ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than 3 million Salesforce records along with internal corporate data, GitHub repositories, and contents from AWS S3 buckets, then posted a "FINAL WARNING" on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts.
The intrusion was linked in reporting to three alleged access paths involving Salesforce CRM, Salesforce Aura/Experience Cloud, and AWS environments, and to activity tracked as UNC6040 and UNC6395. Threat intelligence cited in the coverage said the attackers have used vishing to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Cisco has not publicly addressed the March extortion claim
As of the April 1, 2026 reporting, Cisco had not publicly responded to the March 2026 ShinyHunters extortion claim. Researchers urged immediate Salesforce-focused mitigations such as auditing OAuth apps, revoking suspicious tokens, and monitoring for unauthorized Data Loader activity.
Reports detail alleged Cisco intrusion paths and stolen data
Subsequent reporting said the alleged Cisco data originated from Salesforce environments and may include records tied to customers, employees, and U.S. and foreign government personnel. The claimed intrusion paths included Salesforce CRM, Salesforce Aura/Experience Cloud, and AWS environments, with screenshots allegedly showing access to Cisco-linked AWS infrastructure.
ShinyHunters posts Cisco extortion claim with April 3 deadline
In late March 2026, ShinyHunters posted a 'FINAL WARNING' on its leak site claiming responsibility for breaches affecting Cisco and threatening to leak data after April 3, 2026. The group alleged compromise of more than 3 million Salesforce records along with internal data, GitHub repositories, and AWS S3 buckets.
Cisco describes vishing campaign targeting employee access
Cisco previously disclosed a vishing campaign in which attackers targeted employees to gain access to internal systems and customer data. Later reporting connected this activity to tactics used by ShinyHunters-linked clusters abusing Salesforce OAuth access.
Google designates ShinyHunters activity cluster as UNC6040
Google Threat Intelligence Group assigned the ShinyHunters-linked intrusion activity the cluster name UNC6040 in August 2025. The designation was used in later reporting about Salesforce-focused intrusions and extortion activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
ICE confirms use of Paragon spyware in drug trafficking cases | brief | SC Media
scworld.com
Open sourceShinyHunters issues final warning to Cisco over alleged data theft | brief | SC Media
scworld.com
Open sourceMassive Cisco breach claimed by ShinyHunters | brief | SC Media
scworld.com
Open sourceShinyHunters Hackers Claim Theft of 3M+ Cisco Records, Threaten Public Leak
hackread.com
Open sourceCisco Source Code and Data Leak Allegedly Claimed by ShinyHunters - Cyber Security News
cybersecuritynews.com
Open sourceCisco threatened by ShinyHunters after alleged data heist | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Extorts Charter and ZenBusiness After SaaS Account Breaches
Charter Communications confirmed a data breach after **ShinyHunters** threatened to leak allegedly stolen data, with the group claiming it accessed the company on April 1 through a voice-phishing attack that compromised an employee's Microsoft Entra account and opened a path into Charter's Salesforce environment. The attackers said they stole **40 million customer records**, including names, contact details, plan information, support ticket data, and some customer proprietary network information, while Charter said it notified authorities and, based on the data published, no sensitive personal information or CPNI was exfiltrated. The Charter incident follows a broader ShinyHunters extortion campaign targeting enterprise single sign-on accounts and connected SaaS platforms, especially **Salesforce**. In a separate case, the group claimed it stole several terabytes of data from **ZenBusiness** via platforms including Salesforce, Snowflake, and Mixpanel, and threatened to publish the data unless the company responded. Reporting also linked the campaign to claims involving Ameriprise Financial, Infinite Campus, Bumble, Hinge, Match, OkCupid, Mercer Advisors, Beacon Pointe Advisors, and attacks affecting Instructure's Canvas platform, underscoring a repeatable pattern of social engineering, SaaS data theft, and leak-site extortion.
May 30, 2026
Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.
Mar 21, 2026
Klue OAuth Supply-Chain Breach Exposed Salesforce Data Across Multiple Customers
Attackers breached **Klue**, a market intelligence platform, by abusing a compromised legacy integration credential and planting malicious code that harvested customer OAuth tokens from Klue's integration infrastructure. The stolen tokens were then used to access connected **Salesforce** environments through the Klue Battlecards app and exfiltrate CRM data via Salesforce REST API queries, with reporting describing automated Python-based collection, burst querying, and use of endpoints such as `/services/data/v59.0/query/*`. Klue said it detected unauthorized activity on June 12, revoked affected credentials and tokens, removed the malicious code, disabled impacted integrations, engaged CrowdStrike, and notified law enforcement, while **Salesforce** separately disabled the Klue Battlecards connection and said the incident did not result from a vulnerability in the Salesforce platform itself. The breach has been linked by Huntress and other responders to the **Icarus** extortion group, which allegedly sent ransom emails and threatened to leak stolen data on its site. Publicly disclosed victims include Huntress, Recorded Future, Jamf, Tanium, HackerOne, OneTrust, Snyk, Sprout Social, Gong, Insurity, and others, with exposed information generally limited to business CRM records such as contacts, account data, quotes, sales communications, and contract-related details. Affected companies said there was no evidence that core products, internal infrastructure, passwords, payment card data, engineering systems, or customer security telemetry were compromised, but several warned that the stolen contact data could be used in follow-on phishing and social engineering campaigns.
Jun 23, 2026