A coordinated series of data breaches affecting major corporations, including Qantas, Adidas, Allianz Life, and luxury group LVMH, has been traced to a cyber extortion group known as ShinyHunters. The attackers used voice phishing techniques to access Salesforce CRM systems, manipulating employees into linking malicious applications to their environments.
Vishing, Fake Portals, and OAuth Exploits
According to Google’s Threat Intelligence Group (GTIG), the attackers, tracked as UNC6040, posed as internal IT support staff during phone calls with targeted employees. Victims were persuaded to visit Salesforce’s connected app setup page and enter a “connection code” that granted access to a disguised version of Salesforce’s Data Loader app. In some cases, the tool was rebranded as “My Ticket Portal” to avoid suspicion.
This campaign also used phishing pages impersonating Okta login interfaces to steal credentials and multi-factor authentication (MFA) tokens. GTIG confirmed that the attacks were primarily voice phishing-driven but were supplemented by credential-theft vectors. While the companies impacted did not publicly name Salesforce, technical details and court filings reveal that “Accounts” and “Contacts” database tables, which are specific to Salesforce, were compromised.
Global Fallout Across Industries
LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. reported unauthorised access through a vendor managing customer data. Allianz Life acknowledged a breach involving a third-party, cloud-based CRM platform on July 16, 2025. Qantas, according to court records, had data accessed through its Salesforce instance, though it has not officially confirmed this.
ShinyHunters has been contacting affected firms directly via email, demanding ransoms without publicly leaking data—yet. Analysts fear a staged release if extortion demands go unmet, similar to the group’s previous operations, including the Snowflake and PowerSchool incidents.
Salesforce clarified that its platform remains uncompromised and urged users to adopt stricter access controls. Recommended actions include enabling MFA, limiting connected apps, restricting IP logins, and designating security contacts.
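The connected-app abuse described above (a rebranded Data Loader authorised through a connection code) leaves a trace in login records, and two of the recommended controls, limiting connected apps and restricting login IPs, can be expressed as review rules over those records. The script below is an added example, not code from the article or from Salesforce; the record fields (`application`, `source_ip`, `login_type`), the allowlists and the sample events are constructed assumptions chosen for illustration, and the login-type string used to denote an OAuth connected-app session is likewise assumed.

```python
"""Flag risky connected-app logins in constructed Salesforce-style login records.

Added example, not from the article or Salesforce. Field names, allowlists
and sample events are assumptions chosen to illustrate the two controls
recommended above: limit connected apps and restrict login IPs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed marker for a session established through an OAuth connected app.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


@dataclass(frozen=True)
class LoginEvent:
    user: str
    application: str  # name the connected app presented at authorisation
    source_ip: str
    login_type: str


# Policy the defender controls: the connected apps the org actually registered
# and the corporate egress ranges logins are expected to come from.
APPROVED_APPS = {"Salesforce Data Loader", "Corporate Integration"}
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]  # TEST-NET range, constructed


def is_corporate_ip(ip: str) -> bool:
    """True when the source address falls inside an approved egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def assess(event: LoginEvent) -> list[str]:
    """Return the reasons an event needs review; an empty list means clean."""
    findings: list[str] = []
    # Rule 1: an OAuth session from an app the org never registered. A copy of
    # Data Loader rebranded as a ticket portal fails this check by name alone.
    if event.login_type == OAUTH_LOGIN_TYPE and event.application not in APPROVED_APPS:
        findings.append(f"unapproved connected app: {event.application!r}")
    # Rule 2: any login, interactive or API, from outside corporate ranges.
    if not is_corporate_ip(event.source_ip):
        findings.append(f"login from non-corporate address {event.source_ip}")
    return findings


def review(events: list[LoginEvent]) -> dict[str, list[str]]:
    """Map each user with at least one finding to their list of findings."""
    report: dict[str, list[str]] = {}
    for event in events:
        findings = assess(event)
        if findings:
            report.setdefault(event.user, []).extend(findings)
    return report


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    LoginEvent("alice", "Salesforce Data Loader", "203.0.113.10", OAUTH_LOGIN_TYPE),
    LoginEvent("bob", "My Ticket Portal", "198.51.100.7", OAUTH_LOGIN_TYPE),
    LoginEvent("carol", "Browser", "198.51.100.7", "Application"),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Alice's approved app from a corporate address produces no findings; Bob's "My Ticket Portal" session trips both rules, and Carol's ordinary login trips only the IP rule. In practice the allowlist would be populated from the org's connected-app registry rather than hard-coded, and the report fed to whoever holds the designated security contact role.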
Experts note overlapping tactics with another group, Scattered Spider (UNC3944), suggesting shared membership or operational coordination within cybercriminal forums. Some researchers also link these groups to former members of the disbanded Lapsus$ hacking collective.