How ShinyHunters Hacking Group Stole Customer Data from Salesforce

A hacking group known as ShinyHunters has been linked to a recent breach that compromised the personal data of Salesforce customers. Although the number of affected customers has not been released, Google Threat Intelligence Group (GTIG) said the stolen details appeared to be limited to publicly accessible business information rather than sensitive personal records.

The recent breach is the latest in a series of attacks targeting Salesforce customers.

Analyzing the Salesforce breach

Attackers posed as Salesforce IT personnel and contacted targeted employees by phone — a social engineering tactic known as voice phishing or vishing — to persuade them to download a malicious version of the Salesforce Data Loader OAuth app.

After the malware was installed, the hackers allegedly followed up with calls or emails to demand payment in Bitcoin. GTIG also warned that the group could be preparing to release a larger cache of stolen data.

Investigating ShinyHunters

The hacking group known as ShinyHunters first surfaced in 2020. They gained early notoriety after claiming responsibility for stealing more than 200 million records from 13 companies, and have remained active in the years since.

Their operators typically attempt to extort victims with stolen data, and when those efforts fail, they have been observed publishing the information on hacking forums and illicit marketplaces.

A recent Google blog post reads, in part: “GTIG is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations’ Salesforce instances for large-scale data theft and subsequent extortion.”

It was eventually determined that the threat cluster referred to as UNC6040 is the prominent hacking group known as ShinyHunters. However, they might not be acting alone.

According to some sources, there is at least some crossover between ShinyHunters and Scattered Spider, a group of hackers from the US and the UK. Some of ShinyHunters’ members are also linked to an English-speaking hacking group known as The Com.

Protecting your system from ShinyHunters and other hackers

GTIG recommends various safeguards to protect your system from ShinyHunters and other hackers, including:

  • Giving users the fewest system privileges possible.
  • Controlling how connected apps interact and access your Salesforce environment.
  • Restricting the use of VPNs and unknown IP addresses.
  • Implementing advanced security controls via Salesforce Shield.
  • Requiring multi-factor authentication (MFA) for direct logins.

While these recommendations won’t protect your system from every threat imaginable, they will help you prevent most social engineering and vishing techniques.
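The safeguards above (an approved-app allowlist, trusted source networks, MFA on direct logins) are only useful if somebody checks for the cases that slip through them. The script below is an added example, not code from the article, GTIG or Salesforce: it triages a few constructed JSON-line events for the signals that fit the pattern described here, an unapproved connected app, an unknown source IP, a login without MFA, and an unusually large bulk export. The event field names, app names, networks and thresholds are all assumptions chosen for the example, not Salesforce's real Event Monitoring schema.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed policy values for this example (not Salesforce defaults).
ALLOWED_CONNECTED_APPS = {"Salesforce Data Loader (corp)", "Marketing Sync"}
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed corporate range
    ipaddress.ip_network("198.51.100.0/24"),  # constructed VPN egress range
]
BULK_EXPORT_ROW_THRESHOLD = 50_000

# Severity weights per finding type, used to rank users for review.
SEVERITY = {
    "unapproved_app": 3,
    "untrusted_ip": 2,
    "large_export": 3,
    "login_without_mfa": 2,
}

# Constructed sample events in a simplified JSON-lines schema (assumed, not real).
SAMPLE_EVENTS = """
{"user": "alice", "event_type": "BulkApiExport", "connected_app": "Salesforce Data Loader (corp)", "source_ip": "203.0.113.10", "rows": 1200, "mfa": true}
{"user": "bob", "event_type": "BulkApiExport", "connected_app": "Data Loader", "source_ip": "198.18.0.5", "rows": 250000, "mfa": true}
{"user": "carol", "event_type": "Login", "connected_app": null, "source_ip": "198.51.100.7", "mfa": false}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted networks.

    Unparseable addresses are treated as untrusted rather than raising."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate_event(ev: dict) -> list[tuple[str, str]]:
    """Return (finding_type, detail) pairs for one event; empty if it looks normal."""
    findings = []
    app = ev.get("connected_app")
    if app and app not in ALLOWED_CONNECTED_APPS:
        findings.append(("unapproved_app", f"connected app not on allowlist: {app!r}"))
    if not ip_is_trusted(ev.get("source_ip", "")):
        findings.append(("untrusted_ip", f"source IP outside trusted networks: {ev.get('source_ip')}"))
    if ev.get("event_type") == "BulkApiExport" and ev.get("rows", 0) >= BULK_EXPORT_ROW_THRESHOLD:
        findings.append(("large_export", f"bulk export of {ev['rows']} rows"))
    if ev.get("event_type") == "Login" and not ev.get("mfa", False):
        findings.append(("login_without_mfa", "direct login completed without MFA"))
    return findings


def triage(events: list[dict]) -> dict[str, dict]:
    """Group findings by user and compute a severity score for each user.

    Users with no findings are omitted so the output is the review queue."""
    per_user: dict[str, dict] = defaultdict(lambda: {"score": 0, "findings": []})
    for ev in events:
        for kind, detail in evaluate_event(ev):
            entry = per_user[ev["user"]]
            entry["score"] += SEVERITY[kind]
            entry["findings"].append(f"{kind}: {detail}")
    # Highest score first so the riskiest account is reviewed first.
    return dict(sorted(per_user.items(), key=lambda kv: kv[1]["score"], reverse=True))


if __name__ == "__main__":
    for user, entry in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user} (score {entry['score']})")
        for line in entry["findings"]:
            print(f"  - {line}")
```

Run stand-alone it prints bob first (unapproved app, untrusted IP and a large export) and carol second (a login without MFA); alice, who used the approved app from a trusted range, does not appear. In a real deployment the allowlist and trusted ranges would come from the tenant's connected-app and login-IP configuration rather than constants, and the threshold would be tuned to the org's normal Data Loader volumes.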

What comes next

Given GTIG’s warning of a large-scale data leak, we might be hearing from ShinyHunters sooner rather than later. In the meantime, companies across the globe are scrambling to update their systems, install the latest patches, and enact new security controls meant to protect their Salesforce environments from uninvited guests.
