Prolific threat group ShinyHunters, previously reported on by Obrela, is in the middle of an ongoing threat campaign following a year of inactivity. Targeting Salesforce instances, the group has been exploiting a number of significant global organizations and extorting victims.
Description:
ShinyHunters was likely formed in 2020 and achieved numerous hacks against large organizations in the following 4 years (Ticketmaster, AT&T, Microsoft, Santander) through targeted phishing campaigns and exploitation of legitimate credentials for cloud services. Following an apparent hiatus from summer 2024, the group has resumed activities with a renewed set of tactics such as highly targeted voice phishing (vishing) and social engineering attacks. There are also signs that suggest a partnership with the equally major and highly publicized threat group Scattered Spider.
In its new threat campaign, ShinyHunters is specifically targeting and exploiting organizations making use of Salesforce-hosted databases, crafting related phishing domains and credential harvesting pages to gain organizational access, along with the highly effective vishing attacks and VPN obfuscation that are characteristic of Scattered Spider’s toolset.
Recent victims of Salesforce-based exploitations include HR firm Workday, Google, Cisco, Qantas, and numerous retailers (Pandora, Louis Vuitton, Chanel, Adidas). Some analyses suggest that the next potential targets are financial services and technology service providers. Salesforce Security has released a blog post detailing protection guidelines against the attacks, which can be found below.
Recommendations:
- Review the Salesforce security bulletin for specific guidance: https://www.salesforce.com/blog/protect-against-social-engineering/.
- For similar applications, consider the following:
  - Enforce Multi-Factor Authentication (MFA) universally.
  - Enforce IP-based access restrictions.
  - Manage and limit access to connected applications following a principle of least privilege.
References:
- https://www.obrela.com/advisory/shinyhunters-data-breach-activity-increase/
- https://www.salesforce.com/blog/protect-against-social-engineering/
- https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/
- https://techcrunch.com/2025/08/18/hr-giant-workday-says-hackers-stole-personal-data-in-recent-breach/
- https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion