the attacks persist. More companies are receiving emails that begin with a chilling declaration: “We are ShinyHunters,” underscoring the group’s collective—and resilient—nature.
Salesforce, for its part, has issued a formal statement asserting that the platform itself was neither breached nor vulnerable. Responsibility for security, they emphasized, rests with customers—who must actively defend against social engineering. Recommended safeguards include IP allowlisting, enforcing multi-factor authentication, restricting third-party app permissions, and leveraging Salesforce Shield for activity monitoring. Assigning a dedicated security officer is also advised to expedite incident response.
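Three of the safeguards named above (IP allowlisting, restricting which third-party apps may connect, and activity monitoring) can be turned into a single review pass over connected-app and export activity, which is where the campaign described here leaves its traces: a newly authorized app with a plausible name, a session from an unexpected network, and a large pull of records. The Python below is an added example written for this page; it is not code from the article, from Salesforce, or from GTIG. The event records, their field names, the approved app list, the allowlisted networks and the row threshold are all constructed assumptions for the example and do not reflect Salesforce's real Event Monitoring schema.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified event records. The field names are assumptions
# made for this example, not Salesforce's actual Event Monitoring fields.
@dataclass(frozen=True)
class Event:
    kind: str        # "APP_AUTHORIZED" (user approved a connected app) or "BULK_EXPORT"
    user: str        # account that performed the action
    app: str         # connected-app name the session presented
    source_ip: str   # client address seen for the action
    rows: int = 0    # records exported (BULK_EXPORT only)

# Assumed policy: the organisation only sanctions these connected apps.
# A self-registered app calling itself "Data Loader" is not one of them.
APPROVED_APPS = {"Salesforce Data Loader (corp-managed)", "Internal Reporting"}

# Assumed corporate egress ranges (documentation prefixes, constructed).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed threshold above which a single export deserves review.
EXPORT_ROW_THRESHOLD = 10_000


def ip_allowed(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def evaluate(events):
    """Apply the three checks to each event; return one finding per suspicious event.

    Each finding is a dict with the user, the app, and the list of reasons
    that fired, so an analyst sees why an event was flagged, not just that it was.
    """
    findings = []
    for e in events:
        reasons = []
        if e.app not in APPROVED_APPS:
            reasons.append("activity via unapproved connected app")
        if not ip_allowed(e.source_ip):
            reasons.append("source IP outside allowlist")
        if e.kind == "BULK_EXPORT" and e.rows >= EXPORT_ROW_THRESHOLD:
            reasons.append(f"large export ({e.rows} rows)")
        if reasons:
            findings.append({"user": e.user, "app": e.app,
                             "ip": e.source_ip, "reasons": reasons})
    return findings


# Constructed sample: one sanctioned authorisation, one lookalike app approved
# from an outside network, a large export through that app, and a routine export.
SAMPLE_EVENTS = [
    Event("APP_AUTHORIZED", "alice", "Internal Reporting", "203.0.113.10"),
    Event("APP_AUTHORIZED", "bob", "Data Loader", "192.0.2.77"),
    Event("BULK_EXPORT", "bob", "Data Loader", "192.0.2.77", rows=250_000),
    Event("BULK_EXPORT", "carol", "Internal Reporting", "198.51.100.5", rows=500),
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['user']} via '{f['app']}' from {f['ip']}: " + "; ".join(f["reasons"]))
```

Only the two events tied to the lookalike app are flagged, and each carries every reason that applied, so the export that follows an unapproved authorisation stands out with three reasons rather than one. In practice the event source would be the org's own monitoring feed and the approved-app list would be the set of apps an administrator has explicitly allowed.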
The ShinyHunters campaign marks a new chapter in the evolution of cyber threats: one where hybrid social engineering methods exploit not code, but human psychology and access mismanagement.