ShinyHunters voice-phishing extortion through Salesforce-connected accounts

ShinyHunters is using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal, which gives the group access to customer data for ransom. Google later tracked the activity as UNC6040 and warned that the actors were extorting victims over stolen Salesforce data. The group escalated the pressure with a victim-shaming blog called Scattered LAPSUS$ Hunters that listed more than three dozen companies and said stolen Salesforce data would be published unless ransom was paid. Named entries included Toyota, FedEx, Disney/Hulu, and UPS, and the listed breach dates ranged from May to September 2025. The same material says the group claimed responsibility for a Discord breach and a Red Hat intrusion involving a GitLab server and more than 28,000 Git code repositories. The extortion threat also included a stated deadline of October 10 for publication of stolen Salesforce data if demands were not met. Available evidence shows an active social-engineering and data-extortion operation against enterprise accounts, but the full reach and any unreleased victim data remain unquantified.