Mallory

ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data

Tags: underground-data-leak, voice-social-engineering, identity-authentication-vulnerability, cloud-misconfiguration, data-exfiltration-method
Updated May 2, 2026 at 06:01 PM · 6 sources

ShinyHunters has claimed responsibility for breaching Cisco and stealing more than 3 million Salesforce records along with internal corporate data, GitHub repositories, and contents from AWS S3 buckets, then posted a "FINAL WARNING" on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts.

The intrusion was linked in reporting to three alleged access paths involving Salesforce CRM, Salesforce Aura/Experience Cloud, and AWS environments, and to activity tracked as UNC6040 and UNC6395. Threat intelligence cited in the coverage said the attackers have used vishing to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
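The recommended defenses above (audit connected OAuth apps, revoke suspicious tokens, watch for unauthorized Data Loader use) can be turned into a repeatable check. The following is an added example, not code from Mallory, Cisco or Salesforce: it runs offline over constructed records that only resemble Salesforce OauthToken and LoginHistory rows, the allowlists and network ranges are hypothetical tenant policy, and it ranks which tokens an incident responder would revoke first by correlating unapproved apps with out-of-policy Data Loader logins.

```python
"""Offline audit of the Salesforce-side mitigations named in the report.

Added example: inventories connected OAuth apps against an allowlist, flags
Data Loader logins that do not fit policy, and ranks tokens to revoke first.
Every record below is constructed for this example; field names only resemble
Salesforce OauthToken / LoginHistory rows (an assumption, not a vendor schema).
"""
import ipaddress

# Hypothetical tenant policy (assumption, not from the page).
APPROVED_CONNECTED_APPS = {"Slack", "Salesforce for Outlook", "Tableau CRM"}
DATA_LOADER_APPROVED_USERS = {"005XX0000012ADMIN"}            # placeholder user id
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET placeholder

# Constructed sample data (not real Cisco or Salesforce records).
CONNECTED_APPS = [
    {"AppName": "Slack", "UserId": "005XX0000012ADMIN",
     "LastUsedDate": "2026-03-20T10:00:00Z", "UseCount": 120},
    {"AppName": "Sales Insights Helper", "UserId": "005XX0000034SALES",
     "LastUsedDate": "2026-03-29T02:11:00Z", "UseCount": 3},
]
LOGIN_HISTORY = [
    {"UserId": "005XX0000012ADMIN", "LoginTime": "2026-03-28T09:15:00Z",
     "SourceIp": "203.0.113.10", "Application": "Data Loader Partner", "Status": "Success"},
    {"UserId": "005XX0000034SALES", "LoginTime": "2026-03-29T02:05:00Z",
     "SourceIp": "198.51.100.77", "Application": "Browser", "Status": "Success"},
    {"UserId": "005XX0000034SALES", "LoginTime": "2026-03-29T02:12:00Z",
     "SourceIp": "198.51.100.77", "Application": "Data Loader Bulk", "Status": "Success"},
    {"UserId": "005XX0000056SUPPORT", "LoginTime": "2026-03-29T08:00:00Z",
     "SourceIp": "203.0.113.44", "Application": "Data Loader Bulk",
     "Status": "Failed: Invalid Password"},
]


def unapproved_connected_apps(apps, approved=APPROVED_CONNECTED_APPS):
    """Connected apps whose name is not on the tenant allowlist (audit step)."""
    return [app for app in apps if app["AppName"] not in approved]


def is_corporate_ip(ip, networks=CORPORATE_NETWORKS):
    """True when the source address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def suspicious_data_loader_logins(logins, approved_users=DATA_LOADER_APPROVED_USERS,
                                  networks=CORPORATE_NETWORKS):
    """Successful Data Loader logins that break policy, with the reasons attached.

    The Application value is matched by substring because the constructed rows
    use more than one Data Loader client label (assumption about the field).
    Failed attempts are skipped here; they belong in a separate brute-force alert.
    """
    findings = []
    for row in logins:
        if "data loader" not in row["Application"].lower():
            continue
        if row["Status"] != "Success":
            continue
        reasons = []
        if row["UserId"] not in approved_users:
            reasons.append("user not approved for Data Loader")
        if not is_corporate_ip(row["SourceIp"], networks):
            reasons.append("source IP outside corporate ranges")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def revocation_candidates(apps, findings):
    """Unapproved apps owned by a user who also shows an out-of-policy
    Data Loader login: the tokens to revoke before the wider cleanup."""
    flagged_users = {f["UserId"] for f in findings}
    return sorted(app["AppName"] for app in unapproved_connected_apps(apps)
                  if app["UserId"] in flagged_users)


if __name__ == "__main__":
    hits = suspicious_data_loader_logins(LOGIN_HISTORY)
    for app in unapproved_connected_apps(CONNECTED_APPS):
        print("unapproved app:", app["AppName"], "owner", app["UserId"])
    for hit in hits:
        print("Data Loader login:", hit["UserId"], hit["SourceIp"], "; ".join(hit["reasons"]))
    print("revoke first:", revocation_candidates(CONNECTED_APPS, hits))
```

In a real tenant the two inputs come from the org's OAuth token inventory and login history export rather than the inline lists; the allowlist is the part that needs maintaining, since an app that is approved once and never reviewed is exactly what the audit step is meant to catch.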

Timeline

  1. Apr 1, 2026

    Cisco has not publicly addressed the March extortion claim

    As of the April 1, 2026 reporting, Cisco had not publicly responded to the March 2026 ShinyHunters extortion claim. Researchers urged immediate Salesforce-focused mitigations such as auditing OAuth apps, revoking suspicious tokens, and monitoring for unauthorized Data Loader activity.

  2. Apr 1, 2026

    Reports detail alleged Cisco intrusion paths and stolen data

    Subsequent reporting said the alleged Cisco data originated from Salesforce environments and may include records tied to customers, employees, and U.S. and foreign government personnel. The claimed intrusion paths included Salesforce CRM, Salesforce Aura/Experience Cloud, and AWS environments, with screenshots allegedly showing access to Cisco-linked AWS infrastructure.

  3. Mar 31, 2026

    ShinyHunters posts Cisco extortion claim with April 3 deadline

    In late March 2026, ShinyHunters posted a 'FINAL WARNING' on its leak site claiming responsibility for breaches affecting Cisco and threatening to leak data after April 3, 2026. The group alleged compromise of more than 3 million Salesforce records along with internal data, GitHub repositories, and AWS S3 buckets.

  4. Aug 1, 2025

    Cisco describes vishing campaign targeting employee access

    Cisco previously disclosed a vishing campaign in which attackers targeted employees to gain access to internal systems and customer data. Later reporting connected this activity to tactics used by ShinyHunters-linked clusters abusing Salesforce OAuth access.

  5. Aug 1, 2025

    Google designates ShinyHunters activity cluster as UNC6040

    Google Threat Intelligence Group assigned the ShinyHunters-linked intrusion activity the cluster name UNC6040 in August 2025. The designation was used in later reporting about Salesforce-focused intrusions and extortion activity.


Related Stories

Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations


A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. 
The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.

1 month ago
Salesforce-Targeted Data Breaches Impacting Google, Workday, and Others via Social Engineering


A coordinated wave of cyberattacks in 2025 targeted organizations using Salesforce’s CRM platform, resulting in significant data breaches at major companies including Google and Workday. Attackers exploited the inherent trust and connectivity of cloud-based CRM systems, focusing on social engineering rather than technical vulnerabilities. Workday confirmed that attackers accessed a database containing business contact information for up to 11,000 corporate customers and 70 million individual user records, with the breach discovered in early August 2025. Google also disclosed that its Salesforce instance used for Google Ads leads was compromised, leading to the theft of over 2.5 million customer records, including business contact details and sales notes for small and mid-sized clients. Cisco and other organizations were also listed among the victims of this campaign. The threat group responsible, identified as UNC6040 and associated with ShinyHunters, used telephone-based social engineering (vishing) to trick employees into granting access or sharing credentials. Attackers convinced targets to use a modified, unauthorized version of the Salesforce Data Loader app, which enabled them to exfiltrate sensitive data from Salesforce environments. Mandiant, working with Google, provided proactive defense recommendations, emphasizing that the attacks did not exploit Salesforce vulnerabilities but rather relied on manipulating end users. The attackers’ tactics included delayed extortion demands, sometimes occurring months after the initial compromise. The breaches highlighted the risks of interconnected cloud services and the importance of robust identity and access management. Security experts stressed the need for organizations to harden their Salesforce and other cloud assets against social engineering. The incidents underscored the growing trend of targeting SaaS platforms through human factors rather than technical flaws. 
Lessons from these breaches include the necessity of employee training, multi-factor authentication, and vigilant monitoring of third-party integrations. The scale and sophistication of the attacks demonstrated the evolving threat landscape for cloud-based business applications. Organizations are urged to review their incident response plans and ensure that all users are aware of the risks posed by social engineering campaigns. The breaches serve as a warning for enterprises to reassess their security posture around cloud CRM platforms and to implement layered defenses against both technical and human-centric threats.

Today
McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration


McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the **ShinyHunters** extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted. After the extortion deadline passed, data tied to **13.5 million** McGraw Hill user accounts was reportedly leaked publicly, with **Have I Been Pwned** saying the dump contained more than **100GB** of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold **45 million** Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.

2 days ago
