Salesforce Breach Intelligence

Salesforce Data Theft Alerts

ShinyHunters and affiliated groups have turned Salesforce into a primary attack vector. Track every incident, understand the tactics, and get alerted when the next one hits.

1,400 Companies Targeted
1 Billion+ Records Exposed
ACTIVE CAMPAIGN: ShinyHunters' Salesforce Experience Cloud campaign is ongoing as of April 2026, targeting overly permissive guest user configurations across 400+ sites. See latest below.

Incident Timeline
Apr 2026
Udemy — 1.4M Salesforce Records Leaked

On April 24, ShinyHunters listed Udemy on their dark web leak site, claiming 1.4 million records of PII and internal corporate data stolen from its Salesforce environment. After Udemy declined to negotiate, the group released the dataset publicly on April 27. Have I Been Pwned confirmed 1.4 million email addresses in the dump, including names, addresses, phone numbers, employer information, and instructor payout data.

Victims: Udemy — 1.4M records confirmed by HIBP; names, addresses, phone numbers, employer and payout data
Salesforce · Pay or Leak · Education
Sources: Cybernews · Hackread
Apr 2026
Zara, Carnival Corporation & 7-Eleven — April Leak Wave

ShinyHunters listed Zara, Carnival, and 7-Eleven on their dark web site on April 18 with an April 21 ransom deadline. All three refused to pay and had their data publicly dumped. Zara (Inditex) was breached via the Anodot-Snowflake chain — Inditex confirmed "unauthorized access to databases" stemming from "a former technology provider." 7-Eleven had 600,000+ Salesforce records stolen via the group's CRM access campaign. Carnival Corporation had 8.7 million customer records exfiltrated. Also listed in the same wave: Pitney Bowes, Canada Life Assurance Company (5.6M Salesforce records), Aman Resorts, Marcus & Millichap, Alert 360 (2.5M records), and Medtronic (9M records — later removed from the leak site, suggesting payment or negotiation).

Victims: Zara/Inditex (Anodot/Snowflake), Carnival (8.7M records), 7-Eleven (600K Salesforce records), Pitney Bowes, Canada Life (5.6M), Aman Resorts, Marcus & Millichap, Alert 360 (2.5M), Medtronic (9M)
Salesforce · Anodot / Snowflake · Pay or Leak · 40 Victims Total
Sources: Cybernews · TechRadar · SC Media
Apr 2026
Mytheresa — Luxury Retailer Breached April 12

High-end luxury e-commerce platform Mytheresa — carrying over 200 designer brands including Gucci, Prada, Bottega Veneta, and Saint Laurent — was breached by ShinyHunters on April 12. The group threatened to leak "sensitive customer PII and transactional history" and warned of "several annoying digital problems" if Mytheresa did not negotiate. The data was subsequently dumped after the ransom deadline expired.

Victims: Mytheresa customers — PII and transactional history exposed
Luxury Retail · PII + Transactional Data · Pay or Leak
Sources: Cybernews · TechRadar
Apr 2026
Amtrak — 9.4M Salesforce Records via Social Engineering

ShinyHunters posted Amtrak on their dark web blog on April 12, claiming 9.4 million Salesforce records containing PII and internal corporate data, with a ransom deadline of April 14. The group gained access via social engineering attacks on Amtrak employees earlier in 2026. Have I Been Pwned subsequently confirmed over 2 million unique email addresses in the leaked dataset, alongside names, physical addresses, and customer support records.

Victims: Amtrak — 9.4M records claimed; 2M+ unique emails confirmed by HIBP
Salesforce · Social Engineering · Transportation · HIBP Confirmed
Mar–Apr 2026
Hallmark — 8M Salesforce Records via Gainsight

ShinyHunters posted a final warning to Hallmark with an April 2 deadline, claiming nearly 8 million records of PII and internal corporate data stolen via a compromise of Hallmark's Salesforce environment through the Gainsight AppExchange integration. After Hallmark declined to pay, the data was released in mid-April. Have I Been Pwned confirmed 1.7 million unique email addresses across Hallmark Cards and Hallmark+ streaming subscribers. ShinyHunters cited this breach alongside claims of "almost 1,000" total Salesforce victims.

Victims: Hallmark Cards + Hallmark+ — 8M records claimed; 1.7M emails confirmed by HIBP
Salesforce · Gainsight / AppExchange · Supply Chain · HIBP Confirmed
Sources: Salesforce Ben · TechNadu
Apr 2026
McGraw-Hill — Salesforce Misconfiguration

ShinyHunters issued an extortion threat against McGraw-Hill after exploiting a Salesforce environment misconfiguration. The group claimed 45 million records containing PII — Have I Been Pwned independently verified 13.5 million accounts and over 100GB of leaked data. McGraw-Hill stated that core Salesforce accounts and customer databases were not accessed.

Victims: McGraw-Hill — 13.5M accounts confirmed leaked (45M claimed)
Misconfiguration · PII Exposure · Extortion · ShinyHunters
Apr 2026
Rockstar Games — Snowflake via Anodot Integration

ShinyHunters breached Rockstar Games' Snowflake environment via Anodot, a SaaS cloud-cost monitoring tool. Attackers used authentication tokens stolen from the Anodot integration to access Rockstar's data warehouses as a legitimate internal service — going undetected for an extended period. The group claimed nearly 80 million records and set a ransom deadline of April 14, after which they leaked GTA Online and Red Dead Online analytics data. Rockstar confirmed the breach.

Victims: Rockstar Games — ~80M records claimed; internal analytics leaked
Snowflake · Anodot Integration · Token Theft · Supply Chain
Mar 2026
Ameriprise Financial — Salesforce Records & SharePoint Data

ShinyHunters posted a "final warning" on their dark web site on March 22, claiming to hold Ameriprise Financial Salesforce records containing customer PII and over 200GB of compressed SharePoint internal corporate data. The group gave Ameriprise — a Minneapolis wealth management firm overseeing $1.17 trillion in assets — until March 25 to make contact or face a leak. No public statement was made by Ameriprise in response.

Victims: Ameriprise Financial customers — Salesforce PII + 200GB SharePoint data claimed
Financial Services · Salesforce PII · SharePoint · Extortion
Sources: Cybernews · Prism News
Mar 2026
ShinyHunters — Experience Cloud Mass Campaign (300–400 Orgs)

ShinyHunters claimed to have compromised between 300 and 400 companies by exploiting overly permissive guest user configurations in Salesforce's Experience Cloud (Aura). Mandiant confirmed the group weaponized AuraInspector — a security audit tool Mandiant itself released in January 2026 — to automate mass scanning and data extraction. Salesforce issued a trust advisory. FINRA issued a cybersecurity alert to member firms. Notable named victims included LexisNexis (3.9M records) and Loblaw (75.1M records claimed).

Affected: 300–400 companies including LexisNexis, Loblaw, cybersecurity firm Aura.com
Aura / Experience Cloud · AuraInspector · Guest User Misconfiguration · Mandiant
Mar 2026
Infinite Campus — Compromised Employee Salesforce Account

Infinite Campus, a K-12 student information system serving 3,200+ school districts and 11 million students across 46 states, notified customers of a breach after an employee's Salesforce account was compromised. ShinyHunters posted a "final warning" on March 24 demanding ransom contact by March 25. The company confirmed it would not comply. Exposed data consisted primarily of school staff names and contact details.

Victims: Infinite Campus — school staff across 3,200+ US districts; 11M student records at risk
Education · Compromised Account · K-12 Data
Mar 2026
Telus Digital — ~1 Petabyte via Salesloft Credential Chain

One of the largest data thefts ever recorded by volume. ShinyHunters found Google Cloud Platform credentials belonging to Telus Digital buried inside Salesforce data stolen from Salesloft in 2025. Using those GCP credentials, attackers accessed Telus's BigQuery databases and ran TruffleHog to find additional embedded credentials, pivoting across multiple systems. The haul included call-center records, source code, FBI background checks, Salesforce data, AI training data, and voice recordings. ShinyHunters demanded $65 million. Telus refused to engage.

Victims: Telus Digital + 28 named corporate clients — ~1 petabyte of data claimed
Supply Chain · GCP Credentials · Salesloft Pivot · $65M Ransom
Mar 2026
European Commission — AWS & Europa.eu Breach (350GB)

ShinyHunters breached and leaked over 350GB of data from the European Commission's Europa.eu platform, accessing at least one AWS account. CERT-EU attributed the breach to ShinyHunters. Exposed data included PII, internal email communications, sensitive documents, technical data, and records belonging to 42 internal clients and at least 29 EU entities. The Commission confirmed the breach, stating it took immediate steps to contain the incident.

Victims: European Commission — 350GB leaked; 42 internal clients and 29 EU entities affected
AWS · EU Government · CERT-EU Attributed · 350GB Leaked
Mar 2026
Axios npm Library — Software Supply Chain Attack

On March 30, 2026, an unnamed threat actor compromised an npm account associated with the widely-used Axios JavaScript HTTP client library, injecting malicious code into the package. Reported by StepSecurity, the attack represents a software supply chain approach — targeting the building blocks of SaaS ecosystems rather than individual organizations. Any Salesforce integration or downstream application relying on the compromised Axios package was potentially affected.

Victims: Downstream applications and Salesforce integrations dependent on the Axios npm package
Supply Chain · npm Compromise · Malicious Package
Sources: Salesforce Ben · RH-ISAC
Feb 2026
Odido (Netherlands) — 15M Salesforce Records

Dutch telecom Odido (formerly T-Mobile Netherlands) was breached via social engineering attacks targeting its Salesforce instances. ShinyHunters ultimately released the full dataset — claiming over 15 million Salesforce records containing full names, physical addresses, email addresses, phone numbers, IBAN numbers, plaintext passwords, passport numbers, and driver's license numbers. Have I Been Pwned confirmed 6.1 million unique email addresses across four data releases.

Victims: Odido — 15M Salesforce records; 6.1M unique emails confirmed by HIBP
Salesforce · Vishing · Telecom · IBAN / Passport Data · Full Dump Released
Jan 2026
Grubhub — Data Loader Social Engineering

Grubhub became the first confirmed major victim of the ShinyHunters Salesforce campaign in 2026. Attackers used a fraudulent version of the Salesforce Data Loader application, obtained after social engineering employees via phone calls impersonating IT support, to extract data from Grubhub's Salesforce environment.

Victims: Grubhub customers — contact data exposed
Data Loader Abuse · Vishing · Social Engineering
Jan 2026
Panera Bread, Match Group & Bumble — SSO Vishing Wave

A large-scale vishing campaign using voice-cloning and SSO credential harvesting swept through major consumer brands. Panera Bread confirmed 14 million records compromised (5.1M emails verified by HIBP). Match Group confirmed an incident affecting Hinge, Match.com, and OkCupid — approximately 10 million records. Bumble was separately hit with 30GB claimed from Google Drive and Slack. The campaign exploited Okta and Microsoft Entra SSO platforms.

Victims: Panera Bread (14M records), Match/Hinge/OkCupid (10M records), Bumble (30GB claimed)
SSO Vishing · Okta · Voice Cloning · Consumer Data
Dec–Jan 2025–26
SoundCloud, Betterment, Crunchbase & Others — SSO Campaign

ShinyHunters expanded their SSO credential-harvesting campaign through late 2025 and early 2026, hitting consumer platforms and financial services. SoundCloud was breached in December 2025 with roughly 29.8 million user accounts exposed. Betterment confirmed 1.4 million records stolen. Other victims in the same wave included Crunchbase, CarGurus, Canada Goose, CarMax, Edmunds, and Figure Technology Solutions (~1M records).

Victims: SoundCloud (29.8M), Betterment (1.4M), Crunchbase, CarGurus, Canada Goose, Figure, CarMax, Edmunds
SSO Compromise · Okta / Microsoft Entra · Consumer Platforms · Financial Services
Oct 2025
Mass Data Release After Failed Ransoms + FBI BreachForums Seizure

After ransom negotiations broke down with multiple Salesforce victims, ShinyHunters released millions of records on the dark web. The FBI simultaneously seized a BreachForums domain used by the group as a data-leak extortion site. Separately, Google confirmed that one of its corporate Salesforce instances was breached — exposing primarily publicly-available SMB customer data.

Victims: Multiple unnamed Salesforce customers; Google (Salesforce instance confirmed)
Data Leak · Ransom Failed · FBI Seizure · BreachForums
Jun–Sep 2025
The 91-Org Campaign — Luxury, Retail & Aviation

In mid-2025, a coordinated wave of intrusions targeted Salesforce environments across technology, retail, luxury fashion, aviation, and insurance. The campaign, tracked by Google as UNC6040 and attributed to ShinyHunters, relied entirely on social engineering — primarily voice phishing (vishing) — rather than any Salesforce platform vulnerability. Attackers posed as IT support staff to trick employees into downloading a trojanized Data Loader app. A ransom message claimed 91 organizations were compromised.

Named victims: Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz Life, Cisco, Pandora, Workday
UNC6040 · Vishing · Data Loader · 91 Orgs · Extortion
Aug 2025
Salesloft Drift — OAuth Token Theft

Attackers stole OAuth tokens from the Salesloft integration known as Drift, enabling unauthorized access and data exfiltration from 760 customer Salesforce instances. The incident shares significant technical similarity with a later Gainsight/AppExchange attack in which Salesforce was forced to revoke OAuth tokens and temporarily delist related applications. This OAuth-abuse vector represents a distinct and growing second attack pathway beyond social engineering.

Victims: 760 Salesforce instances via the Drift/Salesloft integration
OAuth Token Theft · Third-Party Integration · AppExchange Risk
Late 2025
Gainsight AppExchange — OAuth Revocation Event

Salesforce detected unusual activity related to Gainsight applications connected to its platform. In response, Salesforce revoked OAuth access and refresh tokens for the affected apps and temporarily removed them from AppExchange while the investigation was ongoing. The incident highlighted supply-chain risk through third-party AppExchange integrations and echoed the Drift OAuth theft methodology.

Victims: Gainsight-connected Salesforce customers (scope under investigation)
AppExchange · OAuth Revocation · Supply Chain · Gainsight
2019–2024
ShinyHunters Origins — Pre-Salesforce Campaign

ShinyHunters emerged around 2019 as a financially motivated hacking group, initially targeting consumer platforms and universities using phishing, social engineering, and third-party SaaS exploitation. Prior to the Salesforce-focused campaign, notable victims included AT&T Wireless, Microsoft, Santander, and Ticketmaster — many via abuse of unsecured Snowflake accounts. The group pioneered "pay or leak" extortion as a standard operating procedure. By 2024–2025, they pivoted to enterprise Salesforce environments as a systematic target.

Historic victims: AT&T, Microsoft, Santander, Ticketmaster, Snowflake customers
Snowflake · Pay-or-Leak · Consumer Platforms · 2019–2024