ShinyHunters Salesforce extortion campaign against global companies in 2025
Campaign
Summary
Hide ▲
Show ▼
The ShinyHunters campaign now includes a Qantas breach disclosed after the airline found a June 30, 2025 intrusion in a third-party platform used by one customer service contact center. Qantas says attackers accessed systems holding customers’ PII before containment, affecting about 5.7 million passengers, and it links the incident to broader UNC6040 / ShinyHunters activity that has also hit Adidas, Pandora, Cisco, and others through Salesforce entry points. The airline says no payment card numbers, financial information, passport numbers, or Qantas account credentials were exposed, but it reduced executive short-term compensation by 15% after the breach.
Cases
Related Happenings
7-Eleven hit by network compromise
Incident
First: 19.05.2026 17:16
Last: 19.05.2026 17:16
Sources 1
About this happening:
**7-Eleven** is a **victim-focused breach incident** in which an **unauthorized third party** accessed systems used to store **franchisee documents** on **April 8, 2026**, trigger...
7-Eleven hit by network compromise
IncidentAbout this happening: **7-Eleven** is a **victim-focused breach incident** in which an **unauthorized third party** accessed systems used to store **franchisee documents** on **April 8, 2026**, trigger...
7-Eleven franchisee-docs and Salesforce data leak
Data Leak
First: 18.05.2026 14:25
Last: 18.05.2026 14:25
Sources 1
About this happening:
**7-Eleven** confirmed a **April 8, 2026** intrusion into systems used to store **franchisee documents**, and **ShinyHunters** later claimed the theft of **more than 600,000 Sales...
7-Eleven franchisee-docs and Salesforce data leak
Data LeakAbout this happening: **7-Eleven** confirmed a **April 8, 2026** intrusion into systems used to store **franchisee documents**, and **ShinyHunters** later claimed the theft of **more than 600,000 Sales...
Latest development: 26.05.2026 10:01
Have I Been Pwned analyzed the leaked 7-Eleven data and estimated that the breach exposed personal information for 185,300 people, including names, dates of birth, unique email addresses, phone numbers, and physical addresses. The exposed archive was tied to ShinyHunters' extortion campaign against 7-Eleven and followed the group's leak-site posting after ransom demands were not met.
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Grafana Labs Says GitHub hit by cyberattack
IncidentAbout this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
TeamPCP campaign expands across multiple victims
Campaign
First: 15.05.2026 13:54
Last: 15.05.2026 13:54
Sources 1
About this happening:
The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
TeamPCP campaign expands across multiple victims
CampaignAbout this happening: The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
ShinyHunters school-by-school extortion campaign targeting Canvas institutions
Campaign
First: 11.05.2026 13:05
Last: 11.05.2026 13:05
Sources 1
About this happening:
ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...
ShinyHunters school-by-school extortion campaign targeting Canvas institutions
CampaignAbout this happening: ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...
Timeline
-
15.01.2026 17:45 2 articles · 4mo ago
ShinyHunters Salesforce extortion campaign against global companies in 2025
Initial DisclosureThe early phase centered on **2025** attacks against **Salesforce portals** using **social engineering** and **voice phishing** to obtain credentials. That foothold then enabled lateral movement and data theft for extortion.
Show sources
- Hackers Increasingly Shun Encryption in Favour of Pure Data Theft and Extortion — www.infosecurity-magazine.com — 15.01.2026 17:45
- Grubhub confirms hackers stole data in recent security breach — www.bleepingcomputer.com — 15.01.2026 23:38
-
01.10.2025 17:56 2 articles · 7mo ago
Allianz Life says July 16 breach impacted 1.5 million
Victim Impact UpdateAllianz Life says a malicious threat actor gained access to a cloud-based system on July 16, 2025, obtained personal information for customers, financial professionals, and select employees, and later determined that 1,497,036 people were impacted; the insurer is notifying affected individuals and offering two years of free identity theft monitoring by Kroll, and the activity is likely tied to the ShinyHunters Salesforce attack wave.
Show sources
- Allianz Life says July data breach impacts 1.5 million people — www.bleepingcomputer.com — 01.10.2025 17:56
- Qantas Reduces Executive Pay Following Cyberattack — www.darkreading.com — 09.09.2025 22:17