A recent string of breaches tied to cloud CRM systems is turning into something much broader. After earlier reports linked ShinyHunters to attacks on Qantas, Allianz, and LVMH, more companies are now stepping forward.

Google, Pandora, Chanel, and Cisco have each confirmed incidents involving unauthorized access to Salesforce environments or similar third-party platforms.

The attack method has stayed consistent.

Someone impersonates IT support, calls an employee, and convinces them to approve a connected application. This allows attackers to access customer records stored in cloud platforms.

In each reported case, attackers used the connected app access to retrieve structured data.

The stolen information has included names, emails, phone numbers, and internal account metadata. Companies that experienced breaches said the data did not include passwords or financial records.

According to public reporting, ShinyHunters has contacted several of the affected organizations with extortion demands. No public leaks have been reported so far, though researchers continue to monitor for exposure.

Why It Matters: The incidents show how CRM platforms can be used in unexpected ways when access is mismanaged. The attackers did not need to break into Salesforce directly. Instead, the breaches appear to stem from authorized access given under false pretenses. The result is data loss that is difficult to detect until after the fact. The campaign has affected a wide range of industries and continues to evolve.

• Google Confirms Access to One of Its Salesforce Systems: Google reported that attackers were able to view contact information stored in a Salesforce database used by its small business division. The data included company names and contact details. Google has not said how many customers were affected. It also declined to comment on whether it received a ransom demand.

• Customer Records Taken From Pandora and Chanel platforms: Pandora said names, birthdates, and emails were accessed through a third-party platform it uses. Chanel reported a similar incident involving its client care records in the United States. The exposed data included contact information, but no passwords or payment details. Both breaches followed the same general timeline and tactics.

• Cisco Targeted Through a Phone-based Scam: Cisco confirmed that one of its employees was tricked into granting access to a CRM system. The attackers obtained profile data stored in the system, including names, mailing addresses, email addresses, and internal user IDs. Cisco stated that no internal systems were affected and that it revoked the app’s access immediately after the breach was discovered.

• ShinyHunters Continue to Send Private Extortion Messages: The group behind the campaign has not posted any of the stolen data publicly. Instead, it is contacting companies one by one. These messages threaten to release the data unless demands are met. This tactic mirrors earlier campaigns, including the one targeting Snowflake, where long delays between breach and exposure gave attackers more leverage.

• Salesforce Stands by the Security of its Platform: Salesforce has repeated that its own systems have not been compromised. The company continues to advise clients to audit connected applications, enable multi-factor authentication, and apply tighter controls on what integrations can do. The incidents underscore how cloud platforms depend on software as well as how organizations choose to configure and manage them.

Go Deeper -> Google says hackers stole its customers’ data by breaching its Salesforce database – TechCrunch

Cisco Discloses Data Breach Linked to Social Engineering Attack – Cyber Insider

Pandora confirms data breach amid ongoing Salesforce data theft attacks – Bleeping Computer

Fashion giant Chanel hit in wave of Salesforce data theft attacks – Bleeping Computer