A coordinated cyberattack campaign targeting Salesforce integrations has compromised data at several major global brands, including Google, Chanel, Qantas, Allianz, LVMH, and Cisco.
The breaches began in May 2025 and are still unfolding. According to Google Threat Intelligence Group (GTIG), the initial intrusions were carried out by a financially motivated group known as UNC6040, which used voice phishing (vishing) to trick employees into authorizing malicious OAuth applications that impersonated trusted Salesforce tools.
In the weeks that followed, a separate threat cluster, UNC6240, began contacting victims with extortion demands. This group consistently identified itself as ShinyHunters, a name previously associated with major data-theft campaigns. The two clusters are believed to be linked, either through shared operators or close coordination.
These attacks did not exploit a vulnerability in Salesforce. Instead, they highlight how attackers can abuse trusted integrations, impersonate legitimate apps, and exploit non-human identities to move silently through SaaS environments, often without triggering traditional security alerts.
The Vorlon team has been actively monitoring ShinyHunters, working closely with our Salesforce customers to investigate potential signs of related activity and to implement alerts that can detect suspicious behavior tied to this threat and similar attacks. Now, we’re sharing our tips so you can detect and respond to ShinyHunters-style threats in your own SaaS environment.
The ShinyHunters campaign relies on a blend of social engineering, OAuth impersonation, and API-based data exfiltration. The attackers often use a lookalike version of the Salesforce Data Loader tool, authorized through a deceptive but legitimate OAuth flow. Because these attacks do not exploit a traditional vulnerability, they can be difficult to detect without deep visibility into your Salesforce environment.
Here are signs your organization may have been impacted:
Start by reviewing logs from Salesforce Event Monitoring, if available. Look for Bulk API jobs, large volume data exports, and report generation by unexpected users, all of which may indicate compromise.
Whether you’ve spotted suspicious behavior or want to proactively harden your environment, here are key steps to detect and prevent ShinyHunters-style attacks:
1. Audit and monitor OAuth applications
2. Alert on new OAuth app registrations
3. Track OAuth scope elevation events
4. Watch for unreviewed package installations
5. Implement proactive security controls
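As an added illustration (not Vorlon's code or the platform's own detections), the following Python pass applies the signs and steps above to constructed Salesforce-style event rows: large Bulk API exports, unreviewed connected-app installs, sensitive OAuth scope grants, and heavy exporters seen from more than one source address. The column names, threshold and allowlist are assumptions, not the real Event Monitoring schema.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows. The column names are an assumption loosely
# modelled on Event Monitoring CSV exports, not the real schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,APP_NAME,DETAIL,ROWS
BulkApi,2025-06-03T09:12:00Z,u-admin,10.0.0.5,Data Loader,query Contact,180
ConnectedApp,2025-06-03T09:30:00Z,u-admin,203.0.113.7,Ticket Helper,installed,0
OAuthScope,2025-06-03T09:31:00Z,u-admin,203.0.113.7,Ticket Helper,grant api refresh_token full,0
BulkApi,2025-06-03T09:40:00Z,u-admin,203.0.113.7,Data Loader,query Contact,250000
BulkApi,2025-06-03T09:55:00Z,u-admin,203.0.113.7,Data Loader,query Account,90000
ReportExport,2025-06-03T10:10:00Z,u-sales,10.0.0.9,Browser,Pipeline Report,400
"""

APPROVED_APPS = {"Data Loader", "Browser"}  # assumed org allowlist
SENSITIVE_SCOPES = {"full", "refresh_token"}
BULK_ROW_THRESHOLD = 50_000  # illustrative; tune to your own baseline

def parse_log(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def detect(rows, approved_apps=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return (rule, user, detail) findings for the signs described above."""
    findings = []
    rows_per_user = defaultdict(int)
    ips_per_user = defaultdict(set)
    for r in rows:
        user, ip, app, kind = r["USER_ID"], r["CLIENT_IP"], r["APP_NAME"], r["EVENT_TYPE"]
        ips_per_user[user].add(ip)
        if kind == "BulkApi":
            n = int(r["ROWS"])
            rows_per_user[user] += n
            # A lookalike that reuses the real Data Loader client ID is logged under
            # the approved app name, so volume and source rules carry the weight here.
            if n >= threshold:
                findings.append(("large_bulk_export", user, f"{r['DETAIL']} rows={n}"))
        elif kind == "ConnectedApp" and app not in approved_apps:
            findings.append(("unreviewed_app_install", user, app))
        elif kind == "OAuthScope":
            risky = set(r["DETAIL"].split()[1:]) & SENSITIVE_SCOPES
            if risky:
                findings.append(("sensitive_scope_grant", user, f"{app} {sorted(risky)}"))
    # Heavy exporters seen from more than one source address in the window.
    for user, ips in ips_per_user.items():
        if len(ips) > 1 and rows_per_user[user] >= threshold:
            findings.append(("export_from_multiple_ips", user, ",".join(sorted(ips))))
    return findings
```

Running `detect(parse_log(SAMPLE_LOG))` on the constructed rows flags the admin user five times while the ordinary report export stays silent.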
If you’re already a Vorlon customer with Salesforce connected, the good news is you’re covered. Our platform has preconfigured detection and alerting for ShinyHunters-style activity, including:
These detections are already live and actively monitored in your environment.
➡️ If you’d like to review your current coverage or investigate specific signs of risk, contact your Customer Success representative. We’re here to support your response and readiness efforts.
If you use Salesforce and want to understand your exposure to tactics used in the ShinyHunters campaign, we’re here to help.
Vorlon is offering a free assessment based on your available logs and metadata. No agents, no production impact. Just clear answers.
We’ll help you:
Request your free assessment and get expert guidance from our security team.
The attacks targeting Salesforce environments follow a well-orchestrated and technically subtle progression. Rather than exploiting a software vulnerability, the attackers abuse OAuth trust, desktop application behavior, and user psychology to quietly gain and maintain access to sensitive CRM data.
Step 1: Social engineering via vishing
The attack typically begins with a phone-based social engineering (vishing) call, in which the attacker impersonates a company’s IT support team. The employee, often a Salesforce administrator or support staff, is told to perform an “urgent” troubleshooting or configuration task.
During the call, the attacker directs the victim to Salesforce’s Connected Apps authorization page and then asks the victim to enter a code to connect a desktop application that appears legitimate.
Step 2: Impersonation of a trusted app
The application being authorized is not what it seems. It is a lookalike version of Salesforce’s Data Loader, a legitimate admin tool used to bulk import and export CRM data. The attacker’s version mimics the interface and behavior of the real tool but is under their control.
Critically, the malicious app reuses the same OAuth client ID and redirect URI as the legitimate Data Loader. Because desktop apps use loopback redirect URIs (e.g., http://localhost) and cannot securely store secrets, any application on the device can impersonate a trusted one, as long as it knows the client ID and redirect URI.
This approach bypasses consent screens and avoids raising alerts, since the OAuth flow appears to be initiated from a known, pre-approved application.
Step 3: OAuth token issuance and silent access
Once the victim completes the login flow, Salesforce issues valid OAuth tokens to the attacker-controlled app. From an audit and monitoring perspective, this access appears routine:
This makes the attack invisible to most traditional security controls.
Step 4: API-based data exfiltration
With valid tokens in hand, the attacker uses either a modified version of Data Loader or custom-built automation scripts to extract data from Salesforce. The process often starts with small queries to avoid detection, then escalates to bulk exports of:
The exfiltration is frequently routed through TOR or VPN-based infrastructure to further obscure the source of the access.
Step 5: Optional lateral movement
In some cases, the attacker uses harvested credentials or session data to pivot into other cloud environments, such as identity platforms or productivity suites. This lateral movement may target services like Okta or Microsoft 365, leveraging the trust and access already granted to the compromised user.
This multi-stage attack takes advantage of the legitimate behavior of OAuth flows, combined with a high-trust application and a low-friction user experience. It highlights the urgent need for organizations to implement tighter controls around:
Organizations affected by this campaign typically lack sufficient connected app governance, OAuth visibility, and non-human identity monitoring, which are common security gaps that enable these attacks to succeed.
A full set of indicators of compromise (IOCs), including IP addresses and behavioral patterns associated with this campaign, is available from Google Threat Intelligence Group.
Attributing cyberattacks is rarely straightforward, and the recent wave of Salesforce-related intrusions is no exception. In short, the Salesforce attacks are not the work of a single actor, but rather a fluid collaboration between skilled social engineers and data extortionists.
Based on public reporting from Google Threat Intelligence Group (GTIG), security researchers, and the attackers' direct claims, here’s what is known so far.
Threat Actor Quick Reference
| Name | First Reported | Role/Description |
| --- | --- | --- |
| UNC6040 | June 2025 (GTIG) | Initial access group. Executes vishing attacks, installs malicious OAuth apps, and exfiltrates Salesforce data. |
| UNC6240 | July 2025 (GTIG) | Handles extortion. Sends ransom emails and calls. Claims to be ShinyHunters. |
| ShinyHunters | 2020+ (multiple) | Cybercrime brand used in extortion. Linked to previous campaigns (e.g., Snowflake). Possibly a collective or extortion-as-a-service operation. |
| Scattered Spider | 2022+ (Mandiant) | Known for social engineering and MFA bypass. Tactics overlap with this campaign. May share members with ShinyHunters. |
| Sp1d3rHunters | August 2025 | Self-described identity used by attackers. Represents the merger or collaboration of ShinyHunters and Scattered Spider. |
| “The Com” | Ongoing (underground) | Cybercriminal forum/community. Believed to be a common space for recruitment and coordination among English-speaking threat actors. |
UNC6040: The initial intrusion group
The campaign’s initial access activity has been attributed by Google to a financially motivated group tracked as UNC6040. This group is known for conducting highly targeted voice phishing (vishing) attacks, impersonating IT support staff to trick employees into authorizing malicious OAuth applications in Salesforce, often disguised versions of Salesforce Data Loader. These apps give the attackers API-level access, allowing them to export large volumes of data without triggering typical security alerts.
UNC6040’s tactics have evolved over time. Early intrusions relied on Salesforce trial accounts and basic phishing infrastructure. More recent attacks involve the use of compromised third-party accounts, custom-built automation scripts, and TOR-based exfiltration to evade detection (Google).
UNC6240 and the “ShinyHunters” brand
In many cases, extortion attempts have followed weeks or months after the initial breach. These activities, such as emails or calls demanding Bitcoin payments, have been attributed to a separate threat cluster, tracked as UNC6240 by Google. UNC6240 consistently claims to be ShinyHunters, a well-known cybercrime group previously linked to data theft and extortion campaigns involving Snowflake, AT&T, and others (BleepingComputer).
Google has not confirmed whether UNC6040 and UNC6240 are operated by the same individuals, but acknowledges the close coordination between them. The "ShinyHunters" name appears to function more like a brand, used to amplify pressure and draw from the group’s prior notoriety.
Scattered Spider and the emergence of “Sp1d3rHunters”
The tactics used, especially vishing, OAuth abuse, and help desk impersonation, initially led some researchers to suspect Scattered Spider (UNC3944), a threat actor known for high-profile social engineering attacks in sectors like aviation and hospitality. ShinyHunters has since claimed in interviews and Telegram posts that they are working directly with Scattered Spider to conduct these attacks, stating that Scattered Spider provides initial access, while ShinyHunters handles exfiltration and extortion.
The attackers now refer to themselves as “Sp1d3rHunters,” a name that blends both brands and reflects what appears to be a merged or collaborative effort. Whether this represents a formal partnership or simply overlapping members operating under different banners remains unclear.
A decentralized collective
The broader picture emerging is that of a decentralized, loosely affiliated network, possibly operating as an extortion-as-a-service collective. Members may include former affiliates of groups like Lapsus$, and are likely active in English-speaking cybercrime forums such as “The Com.” Infrastructure overlaps, shared toolkits, and consistent branding suggest close ties, even if the operational boundaries between these groups are blurry.
Threat actors are collaborating, and we in the security community need to do the same.
ShinyHunters’ activity was evasive, but not invisible. Signs of abuse, like large data exports or suspicious app registrations, could have been spotted in the logs.
The problem is that many Salesforce customers couldn’t access those logs. Like many SaaS vendors, Salesforce charges extra for the type of logs that capture API calls, integration activity, and data exfiltration behavior. In some cases, customers must file a support ticket to request access. That process can take hours or even days, which is far too long when every minute counts.
This isn’t unique to Salesforce. According to Vorlon’s research, 50% of SaaS vendors either charge licensing fees or require manual steps to access critical security logs.
“This breach isn’t just about one attacker or one platform. SaaS providers are not living up to their role in a shared security model. If customers can’t access logs instantly and without barriers, they are powerless. That’s simply unacceptable.”—Amir Khayat, CEO and Co-Founder of Vorlon
As APIs and integrations become the primary attack surface in SaaS, the fact that this activity is often unlogged, gated, or delayed is a serious flaw in the SaaS shared responsibility model.
Security teams aren’t asking for a premium feature. They’re asking for basic visibility into what’s happening across their ecosystem, especially in the channels attackers now abuse most.
The ShinyHunters campaign is not just a Salesforce issue. It brings to light a broader SaaS ecosystem security problem. These attackers exploited the interconnected nature of modern SaaS environments, where API keys, service accounts, and third-party apps often operate without oversight.
Traditional tools focused on endpoints or static misconfigurations are useless here. Security teams need continuous monitoring, identity-aware detection, and real-time visibility across all human and non-human actors in their SaaS stack, especially for platforms like Salesforce that serve as critical business infrastructure.
We’ll continue tracking this campaign and helping customers respond. But the best defense is visibility, and Vorlon gives you the map.
Vorlon gives security and GRC teams the visibility they need to detect and respond to attacks like the ShinyHunters campaign before damage is done. By continuously analyzing OAuth activity, non-human identities, and data flows across your SaaS stack, Vorlon helps uncover signs of compromise that traditional tools miss.
If you're already a Vorlon customer, these detections are live in your environment. If you're not, now is the time to close the gaps.
Join us on August 22 for a special executive webinar featuring S&P Global’s Justin Lam and Vorlon CEO Amir Khayat. We’ll discuss the ShinyHunters campaign, explore new research on SaaS and AI risk convergence, and share practical steps security teams can take to improve visibility and response.
Last updated: August 11, 2025
We are actively tracking the unfolding campaign linked to ShinyHunters (UNC6040), which continues to impact organizations leveraging Salesforce and other connected SaaS platforms. Below is a running timeline of confirmed breaches and related incidents. This section will be updated as more disclosures surface.
🔹 Adidas
🔹 Louis Vuitton, Dior, Tiffany & Co. (LVMH Group)
🔹 Pandora
🔹 Qantas
🔹 Allianz Life
🔹 Chanel
🔹 Air France & KLM
🔹 Cisco (July 2025)
This campaign continues to unfold and may impact additional organizations. Vorlon is actively monitoring for new breach disclosures and will update this timeline regularly.
With over 20 years in cybersecurity, Mike Cioffi has worked across various areas, focusing on security operations tools, processes, and methodologies. He has held roles at Palo Alto Networks, Intel Security, and McAfee, honing his skills in optimizing cyber workflows and building efficiencies into security frameworks. Passionate about eliminating mundane security tasks, he strives to make cyber operations more efficient. At Vorlon, he focuses on helping enterprises gain better visibility and context into their third-party app ecosystem and the data flowing between them.