
Qantas, Allianz, and LVMH Breached in ShinyHunters Salesforce Exploit

Exploited at scale.
Lily Morris
Contributing Writer

It has been confirmed that the recent wave of CRM-focused breaches affecting companies like Qantas, LVMH, Allianz Life, and Adidas is the work of ShinyHunters.

For weeks, attribution remained speculative, with some analysts pointing to Scattered Spider due to similarities in tactics and targets. However, according to Google’s Threat Intelligence Team, ShinyHunters, or UNC6040, has begun identifying itself in private extortion emails sent to victim organizations.

These emails directly reference the breach campaign.

Attackers impersonated internal IT support over the phone and guided employees to the connected app setup page within Salesforce. There, employees were asked to enter a connection code that authorized a rogue OAuth application, often disguised as a help desk tool.

This granted the attackers access to contact and account records without triggering standard security alerts.

Why It Matters: Attribution shifts an incident from reactive response to strategic defense. Now that ShinyHunters is confirmed as the actor behind this campaign, organizations can fine-tune detection, monitor for similar TTPs, and anticipate extortion patterns. It also reinforces that social engineering remains the Achilles’ heel of even the most secure cloud platforms.

  • OAuth abuse enabled stealth access to sensitive customer data: Attackers exploited Salesforce’s connected app functionality by posing as IT support and directing employees to enter a connection code. This linked a rogue version of Salesforce’s Data Loader, often renamed “My Ticket Portal,” to the victim’s environment. The method bypassed traditional perimeter defenses and allowed attackers to quietly extract data from CRM tables like Contacts and Accounts.
  • Extortion remains private, but the threat of leaks is growing: So far, none of the stolen data has been released publicly, but ShinyHunters has been contacting victims directly and demanding payment. Based on the group’s previous activity, researchers expect large-scale leaks if companies refuse to pay. This low-profile extortion model allows attackers to delay detection and avoid initial public scrutiny.
  • Scattered Spider’s expanding infrastructure sheds light on ShinyHunters’ methods: Over 500 phishing domains linked to Scattered Spider have been uncovered. These mimic the spoofed Salesforce login flows used by ShinyHunters, pointing to possible shared tooling or infrastructure. Many researchers believe these groups share members or operate in tandem within private cybercriminal forums. Some even suspect ShinyHunters may act as an extortion broker, handling ransom demands for other threat actors.
  • Salesforce reinforces customer security responsibilities: Salesforce maintains that its platform was not compromised and places the responsibility on customers to secure their environments. The company is urging organizations to enforce multi-factor authentication, restrict IP access, limit app permissions, and actively monitor activity using tools like Salesforce Shield. It also recommends reviewing how connected apps are authorized and managed. Salesforce is encouraging customers to view OAuth security and app trust governance as essential components of their cloud security posture.
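As an added example that is not part of the original article, the following Python sketch shows what the monitoring Salesforce recommends above could look like for the specific pattern described in this campaign: a connected app authorized via a connection code, then used to pull Contact and Account records in bulk. The event shapes, field names, allowlist and thresholds are assumptions, not Salesforce's real Event Monitoring schema; apps are matched by consumer key rather than display name, since the rogue app was a renamed Data Loader.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist keyed by connected-app consumer key, not display name:
# the rogue app here was a renamed Data Loader, so the name cannot be trusted.
APPROVED_APP_KEYS = {"key-corp-data-loader", "key-corp-mobile"}
SENSITIVE_OBJECTS = {"Contact", "Account"}
BULK_ROW_THRESHOLD = 10_000          # exports above this are flagged
WINDOW = timedelta(hours=2)          # auth-then-export correlation window

# Constructed sample events, loosely modelled on Salesforce Event Monitoring
# records; the field names are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:02:00", "type": "AppAuthorization", "user": "jdoe",
     "app_key": "key-unknown-1", "app_name": "My Ticket Portal"},
    {"ts": "2025-08-01T09:10:00", "type": "BulkApi", "user": "jdoe",
     "app_key": "key-unknown-1", "object": "Contact", "rows": 250_000},
    {"ts": "2025-08-01T09:15:00", "type": "BulkApi", "user": "jdoe",
     "app_key": "key-unknown-1", "object": "Account", "rows": 80_000},
    {"ts": "2025-08-01T11:00:00", "type": "BulkApi", "user": "asmith",
     "app_key": "key-corp-data-loader", "object": "Lead", "rows": 500},
]

def _when(event):
    return datetime.fromisoformat(event["ts"])

def find_alerts(events):
    """Flag unapproved app authorizations and sensitive bulk exports; escalate
    an export that follows a fresh unapproved authorization within WINDOW."""
    rogue_auth = {}   # (user, app_key) -> time of unapproved authorization
    alerts = []
    for e in sorted(events, key=_when):
        approved = e["app_key"] in APPROVED_APP_KEYS
        if e["type"] == "AppAuthorization" and not approved:
            rogue_auth[(e["user"], e["app_key"])] = _when(e)
            alerts.append(("medium", "unapproved_app_authorized",
                           e["user"], e["app_name"]))
        elif e["type"] == "BulkApi" and e["object"] in SENSITIVE_OBJECTS:
            authed_at = rogue_auth.get((e["user"], e["app_key"]))
            if authed_at is not None and _when(e) - authed_at <= WINDOW:
                alerts.append(("high", "export_after_rogue_app_auth",
                               e["user"], e["object"], e["rows"]))
            elif not approved or e["rows"] >= BULK_ROW_THRESHOLD:
                alerts.append(("medium", "sensitive_bulk_export",
                               e["user"], e["object"], e["rows"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the benign Lead export by the approved app produces nothing, while the rogue authorization and the two exports that follow it within the window are raised as one medium and two high alerts.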

Go Deeper:

  • ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH – BleepingComputer
  • Scattered Spider’s Expanding Web: 500+ Phishing Domains and One Simple Way to Stop Them – Token
