In the first half of 2025, a highly coordinated cyberattack campaign targeted dozens of companies using Salesforce, including major players in technology, fashion, aviation, and insurance. Attackers claim to have compromised data from 91 organizations worldwide. Victims include Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, and Pandora.
At TecnetOne, we closely monitor incidents like these because they highlight an uncomfortable truth: you don’t always need to exploit a technical vulnerability to steal data. In this case, the entire attack relied on social engineering, not on flaws in Salesforce’s infrastructure.
According to the Google Threat Intelligence Group (GTIG), attackers combined vishing (voice phishing) calls with abuse of Salesforce’s Connected Apps feature. Posing as IT support staff, they called employees and instructed them to follow “urgent” steps to fix supposed problems.
During these calls, victims were directed to the Connected Apps authorization page and asked to enter an 8-digit code. Unknowingly, they were granting access to a malicious app controlled by the attackers—often disguised as a legitimate Salesforce Data Loader or with fake names like “My Ticket Portal.”
Once permissions were granted, the attackers gained API access to the Salesforce environment and could exfiltrate large amounts of data: customer profiles, contact lists, loyalty program details, and internal information. In some cases, these credentials were even used to infiltrate Office 365 and other cloud platforms.
Sequence of attack for the Data Loader (Source: Google Threat Intelligence Group)
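The abuse pattern described above (a user authorizes an unfamiliar Connected App, which then pulls CRM data over the API in bulk) lends itself to a simple detection rule. The following is an added example, not code from the article or from Salesforce: it scans constructed authorization and API events for unapproved apps that use a lookalike name or export a large number of rows shortly after being authorized. The event layout, app names and allowlist are assumptions, not Salesforce's actual log schema.

```python
"""Added example, not from the article or from Salesforce: flag a Connected
App that is authorized and then immediately pulls a large volume of CRM
records. Event records, app names and field layout are constructed
assumptions, not Salesforce's log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of Connected Apps the org has reviewed and approved.
APPROVED_APPS = {"Salesforce Data Loader (corp build)", "Marketing Sync"}
WINDOW = timedelta(hours=2)     # exports this soon after authorization are suspicious
ROW_THRESHOLD = 10_000          # rows pulled inside WINDOW before alerting

# Constructed events: (ISO timestamp, user, event kind, app name, rows returned)
EVENTS = [
    ("2025-06-03T09:02:00", "jdoe",   "oauth_authorize", "My Ticket Portal", 0),
    ("2025-06-03T09:05:00", "jdoe",   "api_query",       "My Ticket Portal", 8_000),
    ("2025-06-03T09:20:00", "jdoe",   "api_query",       "My Ticket Portal", 45_000),
    ("2025-06-03T10:00:00", "asmith", "oauth_authorize", "Marketing Sync",   0),
    ("2025-06-03T10:30:00", "asmith", "api_query",       "Marketing Sync",   50_000),
    ("2025-06-03T11:00:00", "rlee",   "oauth_authorize", "Salesforce Data Loader", 0),
    ("2025-06-03T15:00:00", "rlee",   "api_query",       "Salesforce Data Loader", 500),
]

def mimics_trusted_name(app):
    """Unapproved app that borrows a trusted product's name (lookalike)."""
    return app not in APPROVED_APPS and "data loader" in app.lower()

def find_suspicious_authorizations(events):
    """Return [(user, app, rows, reason)] for unapproved apps that either
    use a lookalike name or export ROW_THRESHOLD+ rows within WINDOW."""
    auth_time, rows_in_window = {}, defaultdict(int)
    for ts, user, kind, app, rows in sorted(events):   # ISO timestamps sort correctly
        key, when = (user, app), datetime.fromisoformat(ts)
        if kind == "oauth_authorize":
            auth_time[key] = when
            rows_in_window.setdefault(key, 0)          # track even if no export follows
        elif kind == "api_query" and key in auth_time \
                and when - auth_time[key] <= WINDOW:
            rows_in_window[key] += rows
    alerts = []
    for (user, app), total in rows_in_window.items():
        if app in APPROVED_APPS:
            continue
        if mimics_trusted_name(app):
            alerts.append((user, app, total, "lookalike app name"))
        elif total >= ROW_THRESHOLD:
            alerts.append((user, app, total, "bulk export right after authorization"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_authorizations(EVENTS):
        print("ALERT:", alert)
```

Running it flags jdoe's "My Ticket Portal" (53,000 rows within two hours of authorization) and rlee's unapproved "Salesforce Data Loader" by name, while the approved Marketing Sync export is ignored.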
The group, identified as UNC6040 and linked to the alias ShinyHunters, used a Telegram channel called Scattered Lapsu$ Hunters to post samples of stolen data and pressure companies. These “previews” act as a public warning: if the ransom isn’t paid, the rest of the information will be leaked or sold.
In August, the group escalated its activities by posting screenshots of negotiations with victims, adding more pressure.
Google confirmed that one of its Salesforce CRM environments was compromised, affecting prospective Google Ads customers. The exposed data included business names, phone numbers, and internal notes, but no payment details or Ads account information.
ShinyHunters claimed the stolen database contained 2.55 million records (possibly with duplicates) and that they worked alongside another group, Scattered Spider, to gain initial access. Together, they now call themselves “Sp1d3rHunters.”
Reports indicate the group sent Google a “demand” for 20 Bitcoins (around $2.3 million), though they later claimed it was “just for fun” and they had no real intention to negotiate. Regardless, they confirmed the use of custom tools—including Python scripts—to extract Salesforce data faster, instead of relying solely on the Data Loader.
Establishing a connection with the Data Loader controlled by the threat actor requires the victim to enter an authentication code. (Source: Google Threat Intelligence Group)
At TecnetOne, we always emphasize that social engineering is one of the most dangerous threats because it targets the weakest link: people. This case is a clear example.
Recommendations to protect yourself: