Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

ShinyHunters Salesforce vishing data-theft campaign

Campaign
First reported
Last updated
Happening score
H score 44
1 unique sources, 1 articles

Summary

Hide ▲

The ShinyHunters extortion group is running an active Salesforce customer data-theft campaign that uses vishing and malicious OAuth apps, putting multiple organizations at risk of credential theft and extortion.

Related Happenings

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Open Happening

Over a dozen companies data exposed after SaaS integration provider Snowflake breach

Data Leak
First: 07.04.2026 22:39 Last: 07.04.2026 22:39 Sources 1

About this happening: A stolen-token attack from a **SaaS integration provider breach** has led to data theft claims affecting **over a dozen companies**, creating immediate exposure and extortion risk...

Open Happening

Aura customer data exposed after Aura breach

Data Leak
First: 19.03.2026 00:56 Last: 19.03.2026 00:56 Sources 1

About this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...

Open Happening

ShinyHunters Salesforce Experience Cloud misconfiguration campaign

Campaign
First: 10.03.2026 12:00 Last: 10.03.2026 12:00 Sources 1

About this happening: ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...

Latest development: 16.04.2026 13:35

ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.

Open Happening

ShinyHunters vishing campaign targeting SSO accounts

Campaign
First: 02.02.2026 15:46 Last: 02.02.2026 15:46 Sources 1

About this happening: The **ShinyHunters** group ran a **voice phishing** campaign against **single sign-on (SSO) accounts** at **Okta, Microsoft, and Google**, widening risk across **more than 100 hig...

Latest development: 26.05.2026 22:46

ShinyHunters claims it breached Charter Communications on April 1 by vishing an employee's Microsoft Entra account, then used that access to export millions of consumer and business customer records from the company's Salesforce instance; Charter says no sensitive personal information or CPNI was exfiltrated.

Open Happening

Timeline

  1. 02.09.2025 22:54 2 articles · 8mo ago

    ShinyHunters targets Salesforce customers with vishing and malicious OAuth apps

    Initial Disclosure

    ShinyHunters has been targeting Salesforce customers in data-theft attacks since the start of the year by using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. The campaign has been linked to breaches affecting Google, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, and LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co., with stolen databases later used for extortion.

    Show sources
    Open in new tab