In 2025, a sophisticated wave of data breaches shook some of the world’s most recognized companies—Qantas, Allianz Life, and LVMH. Investigations reveal these incidents are connected by a common thread: the ShinyHunters cyber extortion group. These attacks have been notable not only for the caliber of targeted organizations but for their focus on Salesforce-connected customer relationship management (CRM) platforms. Importantly, the breaches did not stem from vulnerabilities in Salesforce’s own infrastructure; rather, they exploited weaknesses at the user and organizational level.
Attack Methodology
ShinyHunters employed a combination of advanced social engineering and credential theft to infiltrate the CRM environments of their targets. Members of the group posed as IT support staff, using convincing phone calls to manipulate employees. Victims were persuaded to navigate to Salesforce’s connected app setup page and supply connection codes, thus linking a malicious OAuth application—sometimes disguised as legitimate Salesforce tools such as Data Loader—to their corporate Salesforce instance.
The attackers also operated phishing websites mimicking Okta login portals to harvest employee credentials and multi-factor authentication tokens. The primary targets were sensitive business records—including “Accounts” and “Contacts” objects within the Salesforce platform—enabling extensive data exfiltration.
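The pattern described above, an unapproved connected app carrying a trusted tool's name and then pulling large volumes of "Accounts" and "Contacts" records, can be expressed as a detection rule. The Python below is an added example, not part of the original reporting and not Salesforce's own log format: the event schema, field names, client ids, allowlist and row threshold are all constructed assumptions to be mapped onto whatever audit data an organization actually collects.

```python
from collections import defaultdict

# Constructed allowlist and thresholds (assumptions, not vendor values).
APPROVED_APPS = {"Data Loader": "client-id-approved-0001"}  # app name -> approved client id
SENSITIVE_OBJECTS = {"Account", "Contact"}
ROW_THRESHOLD = 10_000  # rows read from sensitive objects before we call it bulk export

# Constructed sample events in a hypothetical, simplified schema.
EVENTS = [
    {"type": "oauth_authorize", "user": "alice", "app": "Data Loader", "client_id": "client-id-approved-0001"},
    {"type": "query", "user": "alice", "client_id": "client-id-approved-0001", "object": "Contact", "rows": 200},
    {"type": "oauth_authorize", "user": "bob", "app": "Data Loader (IT Support)", "client_id": "client-id-unknown-9999"},
    {"type": "query", "user": "bob", "client_id": "client-id-unknown-9999", "object": "Account", "rows": 48000},
    {"type": "query", "user": "bob", "client_id": "client-id-unknown-9999", "object": "Contact", "rows": 310000},
]

def normalize(name):
    """Lowercase and drop punctuation/spaces so cosmetic name variations still match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def is_lookalike(app, client_id):
    """True when the name contains an approved tool's name but the client id is not the approved one."""
    return any(normalize(name) in normalize(app) and client_id != approved_id
               for name, approved_id in APPROVED_APPS.items())

def detect(events):
    """Report every unapproved connected app, with its sensitive-object read volume."""
    approved_ids = set(APPROVED_APPS.values())
    unapproved, rows = {}, defaultdict(int)
    for e in events:
        if e["type"] == "oauth_authorize" and e["client_id"] not in approved_ids:
            unapproved[e["client_id"]] = (e["user"], e["app"])
        elif e["type"] == "query" and e["object"] in SENSITIVE_OBJECTS:
            rows[e["client_id"]] += e["rows"]
    return [{"client_id": cid, "user": user, "app": app,
             "lookalike": is_lookalike(app, cid), "rows": rows[cid],
             "bulk_export": rows[cid] >= ROW_THRESHOLD}
            for cid, (user, app) in unapproved.items()]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Matching on the client id rather than the display name is the point of the rule: the name is attacker-controlled, while the allowlisted identifier is not.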
Organizational Impact
Qantas:
An estimated 5.7 million customer records were compromised. Although Qantas has not publicly cited Salesforce as the point of entry, investigative reporting and court records indicate the attack originated via CRM compromise. The tactics exactly match those documented by Google’s Threat Intelligence analysts in their reporting on ShinyHunters (UNC6040).
Allianz Life:
On July 16, 2025, Allianz Life Insurance Company of North America uncovered unauthorized access to its third-party, cloud-based CRM platform. The breach affected the vast majority of its 1.4 million customers, along with its workforce and affiliated financial professionals. Allianz Life has confirmed that attackers succeeded via social engineering and CRM-side manipulation. Industry investigators widely attribute the attack to ShinyHunters.
LVMH (Louis Vuitton, Dior, Tiffany & Co.):
Multiple LVMH subsidiaries reported data theft originating from unauthorized access to a third-party customer data management solution. While the company has not provided exhaustive details, the circumstances closely align with the ShinyHunters attack pattern targeting Salesforce-connected environments.
Extortion Strategy and Industry Response
ShinyHunters distinguished itself from traditional ransomware gangs by employing “private extortion” tactics. Rather than immediately publishing stolen data, they privately contacted victim organizations, threatening to leak sensitive information unless ransom demands were met. As of July 2025, there has been no widespread public release of the exfiltrated datasets, though the risk persists should negotiations fail—a scenario reminiscent of the group’s earlier Snowflake breach.
Salesforce, for its part, has reiterated that its core platform remains uncompromised. The company emphasized that the breaches are a result of user-side vulnerabilities, particularly around authentication processes and susceptibility to targeted social engineering.
Unmasking Overlaps and Evolving Threats
The ShinyHunters campaign has drawn comparisons with the Scattered Spider (UNC3944) group. Both have made use of sophisticated social engineering, but while Scattered Spider often pursues full network control and ransomware, ShinyHunters is increasingly specialized in CRM data theft and targeted extortion. There is evidence to suggest some personnel and tactical overlaps between the groups.
Recent campaigns indicate that ShinyHunters is evolving, leveraging highly convincing phishing and “extortion-as-a-service” models. Their focus on the weakest link—human error and third-party integrations—underscores a growing threat in cloud-based enterprise environments.