
The year 2025 has already seen its share of cyber shocks, but the latest wave of attacks led by the ShinyHunters group has left businesses worldwide on edge. Nearly 91 global companies — spanning luxury fashion, aviation, tech, retail, and insurance — have fallen victim to a data theft campaign that abused Salesforce systems.

How the Breach Happened

Unlike traditional hacks that exploit software flaws, this incident was fueled by human deception. Attackers posed as IT helpdesk staff in carefully orchestrated vishing (voice phishing) calls. Employees were tricked into authorizing malicious apps through Salesforce’s OAuth process.

Once approved, these fake apps acted like trusted programs, silently siphoning customer records, business contact lists, and sensitive notes. What’s more worrying is that no technical bug existed in Salesforce itself — instead, criminals weaponized trust and familiarity to gain entry.

The Key Players Behind the Attack

Cybersecurity analysts link the operation to ShinyHunters, a notorious collective that has been active since 2020. Their fingerprints — from domain naming styles to attack patterns — closely align with another social-engineering group called Scattered Spider. Some experts even suggest the two may be collaborating under a broader criminal network often referred to as “The Com.”

Big Names Among the Victims

The victim list reads like a who’s who of global enterprises: Google, Adidas, Cartier, Dior, Chanel, Tiffany & Co., Qantas Airways, Allianz Life, Cisco, Pandora, and many more.

  • Google confirmed unauthorized access to a Salesforce database containing small and medium business contact data. While no payment details or credentials were exposed, the breach is still significant, especially since Google itself had been studying ShinyHunters’ tactics before realizing it was also compromised.
  • Chanel disclosed that attackers accessed U.S. customer information such as names, emails, addresses, and phone numbers. Financial data and login credentials were not impacted.
  • Pandora reported a similar compromise via a third-party Salesforce integration, again exposing customer details but not credit card information.

Why This Matters

The breach serves as a wake-up call: security isn’t just about strong firewalls and multi-factor authentication. Social engineering can bypass even the most advanced defenses by manipulating people instead of technology.

OAuth tokens — once granted — can be as powerful as passwords, and in this case, they became the perfect tool for silent data theft.

Lessons for Businesses

To defend against such campaigns, organizations need to go beyond the basics:

  1. Strictly control connected apps – Only pre-approved apps should be allowed to access Salesforce.
  2. Upgrade MFA practices – Hardware keys or authenticator apps are stronger than SMS-based methods.
  3. Harden employee awareness – Regular training on vishing and phishing detection is critical.
  4. Review vendor dependencies – Third-party integrations should undergo the same level of security scrutiny.
  5. Limit user privileges – The fewer permissions an account has, the less damage a compromised token can cause.
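
Points 1 and 5 can be checked routinely by auditing which apps hold OAuth grants and on whose accounts. The sketch below is an added example, not code from Salesforce or from any of the affected companies; the CSV column names, app names, users and allowlist are constructed for illustration and would need mapping to whatever export your org actually produces.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed allowlist and privileged-profile set (hypothetical names).
APPROVED_APPS = {"Corp Data Sync", "Marketing Hub"}
PRIVILEGED_PROFILES = {"System Administrator"}

# Constructed sample export of OAuth grants; columns are assumptions,
# not a Salesforce schema.
SAMPLE_GRANTS = """app_name,user,profile,scopes,granted_at
Corp Data Sync,alice@example.com,Standard User,api,2025-05-01T09:00:00+00:00
Helpdesk Sync Tool,bob@example.com,System Administrator,api refresh_token full,2025-08-04T14:12:00+00:00
Marketing Hub,carol@example.com,System Administrator,full,2025-07-30T10:00:00+00:00
Report Exporter,dave@example.com,Standard User,api,2025-06-01T08:30:00+00:00
"""

def audit_grants(csv_text, now, recent_days=7):
    """Return (app, user, reasons) for every grant that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        scopes = set(row["scopes"].split())
        approved = row["app_name"] in APPROVED_APPS
        if not approved:
            reasons.append("app not on allowlist")
        # Even an approved app should not hold full access on an admin account.
        if "full" in scopes and row["profile"] in PRIVILEGED_PROFILES:
            reasons.append("full-access token on privileged account")
        # A fresh grant to an unknown app is the pattern a vishing call leaves.
        age = now - datetime.fromisoformat(row["granted_at"])
        if not approved and age <= timedelta(days=recent_days):
            reasons.append("granted recently")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 8, 6, tzinfo=timezone.utc)  # fixed for the sample data
    for app, user, reasons in audit_grants(SAMPLE_GRANTS, now):
        print(f"{app} ({user}): {', '.join(reasons)}")
```

Grants flagged with all three reasons are the ones to revoke and investigate first; stale grants to unlisted apps are cleanup candidates.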

This breach underscores a simple but uncomfortable truth: even industry giants can fall victim to human-targeted attacks. With groups like ShinyHunters blurring the line between cybercrime and social engineering, the global business community must rethink not just how systems are secured, but how people are protected from deception.

The Salesforce incident is unlikely to be the last — but it may well shape how companies prepare for the next wave of social engineering-driven cyber threats.
