A coordinated cyberattack campaign targeting Salesforce integrations has compromised data at several major global brands, including Google, Chanel, Qantas, Allianz, LVMH, and Cisco.
The breaches began in May 2025 and are still unfolding. According to Google Threat Intelligence Group (GTIG), the initial intrusions were carried out by a financially motivated group known as UNC6040, which used voice phishing (vishing) to trick employees into authorizing malicious OAuth applications that impersonated trusted Salesforce tools.
In the weeks that followed, a separate threat cluster, UNC6240, began contacting victims with extortion demands. This group consistently identified itself as ShinyHunters, a name previously associated with major data-theft campaigns. The two clusters are believed to be linked, either through shared operators or close coordination.
These attacks did not exploit a vulnerability in Salesforce. Instead, they highlight how attackers can abuse trusted integrations, impersonate legitimate apps, and exploit non-human identities to move silently through SaaS environments, often without triggering traditional security alerts.
Amir Khayat, CEO and co-founder, Vorlon
The Vorlon team has been actively monitoring ShinyHunters, working closely with our Salesforce customers to investigate potential signs of related activity and to implement alerts that can detect suspicious behavior tied to this threat and similar attacks. Now, we’re sharing our tips so you can detect and respond to ShinyHunters-style threats in your own SaaS environment.
How to know if you were impacted by the ShinyHunters Salesforce attacks
The ShinyHunters campaign relies on a blend of social engineering, OAuth impersonation, and API-based data exfiltration. The attackers often use a lookalike version of the Salesforce Data Loader tool, authorized through a deceptive but legitimate OAuth flow. Because these attacks do not exploit a traditional vulnerability, they can be difficult to detect without deep visibility into your Salesforce environment.
Here are signs your organization may have been impacted:
- Unfamiliar connected apps that appear as Salesforce Data Loader or “My Ticket Portal”
- Dormant OAuth apps with broad permissions (e.g., refresh_token full)
- Unusual or excessive API activity, especially involving large dataset exports
- Login attempts from unexpected IP addresses, geographies, or at unusual times
- Unauthorized package installations that bypassed Salesforce’s security review process
Start by reviewing logs from Salesforce Event Monitoring, if available. Look for Bulk API jobs, large-volume data exports, and report generation by unexpected users, all of which may indicate compromise.
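A small triage script for the log review described above, added here as an illustration and not code from Vorlon or Salesforce. It scans constructed Event Monitoring-style records for the signs listed: Bulk API jobs with large row counts, report exports by users outside an expected set, and logins from IP ranges or at hours your organization does not expect. The column layout (EVENT_TYPE, TIMESTAMP, USER, CLIENT_IP, ROWS) and every threshold and address are assumptions; real EventLogFile exports carry their own per-event-type columns and must be mapped onto these names first.

```python
"""Triage constructed Salesforce Event Monitoring-style records for ShinyHunters-style
signs: large Bulk API jobs, report exports by unexpected users, and logins from
untrusted networks or outside business hours.

Added example, not Vorlon's or Salesforce's code. The column layout is an
assumption; map real EventLogFile columns onto it before use.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample rows, not real log data.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER,CLIENT_IP,ROWS
Login,2025-07-14T09:02:11Z,admin@corp.example,10.20.0.15,0
BulkApi,2025-07-14T09:10:40Z,admin@corp.example,10.20.0.15,1200
ReportExport,2025-07-14T11:45:03Z,analyst@corp.example,10.20.0.44,800
Login,2025-07-15T02:17:55Z,admin@corp.example,203.0.113.77,0
BulkApi,2025-07-15T02:25:09Z,admin@corp.example,203.0.113.77,250000
ReportExport,2025-07-15T02:40:30Z,support2@corp.example,203.0.113.77,40000
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate/VPN ranges
EXPECTED_EXPORTERS = {"analyst@corp.example"}              # assumed users who legitimately export reports
BULK_ROW_THRESHOLD = 50_000                                # assumed org-specific row threshold
BUSINESS_HOURS = range(7, 20)                              # assumed 07:00-19:59 UTC


def ip_is_trusted(ip):
    """True when the client address falls inside an approved network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text):
    """Return a list of (severity, user, reason) findings for the given CSV text."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        user, ip, rows = row["USER"], row["CLIENT_IP"], int(row["ROWS"])
        kind = row["EVENT_TYPE"]
        if kind == "Login":
            # Sign: login from an unexpected IP address or at an unusual time.
            if not ip_is_trusted(ip):
                findings.append(("high", user, f"login from untrusted IP {ip}"))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("medium", user, f"login at off-hours {ts.isoformat()}"))
        elif kind == "BulkApi" and rows >= BULK_ROW_THRESHOLD:
            # Sign: Bulk API job exporting a large dataset.
            findings.append(("high", user, f"bulk API job exported {rows} rows from {ip}"))
        elif kind == "ReportExport" and user not in EXPECTED_EXPORTERS:
            # Sign: report generation by a user who does not normally export.
            findings.append(("medium", user, f"report export of {rows} rows by unexpected user"))
    return findings


if __name__ == "__main__":
    for severity, user, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {user}: {reason}")
```

On the constructed rows this reports four findings: the off-hours login from outside the trusted range (two findings), the 250,000-row Bulk API job, and the report export by a user who is not an expected exporter. Tune the thresholds and sets to your own org before relying on the output.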
How to detect and respond if you’re at risk
Whether you’ve spotted suspicious behavior or want to proactively harden your environment, here are key steps to detect and prevent ShinyHunters-style attacks:
1. Audit and monitor OAuth applications
- Review all connected apps, especially those created in the last 12-18 months
- Look for unused, ambiguous, or overlapping app names
- Identify apps with elevated access scopes (refresh_token full)
- Remove unnecessary or high-risk OAuth apps
2. Alert on new OAuth app registrations
- Set up alerting whenever a new OAuth or connected app is created
- Treat apps that resemble trusted tools (like Data Loader) as high risk
3. Track OAuth scope elevation events
- Monitor for apps that escalate access scopes unexpectedly
- Flag any changes to full API access as potential indicators of compromise
4. Watch for unreviewed package installations
- Salesforce logs the URI nonSecurityReviewedManagedPackageInstalled when a package is installed without a security review
- Investigate any such event, especially when linked to admin accounts or tools like Data Loader
5. Implement proactive security controls
- Restrict login IP ranges to trusted enterprise or VPN networks
- Apply the principle of least privilege for app and user access
- Require and enforce multi-factor authentication (MFA). Even if imperfect, it raises the bar for attackers
- Regularly review third-party app access and monitor for anomalies
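Steps 1 through 4 above are all checks against a connected-app inventory and the setup audit trail, so here is one script that runs them together. It is an added example, not Vorlon's or Salesforce's code: it compares two constructed inventory snapshots to find new registrations, scope elevation, dormant apps still holding broad scopes, and names that closely resemble a trusted tool, and scans constructed audit-trail lines for the nonSecurityReviewedManagedPackageInstalled action named in step 4. The snapshot layout, the audit-trail line format, the 90-day dormancy window and the similarity threshold are assumptions.

```python
"""Connected-app governance checks for steps 1-4: new apps, scope elevation, dormant
apps with broad scopes, lookalike names, and unreviewed package installs.

Added example, not Vorlon's or Salesforce's code. Snapshot layout and audit-trail
line format are assumptions; only the audit-trail action name comes from the post.
"""
import difflib
from datetime import date

# Constructed snapshots keyed by app name (assumed layout).
PREVIOUS_SNAPSHOT = {
    "Salesforce Data Loader": {"created": "2024-01-10", "scopes": {"api", "refresh_token"}, "last_used": "2025-07-20"},
    "Marketing Sync":         {"created": "2023-11-02", "scopes": {"api"}, "last_used": "2025-06-01"},
    "Legacy ETL":             {"created": "2023-03-15", "scopes": {"full", "refresh_token"}, "last_used": "2024-09-30"},
}
CURRENT_SNAPSHOT = {
    "Salesforce Data Loader": {"created": "2024-01-10", "scopes": {"api", "refresh_token"}, "last_used": "2025-07-22"},
    "Marketing Sync":         {"created": "2023-11-02", "scopes": {"api", "full"}, "last_used": "2025-07-21"},
    "Legacy ETL":             {"created": "2023-03-15", "scopes": {"full", "refresh_token"}, "last_used": "2024-09-30"},
    "Salesforce DataLoader":  {"created": "2025-07-21", "scopes": {"full", "refresh_token"}, "last_used": "2025-07-21"},
    "My Ticket Portal":       {"created": "2025-07-21", "scopes": {"full", "refresh_token"}, "last_used": "2025-07-21"},
}
# Constructed setup audit trail lines in an assumed "<date> <user> <action>" layout.
AUDIT_TRAIL = [
    "2025-07-21 admin@corp.example nonSecurityReviewedManagedPackageInstalled",
    "2025-07-21 admin@corp.example changedPassword",
]

BROAD_SCOPES = {"full", "refresh_token"}          # scopes called out in the post
TRUSTED_TOOL_NAMES = ["Salesforce Data Loader"]   # assumed list of tools your org actually uses
DORMANT_DAYS = 90                                 # assumed dormancy window


def is_lookalike(name, threshold=0.8):
    """True when a non-trusted app name closely resembles a trusted tool name."""
    if name in TRUSTED_TOOL_NAMES:
        return False
    ratio = max(difflib.SequenceMatcher(None, name.lower(), t.lower()).ratio()
                for t in TRUSTED_TOOL_NAMES)
    return ratio >= threshold


def audit(previous, current, audit_trail, today="2025-07-22"):
    """Return governance findings as tuples whose first element names the check."""
    today = date.fromisoformat(today)
    findings = []
    for name, app in current.items():
        old = previous.get(name)
        if old is None:
            findings.append(("new_app", name))                       # step 2
        elif app["scopes"] - old["scopes"]:
            findings.append(("scope_elevation", name,                # step 3
                             sorted(app["scopes"] - old["scopes"])))
        if is_lookalike(name):
            findings.append(("lookalike_name", name))                # step 2
        idle = (today - date.fromisoformat(app["last_used"])).days
        if idle > DORMANT_DAYS and app["scopes"] & BROAD_SCOPES:
            findings.append(("dormant_broad_scope", name, idle))     # step 1
    for line in audit_trail:
        if "nonSecurityReviewedManagedPackageInstalled" in line:
            findings.append(("unreviewed_package_install", line))    # step 4
    return findings


if __name__ == "__main__":
    for finding in audit(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, AUDIT_TRAIL):
        print(finding)
```

On the constructed data the script flags Marketing Sync for gaining the full scope, Legacy ETL as a dormant app that still holds full and refresh_token, the two newly registered apps, the "Salesforce DataLoader" name as a lookalike of the trusted tool, and the one unreviewed package install. Name similarity is a heuristic: keep the trusted-tool list short and review every hit by hand.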
For Vorlon customers using Salesforce
If you’re already a Vorlon customer with Salesforce connected, the good news is you’re covered. Our platform has preconfigured detection and alerting for ShinyHunters-style activity, including:
- OAuth app drift and dormant app detection
- New connected app creation alerts
- Scope elevation tracking (e.g., refresh_token full)
- Unreviewed package installation alerts
- API behavior anomalies tied to impersonation, TOR traffic, and bulk exports
These detections are already live and actively monitored in your environment.
➡️ If you’d like to review your current coverage or investigate specific signs of risk, contact your Customer Success representative. We’re here to support your response and readiness efforts.
Worried About Exposure? Get a Free Risk Assessment
If you use Salesforce and want to understand your exposure to tactics used in the ShinyHunters campaign, we’re here to help.
Vorlon is offering a free assessment based on your available logs and metadata. No agents, no production impact. Just clear answers.
We’ll help you:
- Identify suspicious OAuth activity
- Surface signs of impersonated apps or scope escalations
- Map potential data access and exfiltration patterns
Request your free assessment and get expert guidance from our security team.
ShinyHunters Salesforce attack Tactics, Techniques, and Procedures (TTPs)
The attacks targeting Salesforce environments follow a well-orchestrated and technically subtle progression. Rather than exploiting a software vulnerability, the attackers abuse OAuth trust, desktop application behavior, and user psychology to quietly gain and maintain access to sensitive CRM data.
Step 1: Social engineering via vishing
The attack typically begins with a phone-based social engineering (vishing) call, in which the attacker impersonates a company’s IT support team. The employee, often a Salesforce administrator or support staff, is told to perform an “urgent” troubleshooting or configuration task.
During the call, the attacker directs the victim to Salesforce’s Connected Apps authorization page and then asks the victim to enter a code to connect a desktop application that appears legitimate.
Step 2: Impersonation of a trusted app
The application being authorized is not what it seems. It is a lookalike version of Salesforce’s Data Loader, a legitimate admin tool used to bulk import and export CRM data. The attacker’s version mimics the interface and behavior of the real tool but is under their control.
Critically, the malicious app reuses the same OAuth client ID and redirect URI as the legitimate Data Loader. Because desktop apps use loopback redirect URIs (e.g., http://localhost) and cannot securely store secrets, any application on the device can impersonate a trusted one, as long as it knows the client ID and redirect URI.
This approach bypasses consent screens and avoids raising alerts, since the OAuth flow appears to be initiated from a known, pre-approved application.
Step 3: OAuth token issuance and silent access
Once the victim completes the login flow, Salesforce issues valid OAuth tokens to the attacker-controlled app. From an audit and monitoring perspective, this access appears routine:
- No new connected app is created
- No unusual IP address is observed (if the app runs on the victim’s device)
- No elevated permissions are requested
This makes the attack invisible to most traditional security controls.
Step 4: API-based data exfiltration
With valid tokens in hand, the attacker uses either a modified version of Data Loader or custom-built automation scripts to extract data from Salesforce. The process often starts with small queries to avoid detection, then escalates to bulk exports of:
- Contact lists
- Customer profiles
- Loyalty program data
- Internal business notes or sales records
The exfiltration is frequently routed through TOR or VPN-based infrastructure to further obscure the source of the access.
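Because the token issuance in step 3 looks routine, the exfiltration behaviour in step 4 is where detection has to happen. The following is an added example, not Vorlon's or Salesforce's code, that looks for exactly the two signatures described above: request sizes that start small and then escalate sharply for one user-and-app identity, measured against that identity's own warm-up baseline rather than a fixed threshold, and API calls arriving from known TOR exit addresses. The call record layout, the escalation ratio and the exit-node set are constructed assumptions; a real deployment would load a current exit-node feed.

```python
"""Detect the 'probe quietly, then pull everything' exfiltration pattern and TOR-routed
API access from step 4, using per-identity volume baselines.

Added example, not Vorlon's or Salesforce's code. The record layout and the
exit-node set are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed API call records: (timestamp, user, app, client_ip, rows_returned).
API_CALLS = [
    ("2025-07-15T09:00:00Z", "admin@corp.example", "Data Loader", "10.20.0.15", 50),
    ("2025-07-15T09:05:00Z", "admin@corp.example", "Data Loader", "10.20.0.15", 80),
    ("2025-07-15T09:10:00Z", "admin@corp.example", "Data Loader", "10.20.0.15", 60),
    ("2025-07-15T09:30:00Z", "admin@corp.example", "Data Loader", "198.51.100.9", 5000),
    ("2025-07-15T09:35:00Z", "admin@corp.example", "Data Loader", "198.51.100.9", 120000),
    ("2025-07-15T09:40:00Z", "admin@corp.example", "Data Loader", "198.51.100.9", 180000),
    ("2025-07-15T09:00:00Z", "sync@corp.example", "Marketing Sync", "10.20.0.44", 2000),
    ("2025-07-15T10:00:00Z", "sync@corp.example", "Marketing Sync", "10.20.0.44", 2100),
    ("2025-07-15T11:00:00Z", "sync@corp.example", "Marketing Sync", "10.20.0.44", 1900),
]
# Constructed placeholder exit-node set (documentation range), not real TOR addresses.
TOR_EXIT_NODES = {"198.51.100.9"}


def escalation_ratio(volumes, warmup=3):
    """Ratio of the largest request after the warm-up period to the warm-up average.
    Returns 0.0 when there are not enough calls to establish a baseline."""
    if len(volumes) <= warmup:
        return 0.0
    baseline = sum(volumes[:warmup]) / warmup
    return max(volumes[warmup:]) / baseline if baseline else float("inf")


def find_exfil_patterns(calls, ratio_threshold=50.0, warmup=3):
    """Group calls by (user, app), order them in time, and flag identities whose
    request sizes escalate sharply or whose calls come from a TOR exit node."""
    by_identity = defaultdict(list)
    for ts, user, app, ip, rows in calls:
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_identity[(user, app)].append((stamp, ip, rows))
    findings = []
    for (user, app), entries in by_identity.items():
        entries.sort()
        volumes = [rows for _, _, rows in entries]
        ratio = escalation_ratio(volumes, warmup)
        if ratio >= ratio_threshold:
            findings.append(("volume_escalation", user, app, round(ratio, 1)))
        tor_ips = sorted({ip for _, ip, _ in entries if ip in TOR_EXIT_NODES})
        if tor_ips:
            findings.append(("tor_exit_source", user, app, tor_ips))
    return findings


if __name__ == "__main__":
    for finding in find_exfil_patterns(API_CALLS):
        print(finding)
```

On the constructed calls the Data Loader identity is flagged twice: its requests jump from tens of rows to 180,000 rows (a ratio in the thousands against its own baseline), and its later calls originate from the placeholder exit node. The steady Marketing Sync integration, which moves a similar volume every hour, is not flagged, which is the point of baselining per identity instead of applying one global threshold.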
Step 5: Optional lateral movement
In some cases, the attacker uses harvested credentials or session data to pivot into other cloud environments, such as identity platforms or productivity suites. This lateral movement may target services like Okta or Microsoft 365, leveraging the trust and access already granted to the compromised user.
Key security gaps and lessons learned
This multi-stage attack takes advantage of the legitimate behavior of OAuth flows, combined with a high-trust application and a low-friction user experience. It highlights the urgent need for organizations to implement tighter controls around:
- Who can authorize high-privilege desktop applications
- What client IDs are trusted within their environment
- And how OAuth token behavior is monitored across users and non-human identities
Organizations affected by this campaign typically lack sufficient connected app governance, OAuth visibility, and non-human identity monitoring, which are common security gaps that enable these attacks to succeed.
A full set of indicators of compromise (IOCs), including IP addresses and behavioral patterns associated with this campaign, is available from Google Threat Intelligence Group.
Who’s behind the Salesforce vishing attacks?
Attributing cyberattacks is rarely straightforward, and the recent wave of Salesforce-related intrusions is no exception. In short, the Salesforce attacks are not the work of a single actor, but rather a fluid collaboration between skilled social engineers and data extortionists.
Based on public reporting from Google Threat Intelligence Group (GTIG), security researchers, and the attackers' direct claims, here’s what is known so far.
Threat Actor Quick Reference
| Name | First Reported | Role/Description |
| --- | --- | --- |
| UNC6040 | June 2025 (GTIG) | Initial access group. Executes vishing attacks, installs malicious OAuth apps, and exfiltrates Salesforce data. |
| UNC6240 | July 2025 (GTIG) | Handles extortion. Sends ransom emails and calls. Claims to be ShinyHunters. |
| ShinyHunters | 2020+ (multiple) | Cybercrime brand used in extortion. Linked to previous campaigns (e.g., Snowflake). Possibly a collective or extortion-as-a-service operation. |
| Scattered Spider | 2022+ (Mandiant) | Known for social engineering and MFA bypass. Tactics overlap with this campaign. May share members with ShinyHunters. |
| Sp1d3rHunters | August 2025 | Self-described identity used by attackers. Represents the merger or collaboration of ShinyHunters and Scattered Spider. |
| “The Com” | Ongoing (underground) | Cybercriminal forum/community. Believed to be a common space for recruitment and coordination among English-speaking threat actors. |
UNC6040: The initial intrusion group
The campaign’s initial access activity has been attributed by Google to a financially motivated group tracked as UNC6040. This group is known for conducting highly targeted voice phishing (vishing) attacks, impersonating IT support staff to trick employees into authorizing malicious OAuth applications in Salesforce, often disguised versions of Salesforce Data Loader. These apps give the attackers API-level access, allowing them to export large volumes of data without triggering typical security alerts.
UNC6040’s tactics have evolved over time. Early intrusions relied on Salesforce trial accounts and basic phishing infrastructure. More recent attacks involve the use of compromised third-party accounts, custom-built automation scripts, and TOR-based exfiltration to evade detection (Google).
UNC6240 and the “ShinyHunters” brand
In many cases, extortion attempts have followed weeks or months after the initial breach. These activities, such as emails or calls demanding Bitcoin payments, have been attributed to a separate threat cluster, tracked as UNC6240 by Google. UNC6240 consistently claims to be ShinyHunters, a well-known cybercrime group previously linked to data theft and extortion campaigns involving Snowflake, AT&T, and others (BleepingComputer).
Google has not confirmed whether UNC6040 and UNC6240 are operated by the same individuals, but acknowledges the close coordination between them. The "ShinyHunters" name appears to function more like a brand, used to amplify pressure and draw from the group’s prior notoriety.
Scattered Spider and the emergence of “Sp1d3rHunters”
The tactics used, especially vishing, OAuth abuse, and help desk impersonation, initially led some researchers to suspect Scattered Spider (UNC3944), a threat actor known for high-profile social engineering attacks in sectors like aviation and hospitality. ShinyHunters has since claimed in interviews and Telegram posts that they are working directly with Scattered Spider to conduct these attacks, stating that Scattered Spider provides initial access, while ShinyHunters handles exfiltration and extortion.
The attackers now refer to themselves as “Sp1d3rHunters,” a name that blends both brands and reflects what appears to be a merged or collaborative effort. Whether this represents a formal partnership or simply overlapping members operating under different banners remains unclear.
A decentralized collective
The broader picture emerging is that of a decentralized, loosely affiliated network, possibly operating as an extortion-as-a-service collective. Members may include former affiliates of groups like Lapsus$, and are likely active in English-speaking cybercrime forums such as “The Com.” Infrastructure overlaps, shared toolkits, and consistent branding suggest close ties, even if the operational boundaries between these groups are blurry.
Official responses
- Salesforce released a customer advisory and confirmed the breaches were not due to a system vulnerability, but to the use of compromised credentials.
- Salesforce guidance: Customers are urged to review and secure all integrations, rotate credentials, and enable MFA.
- Chanel and other victims notified regulators, began customer outreach, and launched investigations with law enforcement and cybersecurity experts.
- Law enforcement is actively investigating, and regulatory authorities are monitoring the situation.
Lack of access to API activity in logs hinders detection efforts
Threat actors are collaborating, and we in the security community need to do the same.
ShinyHunters’ activity was evasive, but not invisible. Signs of abuse, like large data exports or suspicious app registrations, could have been spotted in the logs.
The problem is that many Salesforce customers couldn’t access those logs. Like many SaaS vendors, Salesforce charges extra for the type of logs that capture API calls, integration activity, and data exfiltration behavior. In some cases, customers must file a support ticket to request access. That process can take hours or even days, which is far too long when every minute counts.
This isn’t unique to Salesforce. According to Vorlon’s research, 50% of SaaS vendors either charge licensing fees or require manual steps to access critical security logs.
“This breach isn’t just about one attacker or one platform. SaaS providers are not living up to their role in a shared security model. If customers can’t access logs instantly and without barriers, they are powerless. That’s simply unacceptable.”—Amir Khayat, CEO and Co-Founder of Vorlon
As APIs and integrations become the primary attack surface in SaaS, the fact that this activity is often unlogged, gated, or delayed is a serious flaw in the SaaS shared responsibility model.
Security teams aren’t asking for a premium feature. They’re asking for basic visibility into what’s happening across their ecosystem, especially in the channels attackers now abuse most.
The bigger picture: This is a SaaS ecosystem security problem
The ShinyHunters campaign is not just a Salesforce issue. It brings to light a broader SaaS ecosystem security problem. These attackers exploited the interconnected nature of modern SaaS environments, where API keys, service accounts, and third-party apps often operate without oversight.
Traditional tools focused on endpoints or static misconfigurations are useless here. Security teams need continuous monitoring, identity-aware detection, and real-time visibility across all human and non-human actors in their SaaS stack, especially for platforms like Salesforce that serve as critical business infrastructure.
We’ll continue tracking this campaign and helping customers respond. But the best defense is visibility, and Vorlon gives you the map.
Vorlon: Built for SaaS threats like this
Vorlon gives security and GRC teams the visibility they need to detect and respond to attacks like the ShinyHunters campaign before damage is done. By continuously analyzing OAuth activity, non-human identities, and data flows across your SaaS stack, Vorlon helps uncover signs of compromise that traditional tools miss.
If you're already a Vorlon customer, these detections are live in your environment. If you're not, now is the time to close the gaps.
Join us for our upcoming webinar with 451 Research
Join us on August 22 for a special executive webinar featuring S&P Global’s Justin Lam and Vorlon CEO Amir Khayat. We’ll discuss the ShinyHunters campaign, explore new research on SaaS and AI risk convergence, and share practical steps security teams can take to improve visibility and response.
Timeline of the coordinated Salesforce data theft attacks
Last updated: August 11, 2025
We are actively tracking the unfolding campaign linked to ShinyHunters (UNC6040), which continues to impact organizations leveraging Salesforce and other connected SaaS platforms. Below is a running timeline of confirmed breaches and related incidents. This section will be updated as more disclosures surface.
May 2025
🔹 Adidas
- Details: One of the earliest known victims. Attackers gained access to Salesforce systems containing customer engagement data.
- Impact: Customer names and contact data believed to be accessed. Full scope under investigation.
- Source: BleepingComputer
🔹 Louis Vuitton, Dior, Tiffany & Co. (LVMH Group)
- Details: Initially reported as isolated regional incidents, these breaches were later confirmed to be linked and traced to the ShinyHunters campaign.
- Impact: Customer databases were accessed, exposing names, contact info, and other personal identifiers.
- Source: BleepingComputer
June 2025
🔹 Pandora
- Details: Attackers accessed Pandora’s Salesforce environment, extracting marketing and customer information.
- Impact: Customer contact details were exposed. Investigation into sensitive PII exposure is ongoing.
- Source: BleepingComputer
July 2025
🔹 Qantas
- Details: Attackers obtained access to Salesforce records containing passenger and loyalty data.
- Impact: Exposed information included names, travel itineraries, and loyalty program details.
- Source: BleepingComputer
🔹 Allianz Life
- Details: Salesforce environment compromised via hijacked sessions.
- Impact: Contact and policyholder data was accessed.
- Source: BleepingComputer
🔹 Chanel
- Details: A breach was first reported in June; on August 4, 2025, it was confirmed that the breach appears to be related to Chanel’s Salesforce platform and the recent ShinyHunters activity.
- Impact: Both customer and employee data was stolen.
- Source: BleepingComputer
August 2025
🔹 Google
- Details: On August 6, 2025, Google confirmed that ShinyHunters were behind the unauthorized access to one of its own Salesforce systems used for SMB outreach.
- Impact: Limited to business contact info; no sensitive internal Google data was accessed.
- Source: BleepingComputer
🔹 Air France & KLM
- Details: Attackers accessed customer data for both airlines’ frequent flyer program, Flying Blue, via a third-party service provider. The method, session hijacking and unauthorized access to integrated SaaS systems, is consistent with the Salesforce/ShinyHunters campaign.
- Impact: Names, contact info, loyalty program details, and account status may have been exposed.
- Source: BleepingComputer
Likely Related
🔹 Cisco (July 2025)
- Details: Cisco disclosed a breach involving Cisco.com account credentials. The breach was not explicitly attributed to Salesforce, only to a “CRM system,” but the attackers used stolen session tokens, a method very similar to those used in the ShinyHunters campaign.
- Impact: Contact info and registration data were exposed.
- Source: BleepingComputer
We’ll keep watching
This campaign continues to unfold and may impact additional organizations. Vorlon is actively monitoring for new breach disclosures and will update this timeline regularly.
About the author
With over 20 years in cybersecurity, Mike Cioffi has worked across various areas, focusing on security operations tools, processes, and methodologies. He has held roles at Palo Alto Networks, Intel Security, and McAfee, honing his skills in optimizing cyber workflows and building efficiencies into security frameworks. Passionate about eliminating mundane security tasks, he strives to make cyber operations more efficient. At Vorlon, he focuses on helping enterprises gain better visibility and context into their third-party app ecosystem and the data flowing between them.