Hackers Behind Salesforce Breach Publish Leak Site With 39 Victims

ShinyHunters focus on customer accounts, not Salesforce itself, in a large-scale extortion campaign

Khaled Hassan


Introduction

Another big cybersecurity story is making headlines. This time, it’s Salesforce customers under fire. A hacker group called ShinyHunters has launched a leak site and claims to have stolen data from 39 different companies. Their aim? Extortion—pay up or see your data published online.

The important part: Salesforce itself wasn’t hacked. Instead, attackers went after customer accounts and integrations, mainly by tricking people and abusing connected apps.

Who Are ShinyHunters?

ShinyHunters is a well-known hacking group that’s been around since 2020, responsible for several major data leaks. They usually show up on dark web forums with massive stolen databases.

In this campaign, they’re using methods similar to Scattered Spider (UNC6040)—focusing on people and third-party connections instead of breaking into Salesforce’s core systems.

How Did the Attack Happen?

Hackers didn’t exploit a Salesforce bug. Instead, they used a mix of social engineering and tool abuse:

Phone Scams (Vishing)

Attackers called employees, pretended to be tech support, and convinced them to give access.

Fake Connected Apps

They got companies to approve malicious apps through OAuth, which handed them valid tokens.

Data Loader Abuse

They reportedly used modified versions of Salesforce’s Data Loader to pull huge amounts of data quickly.

Companies Impacted

The ShinyHunters leak site lists 39 companies. Some of the most notable include:

  • Google – confirmed exposure of Salesforce data tied to small business partners.
  • Chanel – admitted its U.S. customer database was compromised.
  • Other names include Adidas, Louis Vuitton, Cisco, Qantas, Allianz Life, Disney, Ikea, and McDonald’s.

Important: being listed doesn’t always mean a full-scale breach—investigations are still ongoing.


Salesforce and Law Enforcement Response


Salesforce has stated its main systems remain secure. The attacks targeted customer environments and integrations. The FBI warned of active campaigns by groups like UNC6040 and UNC6395 against Salesforce customers. Google Threat Intelligence described it as a data extortion operation and urged organizations to check their connected apps.

Potential Impact of the Breach

Loss of Customer Trust

If private data is exposed, customers may lose confidence.

Regulatory Penalties

Companies could face fines under strict data protection laws.

Financial Costs

Handling incident response, legal issues, and remediation can be expensive.

Reputational Damage

Negative press and brand image damage may hurt future business.

How to Protect Your Company


1. Audit OAuth Apps

Review all connected apps and revoke suspicious or unnecessary permissions.


2. Enable Multi-Factor Authentication (MFA)

Require MFA for all users, especially those with admin rights.


3. Train Employees

Educate staff to spot phishing or vishing attempts before granting access.


4. Monitor Logs

Keep an eye on Salesforce activity logs for unusual behavior.


5. Restrict Access


Limit who can use tools like Data Loader and reduce the number of admins.
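Steps 1, 4 and 5 can be checked against exported data. The script below is an added example, not code from this article or from Salesforce: it flags connected apps outside an allowlist, Data Loader use by people not permitted to run it, and unusually large pulls per user and app. The CSV column names, allowlists, threshold and sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example,
# not a documented Salesforce export schema; map them to your own export.
OAUTH_CSV = """app_name,user,last_used
Data Loader,alice@example.com,2025-01-10
Helpdesk Connector,bob@example.com,2025-01-12
Marketing Sync,carol@example.com,2025-01-11
"""

API_LOG_CSV = """timestamp,user,app_name,rows_returned
2025-01-12T09:00:00Z,alice@example.com,Data Loader,1200
2025-01-12T09:05:00Z,bob@example.com,Helpdesk Connector,250000
2025-01-12T09:06:00Z,bob@example.com,Helpdesk Connector,310000
2025-01-12T10:00:00Z,carol@example.com,Marketing Sync,800
"""

APPROVED_APPS = {"Data Loader", "Marketing Sync"}  # hypothetical allowlist
DATA_LOADER_USERS = {"dave@example.com"}           # hypothetical: who may bulk-export
ROW_THRESHOLD = 100_000                            # hypothetical row budget per user/app


def audit(oauth_csv, api_csv, approved, loader_users, threshold):
    """Return a sorted list of (finding, user, app) tuples."""
    findings = set()
    # Step 1 and step 5: every authorized app must be approved, and
    # Data Loader must only be authorized for the people allowed to use it.
    for row in csv.DictReader(io.StringIO(oauth_csv)):
        app, user = row["app_name"], row["user"]
        if app not in approved:
            findings.add(("unapproved_app", user, app))
        elif app == "Data Loader" and user not in loader_users:
            findings.add(("data_loader_not_permitted", user, app))
    # Step 4: sum rows pulled per (user, app) and flag totals over the budget.
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(api_csv)):
        totals[(row["user"], row["app_name"])] += int(row["rows_returned"])
    for (user, app), rows in totals.items():
        if rows > threshold:
            findings.add(("bulk_export", user, app))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(OAUTH_CSV, API_LOG_CSV, APPROVED_APPS,
                         DATA_LOADER_USERS, ROW_THRESHOLD):
        print(finding)
```

Each finding is a lead for review rather than proof of compromise; an unapproved app that is also pulling large row counts is the combination to look at first.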

Conclusion

not the platform itself.

If your company uses Salesforce, don’t wait for a scare like this. Audit your apps, enforce strong login security, and train your employees to spot scams.

Bottom line: Salesforce wasn’t hacked, but attackers took advantage of poor security practices. Now’s the time to lock things down.

FAQs

Was Salesforce hacked?
No. Salesforce’s core systems remain secure. The attacks targeted customer accounts, integrations, and employees.

Which companies were affected by the ShinyHunters breach?
The leak site listed 39 companies, including Google, Chanel, Adidas, Cisco, Louis Vuitton, Disney, Ikea, and McDonald’s.

How did hackers steal Salesforce data?
They tricked employees with phone scams, abused OAuth permissions, and used modified Data Loader tools to extract large datasets.

What should companies do right now?
Review OAuth apps, enable MFA, train employees, and monitor system logs for unusual activity.

Could my company be at risk?
If you use Salesforce and haven’t reviewed your connected apps or security settings recently, then yes—you could be vulnerable.
