{
	"id": "4951a166-2ac1-4f66-a04c-628a63014377",
	"created_at": "2026-04-06T00:12:00.259335Z",
	"updated_at": "2026-04-10T13:12:42.015052Z",
	"deleted_at": null,
	"sha1_hash": "975676b2b72bc2c43b183189c10733d50c595554",
	"title": "ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3022053,
	"plain_text": "ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH\r\nBy Lawrence Abrams\r\nPublished: 2025-07-30 · Archived: 2026-04-05 17:27:02 UTC\r\nA wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.\r\nIn June, Google's Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.\r\nIn these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them to visit Salesforce's connected app setup page. On this page, they were told to enter a \"connection code\", which authorized a malicious version of Salesforce's Data Loader OAuth app against the target's Salesforce environment. Because the app is authorized through Salesforce's normal OAuth connected app flow, it receives API access with the victim's own permissions, which the attackers then use to export data; no vulnerability in the platform itself is involved.\r\nIn some cases, the Data Loader component was renamed to \"My Ticket Portal\" to make it more convincing in the attacks.\r\nPrompt to enter connection code (Source: Google)\r\nGTIG says that these attacks were usually conducted through vishing (voice phishing), but credentials and MFA tokens were also stolen through phishing pages that impersonated Okta login pages.\r\nAround the time of this report, multiple companies reported data breaches involving third-party customer service or cloud-based CRM systems.\r\nLVMH subsidiaries Louis Vuitton, Dior, and Tiffany \u0026 Co. each disclosed unauthorized access to a customer information database, with Tiffany Korea notifying customers the attackers breached a \"vendor platform used for managing customer data.\"\r\nAdidas, Qantas, and Allianz Life also reported breaches involving third-party systems, with Allianz confirming it was a third-party customer relationship management platform.\r\n\"On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life),\" an Allianz Life spokesperson told BleepingComputer.\r\nWhile BleepingComputer has learned that the Qantas data breach also involved a third-party customer relationship management platform, the company will not confirm it is Salesforce. However, previous reporting from local media claims the data was stolen from Qantas' Salesforce instance.\r\nFurthermore, court documents state that the threat actors targeted \"Accounts\" and \"Contacts\" database tables, both of which are standard Salesforce objects.\r\nWhile none of these companies have publicly named Salesforce, BleepingComputer has since confirmed that all were targeted in the same campaign detailed by Google.\r\nThe attacks have not led to public extortion or data leaks yet, with BleepingComputer learning that the threat actors are attempting to privately extort companies over email, where they name themselves as ShinyHunters.\r\nIt is believed that when these extortion attempts fail, the threat actors will release stolen information in a long wave of leaks, similar to ShinyHunters' previous Snowflake attacks.\r\n\"We have not identified any data leak sites associated with this activity,\" Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told BleepingComputer.\r\n\"It is plausible that the threat actor intends to sell the data instead of sharing it publicly. This approach would align with prior ShinyHunters Group activity.\"\r\nGoogle says it is now tracking Salesforce data-theft attacks under multiple threat group designations.\r\n\"GTIG attributes multiple incidents impacting Salesforce instances to UNC6040. In at least some cases, the follow-on extortion activity, which we attribute to the distinct threat cluster UNC6240, has used the ShinyHunters brand,\" Stark told BleepingComputer.\r\n\"The extortion activity is attributed to UNC6240 instead of UNC6040 due to a significant time gap between the initial data theft activity and the subsequent extortion activity. We have not confirmed the nature of the relationship between these intrusions and the prior use of this handle on underground forums.\"\r\nWho is ShinyHunters\r\nThe breaches have caused confusion among the cybersecurity community and the media, including BleepingComputer, with the attacks attributed to Scattered Spider (tracked by Mandiant as UNC3944), as those threat actors were also targeting the aviation, retail, and insurance sectors around the same time and demonstrated similar tactics.\r\nHowever, threat actors associated with Scattered Spider tend to perform full-blown network breaches, culminating in data theft and, sometimes, ransomware. ShinyHunters, tracked as UNC6040, on the other hand tends to focus on data-theft extortion attacks targeting a particular cloud platform or web application.\r\nIt is BleepingComputer's and some security researchers' belief that both UNC6040/UNC6240 and UNC3944 consist of overlapping members that communicate within the same online communities. The threat group is also believed to overlap with \"The Com,\" a network of experienced English-speaking cybercriminals.\r\n\"According to Recorded Future intelligence, the overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups,\" Allan Liska, an Intelligence Analyst for Recorded Future, told BleepingComputer.\r\nOther researchers have told BleepingComputer that ShinyHunters and Scattered Spider appear to be operating in lockstep, targeting the same industries at the same time, making it harder to attribute attacks.\r\nSome also believe that both groups have ties to threat actors from the now-defunct Lapsus$ hacking group, with reports indicating that one of the recently arrested Scattered Spider hackers was also in Lapsus$.\r\nAnother theory is that ShinyHunters is operating as an extortion-as-a-service, extorting companies on behalf of other threat actors in exchange for a revenue share, similar to how ransomware-as-a-service gangs operate.\r\nThis theory is supported by previous conversations BleepingComputer has had with ShinyHunters, in which they claimed not to be behind a breach but only to be acting as the seller of the stolen data.\r\nThese breaches include PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT\u0026T, NitroPDF, Wattpad, MathWay, and many more.\r\nShinyHunters attempting to sell data from the AT\u0026T breach (Source: BleepingComputer)\r\nTo muddy the waters further, there have been numerous arrests of people linked to the name \"ShinyHunters,\" including those arrested for the Snowflake data-theft attacks, breaches at PowerSchool, and the operation of the Breached v2 hacking forum.\r\nYet even after these arrests, new attacks occur, with companies receiving extortion emails stating, \"We are ShinyHunters,\" and referring to themselves as a \"collective.\"\r\nProtecting Salesforce instances from attacks\r\nIn a statement to BleepingComputer, Salesforce emphasized that the platform itself was not compromised, but rather that customers' accounts are being breached via social engineering.\r\n\"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks,\" Salesforce told BleepingComputer.\r\n\"We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications. For more information, please visit: https://www.salesforce.com/blog/protect-against-social-engineering/.\"\r\nSalesforce is urging customers to strengthen their security posture by:\r\nEnforcing trusted IP ranges for logins\r\nFollowing the principle of least privilege for app permissions\r\nEnabling multi-factor authentication (MFA)\r\nRestricting use of connected apps and managing access policies\r\nUsing Salesforce Shield for advanced threat detection, event monitoring, and transaction policies\r\nAdding a designated Security Contact for incident communication\r\nOf these, the connected app restriction is the control aimed most directly at the vector described above, because the connection-code step only works if the victim is permitted to authorize a new OAuth app from their own session. Further details on these mitigations can be found in Salesforce's guidance linked above.\r\nUpdate 8/1/25: Added information from GTIG.\r\nSource: https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/"
	],
	"report_names": [
		"shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/975676b2b72bc2c43b183189c10733d50c595554.pdf",
		"text": "https://archive.orkl.eu/975676b2b72bc2c43b183189c10733d50c595554.txt",
		"img": "https://archive.orkl.eu/975676b2b72bc2c43b183189c10733d50c595554.jpg"
	}
}