
The cyber extortion group ShinyHunters has intensified its ongoing campaign targeting major enterprises by launching a dedicated data leak site to publicly extort at least 39 victims of widespread Salesforce breaches [1]. This escalation follows a series of sophisticated attacks where the group, tracked by the FBI as UNC6040, has compromised corporate Salesforce environments to steal sensitive data, subsequently demanding ransoms reported to reach seven figures [2]. The campaign has prompted an official warning from the Federal Bureau of Investigation (FBI), which details two distinct threat groups exploiting different methods to gain unauthorized access to Salesforce instances [5].
The core attack method employed by UNC6040 involves a sophisticated social engineering scheme that abuses Salesforce’s OAuth implementation. Attackers, often using AI-powered voice agents from platforms like Bland AI and Vapi, place calls to employees, impersonating IT support staff addressing enterprise-wide connectivity issues [3, 5]. The employee is persuaded to navigate to the legitimate Salesforce “Connected App” setup page (`/setup/connect`) and enter a “connection code” provided by the attacker. This action links a malicious, attacker-controlled application (frequently a modified version of the Salesforce Data Loader) to the company’s Salesforce environment, granting persistent access without needing to bypass multi-factor authentication directly [2, 3]. Google’s Threat Intelligence Group has observed an evolution in these tactics, noting a shift from using standard Salesforce tools to custom Python scripts and from creating trial accounts to using compromised accounts from unrelated organizations to register malicious apps [8].
FBI Warns of Dual Threat Groups
The FBI’s FLASH alert from September 12, 2025, formally designates two groups involved in this campaign: UNC6040 (associated with ShinyHunters) and a second, distinct group known as UNC6395 [5]. While UNC6040 relies on voice phishing, UNC6395 utilized a different initial access vector. In August 2025, this group exploited compromised OAuth tokens for the Salesloft Drift application, an AI chatbot integrated with Salesforce. Using these stolen tokens, they gained direct access to victims’ Salesforce instances to exfiltrate data [5, 9]. This method impacted several high-profile cybersecurity firms, including Cloudflare, Zscaler, and Palo Alto Networks, with a focus on stealing support case data that often contains sensitive credentials and API keys. Salesloft, in collaboration with Salesforce, revoked all active tokens for the Drift application on August 20, 2025, terminating this specific access vector [5].
Expanding Victim List and Third-Party Risk
The list of confirmed victims is extensive and cross-sector, demonstrating the wide reach of these attacks. Major corporations such as Google, Qantas, Allianz Life, LVMH, Adidas, and Air France have been impacted [1, 2]. Google confirmed in August 2025 that a corporate Salesforce instance used for small and medium business contact information was compromised, though it stated the stolen data was confined to basic, largely public business information [6, 8]. The breach at HR technology firm Workday highlights the significant risk posed by interconnected third-party platforms. Workday confirmed that attackers compromised a third-party CRM system, widely reported to be Salesforce, and stole employee contact information. Critically, Workday emphasized there was “no indication of access to customer tenants or the data within them,” illustrating how a breach in a connected service can provide attackers with valuable data even if core primary systems remain secure [4, 10].
Mitigation and Detection Strategies
A multi-layered defense strategy is required to counter these threats, focusing on people, process, and technology. The FBI recommends specific mitigations, including training call center employees to recognize and report these sophisticated phishing attempts, as the attack exploits the helpful nature of employees who believe they are assisting legitimate IT requests [5, 10]. From a technical standpoint, enforcing strict access controls is paramount. This includes requiring phishing-resistant multi-factor authentication (MFA), such as FIDO2 security keys, and implementing the principle of least privilege [3, 5]. Organizations should also enforce IP-based access restrictions for critical cloud applications and rigorously monitor API usage for anomalous behavior indicative of data exfiltration.
Organizations using Salesforce must pay particular attention to their configuration and monitoring practices. A critical step is to restrict permissions for authorizing connected apps (e.g., “Customize Application,” “Manage Connected Apps”) to a very limited number of essential personnel and to conduct regular audits to remove unused or unknown applications [3, 8]. Leveraging Salesforce Shield can provide advanced monitoring and policy enforcement capabilities, and implementing Transaction Security Policies can help alert on or block large, suspicious data exports [3]. Continuous monitoring of network logs and browser session activity for the Indicators of Compromise (IOCs) provided by the FBI, which include over 100 IP addresses and specific malicious URLs, is also essential for early detection [5].
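The following Python script is an added example (not code from the article, the FBI alert, or Salesforce) showing how the three monitoring recommendations above can be turned into a concrete audit: an allowlist check of OAuth tokens for connected apps the organization never approved, a check of successful logins against the permitted corporate IP ranges, and a per-user sum of rows pulled through the API to surface large exports. The SOQL strings name real Salesforce objects (ConnectedApplication, OauthToken, LoginHistory) and the USER_ID / ROWS_PROCESSED field names are assumed to follow the API event type of EventLogFile; the records, allowlist, and IP ranges fed to the functions here are constructed sample data so the script runs offline.

```python
"""Audit helpers for detecting connected-app abuse in a Salesforce org.
Added example; not from the article or from Salesforce. The functions take
lists of dicts shaped like SOQL query rows / EventLogFile CSV rows."""
import ipaddress
from collections import defaultdict

# Queries a practitioner would run (REST API or a client library) to obtain the
# real inputs; listed for reference, not executed in this offline example.
SOQL_APPS = "SELECT Id, Name, CreatedDate, CreatedById FROM ConnectedApplication"
SOQL_TOKENS = "SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken"
SOQL_LOGINS = "SELECT UserId, SourceIp, LoginTime, Application, Status FROM LoginHistory"

# Constructed allowlist: connected apps the org deliberately approved.
APPROVED_APPS = {"Salesforce Mobile", "Corporate SSO Gateway"}
# Constructed corporate egress ranges (documentation prefixes, RFC 5737).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
# Rows returned via the API per user above which an export is "large" (assumed).
BULK_ROW_THRESHOLD = 100_000

# Constructed sample records standing in for query results.
SAMPLE_TOKENS = [
    {"Id": "0A1", "AppName": "Salesforce Mobile", "UserId": "005A",
     "LastUsedDate": "2025-09-10T08:00:00Z", "UseCount": 12},
    {"Id": "0A2", "AppName": "Data Loader Utility", "UserId": "005B",
     "LastUsedDate": "2025-09-11T02:14:00Z", "UseCount": 3},
]
SAMPLE_LOGINS = [
    {"UserId": "005A", "SourceIp": "203.0.113.40", "Status": "Success"},
    {"UserId": "005B", "SourceIp": "192.0.2.77", "Status": "Success"},
    {"UserId": "005C", "SourceIp": "192.0.2.78", "Status": "Invalid Password"},
]
SAMPLE_API_EVENTS = [  # field names assumed per the EventLogFile "API" event type
    {"USER_ID": "005A", "ENTITY_NAME": "Account", "ROWS_PROCESSED": "250"},
    {"USER_ID": "005B", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "90000"},
    {"USER_ID": "005B", "ENTITY_NAME": "Case", "ROWS_PROCESSED": "45000"},
]


def unapproved_tokens(tokens, approved=APPROVED_APPS):
    """OAuth tokens whose AppName is not an approved connected app. A Data
    Loader clone authorized through the /setup/connect code flow shows up
    here as a token for an app the org never approved."""
    return [t for t in tokens if t["AppName"] not in approved]


def offnet_logins(logins, networks=ALLOWED_NETWORKS):
    """Successful logins whose SourceIp falls outside the allowed ranges."""
    hits = []
    for row in logins:
        if row["Status"] != "Success":
            continue  # failed attempts are noise for this check
        ip = ipaddress.ip_address(row["SourceIp"])
        if not any(ip in net for net in networks):
            hits.append(row)
    return hits


def bulk_export_users(api_events, threshold=BULK_ROW_THRESHOLD):
    """Per-user total of rows returned through the API; users above the
    threshold are candidates for a large export (Contact/Account/Case pulls)."""
    totals = defaultdict(int)
    for ev in api_events:
        totals[ev["USER_ID"]] += int(ev["ROWS_PROCESSED"])
    return {user: n for user, n in totals.items() if n > threshold}


def run_audit(tokens=SAMPLE_TOKENS, logins=SAMPLE_LOGINS, api_events=SAMPLE_API_EVENTS):
    """Run all three checks and correlate: a user appearing in at least two
    signals (unknown app, off-network login, bulk export) is high confidence."""
    tok = unapproved_tokens(tokens)
    log = offnet_logins(logins)
    bulk = bulk_export_users(api_events)
    signals = defaultdict(set)
    for t in tok:
        signals[t["UserId"]].add("unapproved_app")
    for r in log:
        signals[r["UserId"]].add("offnet_login")
    for u in bulk:
        signals[u].add("bulk_export")
    return {
        "unapproved_tokens": tok,
        "offnet_logins": log,
        "bulk_export_users": bulk,
        "high_confidence_users": sorted(u for u, s in signals.items() if len(s) >= 2),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

In practice the three inputs would be refreshed on a schedule (the token and login queries are cheap; the API event rows come from EventLogFile downloads, which require Event Monitoring), and a hit in `high_confidence_users` should trigger revocation of the token via the connected app's OAuth usage page and a review of what the user's session exported.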
The launch of a dedicated data leak site by ShinyHunters marks a significant escalation in their extortion campaign, increasing public pressure on the nearly 40 known victims. This development, coupled with the official FBI warning, underscores the severe and persistent threat posed by these groups to enterprise cloud environments. The continuous adaptation of their tactics, including the use of AI-powered vishing and the exploitation of third-party integrations, means that organizations must maintain a vigilant and proactive security posture. A combination of comprehensive employee training, rigorous technical controls, and continuous monitoring is necessary to defend against these evolving attacks that target human trust as much as technological systems.