
ShinyHunters’ Voice Phishing Attacks Target Salesforce Users, Breaches Hit Qantas, LVMH, Adidas, and Allianz

A recent wave of high-profile data breaches affecting global brands such as Qantas, Allianz Life, LVMH, and Adidas has been traced to the ShinyHunters extortion group. The group has been exploiting voice phishing tactics to compromise Salesforce CRM instances, according to Google’s Threat Intelligence Group (GTIG).

In June, GTIG reported that a threat actor tracked as UNC6040 was conducting sophisticated social engineering campaigns targeting Salesforce users. The attackers posed as IT support over phone calls, directing victims to the Salesforce connected app setup page and instructing them to enter a “connection code.” This action granted access to a malicious version of Salesforce’s Data Loader OAuth app. In some cases, the Data Loader tool was disguised as “My Ticket Portal” to appear legitimate.

While most attacks involved vishing (voice phishing), credentials and MFA tokens were also stolen through fake Okta login pages. Around this time, several companies disclosed breaches involving third-party customer service or cloud CRM systems.
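The pattern above, a user talked into approving an unfamiliar connected app that then pulls data in bulk through the API, leaves traces in the OAuth authorizations recorded for the org. The triage script below is an added example for this post, not tooling from Google, Salesforce or BleepingComputer; the records are constructed, and it assumes an export shaped like the Salesforce OauthToken object (AppName, UserId, CreatedDate, LastUsedDate, UseCount) with the approved-app list and burst thresholds set per org.

```python
"""Triage Salesforce OAuth app authorizations for the vishing pattern:
an app the org never approved (often named after a familiar tool such as
Data Loader or a "ticket portal") that starts hammering the API right
after it is granted. Heuristic output for an analyst, not a verdict."""
from datetime import datetime, timedelta

# Constructed sample export (not real data). Field names are assumed to
# follow the Salesforce OauthToken object.
OAUTH_TOKENS = [
    {"AppName": "Salesforce Data Loader", "UserId": "005AAA", "UseCount": 3,
     "CreatedDate": "2025-07-16T09:00:00", "LastUsedDate": "2025-07-16T09:30:00"},
    {"AppName": "My Ticket Portal", "UserId": "005BBB", "UseCount": 180,
     "CreatedDate": "2025-07-16T10:00:00", "LastUsedDate": "2025-07-16T10:40:00"},
    {"AppName": "Data Loader v2", "UserId": "005CCC", "UseCount": 2,
     "CreatedDate": "2025-07-16T11:00:00", "LastUsedDate": "2025-07-16T11:05:00"},
    {"AppName": "Salesforce for Outlook", "UserId": "005DDD", "UseCount": 400,
     "CreatedDate": "2025-07-14T08:00:00", "LastUsedDate": "2025-07-16T08:00:00"},
]

# Assumed org allowlist of connected apps that went through change control.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}
# Name fragments seen in the campaign described above (lowercase matching).
LOOKALIKE_TERMS = ("data loader", "dataloader", "ticket portal")


def triage(tokens, approved=APPROVED_APPS, burst_uses=50,
           burst_window=timedelta(hours=1)):
    """Return one finding per suspicious token with the reasons it tripped."""
    findings = []
    for tok in tokens:
        name = tok["AppName"]
        created = datetime.fromisoformat(tok["CreatedDate"])
        last_used = datetime.fromisoformat(tok["LastUsedDate"])
        reasons = []
        if name not in approved:
            reasons.append("app not on approved list")
            if any(term in name.lower() for term in LOOKALIKE_TERMS):
                reasons.append("name mimics a known tool")
        # A freshly granted app used dozens of times within the hour looks
        # like a bulk export, whatever the app calls itself.
        if tok["UseCount"] >= burst_uses and last_used - created <= burst_window:
            reasons.append(f"{tok['UseCount']} uses within {burst_window}")
        if reasons:
            findings.append({"UserId": tok["UserId"], "AppName": name,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(OAUTH_TOKENS):
        print(f["UserId"], f["AppName"], "->", "; ".join(f["reasons"]))
```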

LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to customer databases, with Tiffany Korea stating the breach stemmed from “a vendor platform used for managing customer data.” Similarly, Adidas, Qantas, and Allianz Life reported incidents linked to external systems. Allianz Life confirmed that on July 16, 2025, a “malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America.”

Although Qantas has not confirmed whether Salesforce was involved, local media reports claim the stolen data came from its Salesforce instance. Court filings also reveal that the attackers targeted “Accounts” and “Contacts” — both native Salesforce database objects.

BleepingComputer has since verified that all affected companies were targeted as part of the same campaign highlighted by Google. So far, the breaches have not resulted in public data leaks, with ShinyHunters allegedly attempting private email extortion. Experts warn that if these efforts fail, mass data leaks similar to the group’s previous Snowflake incidents could follow.

"We have not identified any data leak sites associated with this activity," said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG. "It is plausible that the threat actor intends to sell the data instead of sharing it publicly. This approach would align with prior ShinyHunters Group activity."

Google notes that it is tracking these incidents under separate designations: UNC6040 for the initial breaches and UNC6240 for the subsequent extortion attempts.

The ShinyHunters group has long been associated with large-scale data theft and extortion schemes. Their methods sometimes overlap with those used by Scattered Spider (UNC3944), another notorious hacking group targeting sectors like aviation, retail, and insurance. While Scattered Spider typically conducts full network breaches — sometimes deploying ransomware — ShinyHunters often focus on cloud-based platforms and web applications.

Some security researchers believe there is significant crossover between UNC6040/UNC6240 and UNC3944, with both groups potentially sharing members or operating within the same online circles. The network is also suspected to overlap with “The Com,” a cybercriminal collective of English-speaking hackers.

Theories suggest that ShinyHunters may operate as an extortion-as-a-service model, conducting extortion campaigns for other hacking groups in exchange for a profit share. The group has been tied to past breaches at PowerSchool, Oracle Cloud, Snowflake, AT&T, Wattpad, and others. Even after multiple arrests of individuals linked to the name, fresh attacks continue, with the group often identifying itself as a “collective.”

Salesforce maintains that its systems remain uncompromised, with the breaches resulting from social engineering targeting customer accounts rather than platform vulnerabilities.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform… customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," the company told BleepingComputer.