ShinyHunters escalated its long-running Salesforce CRM extortion operation this weekend by publishing what it claims are more than three million Cisco Systems CRM records, making Cisco the highest-profile confirmed target of the UNC6040 vishing campaign to date. The dump lands days after ShinyHunters’ April 3 “final warning” deadline against Cisco expired and follows the group’s April 14 extortion of McGraw-Hill over a parallel Salesforce misconfiguration. Between the two campaigns, ShinyHunters now claims compromise of roughly 300–400 organizations, pulling in Google, Adidas, Qantas, Allianz Life, Workday, Pandora, Chanel, TransUnion, and multiple LVMH brands.
What was stolen
The Cisco dataset published on the group’s leak site includes:
- 3M+ Salesforce records with PII tied to Cisco procurement, sales engagements, and partner relationships. Published samples reference the FBI, DHS, IRS, NASA, the Australian Defence Ministry, and Indian government agencies — meaning this is federal-customer data, not just Cisco’s internal employee information.
- AWS asset references — S3 bucket names and EC2 volume listings consistent with Cisco naming conventions. Screenshots show over 100 volumes, several newly provisioned March 16–17, 2026.
- GitHub repository names and other internal system identifiers sufficient to map Cisco’s development footprint.
Cisco has so far confirmed only that a threat actor obtained access to a “third-party CRM” via vishing; the company disputes the 3M record count and has not corroborated the AWS/GitHub components of the claim.
Attack vector: UNC6040’s OAuth playbook
Google Threat Intelligence Group (GTIG) tracks this campaign as UNC6040. The pattern is now well documented across every confirmed victim:
- Vishing the help desk. Operators call employees impersonating IT support — often during a fabricated “MFA reset” or “Salesforce outage” — and walk the target through authorizing a malicious OAuth connected app that masquerades as Salesforce’s legitimate Data Loader utility. Scattered Spider and Lapsus$ members are participating in the voice ops.
- OAuth token grant, not password theft. Because the victim approves the connected app themselves, the attacker walks away with a long-lived refresh token that survives password resets and most conditional-access policies. No credentials are phished, and MFA never fires again after the initial consent.
- Bulk extraction via Data Loader. The malicious app uses Salesforce Bulk API 2.0 to exfiltrate entire Account, Contact, Opportunity, and Case objects — often tens of millions of rows — in hours. In some victims, ShinyHunters also hit Salesforce Aura unauthenticated endpoints (a second, older misconfiguration class) for additional records.
- Pivot into connected clouds. AWS keys, SSH keys, and GitHub tokens stored inside CRM Case attachments, Opportunity notes, and custom objects are mined to pivot into the victim’s production infrastructure. This is how ShinyHunters arrived at S3 buckets and EC2 volumes for the Cisco victim — the keys were already in the CRM.
The campaign is a SaaS-supply-chain attack in every meaningful sense: attackers abuse a trusted third-party connected-app model shared across the industry, and OAuth consent bypasses every on-prem control.
Impact
Any organization running Salesforce — particularly with open Aura communities, Experience Cloud sites, or permissive connected-app allowlists — is in-scope. The specific risks right now:
- Federal customer exposure. Cisco’s dump confirms UNC6040 data can include U.S. government procurement contacts, project codenames, and contract metadata. Agencies listed in the leak should assume targeted follow-on phishing.
- Credential sprawl inside CRMs. Engineering teams routinely paste cloud access keys, GitHub PATs, and kubeconfig snippets into Salesforce Cases for customer support. If you were hit, assume every secret that ever lived in a CRM record is compromised.
- Persistent OAuth grants. Revoking the user’s password does nothing. The malicious app keeps refreshing tokens until it is explicitly uninstalled from Setup → Connected Apps OAuth Usage.
What to do right now
- Audit Connected Apps. In Salesforce Setup, open Connected Apps OAuth Usage and revoke any “Data Loader” or similarly named app that was granted in the last 90 days and is not centrally managed. ShinyHunters uses names like “My Ticket Portal”, “Data Loader”, and “Salesforce Inspector” variants.
- Rotate tokens, not just passwords. Revoke all user OAuth tokens (the OAuthToken object), rotate API keys referenced anywhere in CRM records, and rotate any AWS/GitHub credentials that were ever pasted into a Case or Opportunity.
- Lock down Aura endpoints. Audit any Experience Cloud / Communities sites for unauthenticated Aura endpoints exposing getItems, ApexActionController, or controller calls that leak object records. Salesforce’s recommended hardening is in KB article 000395236.
- Require admin approval for new Connected Apps. Set Permitted Users to “Admin approved users are pre-authorized” on every connected app, and disable end-user OAuth consent where policy allows.
- Train against vishing. The consistent social-engineering hook is a fake IT helpdesk callback during a claimed Salesforce outage. Escalate any call requesting OAuth app approval to a named security contact out-of-band.
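A triage helper for the first two steps above, added here as an example and not code from the post or from Salesforce: it filters OAuthToken-shaped records against the revoke criteria the post gives (name variants, granted in the last 90 days, not centrally managed) and scans Case text for the AWS and GitHub key shapes the post says get pasted into support records. The record field names, the managed-app allowlist, and all sample data are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# App names the post attributes to ShinyHunters, matched as substrings to catch "variants".
SUSPECT_NAMES = ("my ticket portal", "data loader", "salesforce inspector")
# Assumed allowlist of centrally managed connected apps (placeholder name).
MANAGED_APPS = {"Corp Data Loader (IT-managed)"}
# Secret shapes the post says get pasted into Cases: AWS access key IDs, GitHub PATs.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b")),
]

def flag_oauth_grants(tokens, now, lookback_days=90):
    """Ids of OAuthToken records to revoke: granted within lookback_days, name
    resembling a known ShinyHunters app, and not on the managed allowlist."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for t in tokens:  # keys assumed to mirror OAuthToken fields: Id, AppName, CreatedDate, UserId
        if t["AppName"] in MANAGED_APPS:
            continue
        if datetime.fromisoformat(t["CreatedDate"]) < cutoff:
            continue
        if any(name in t["AppName"].lower() for name in SUSPECT_NAMES):
            hits.append(t["Id"])
    return hits

def find_pasted_secrets(cases):
    """(CaseId, kind, redacted prefix) for each secret in Case text; these must be
    rotated because a password reset does nothing for a leaked key."""
    found = []
    for c in cases:
        for kind, pattern in SECRET_PATTERNS:
            for match in pattern.findall(c["Description"]):
                found.append((c["Id"], kind, match[:4] + "****"))
    return found

# Constructed sample input; the AWS key is AWS's own documented example value.
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"Id": "0T1", "AppName": "Data Loader", "CreatedDate": "2026-04-10T09:15:00+00:00", "UserId": "005A"},
    {"Id": "0T2", "AppName": "Corp Data Loader (IT-managed)", "CreatedDate": "2026-04-12T08:00:00+00:00", "UserId": "005B"},
    {"Id": "0T3", "AppName": "My Ticket Portal", "CreatedDate": "2025-12-01T10:00:00+00:00", "UserId": "005C"},
    {"Id": "0T4", "AppName": "Salesforce Inspector Reloaded", "CreatedDate": "2026-03-30T14:30:00+00:00", "UserId": "005D"},
]
SAMPLE_CASES = [
    {"Id": "500A", "Description": "Repro creds: AKIAIOSFODNN7EXAMPLE, token ghp_" + "a" * 36},
    {"Id": "500B", "Description": "VPN tunnel drops after firmware upgrade."},
]
```

Feed it the real OAuthToken and Case query results exported from the org, then revoke the returned Ids in Connected Apps OAuth Usage and rotate every key it lists.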
Monitor the CISA KEV catalog and Salesforce’s Trust status page for emergency advisories. ShinyHunters has shown no sign of slowing down — expect additional named victims through the end of the month.
Sources: Security Boulevard, HackRead, The Register, Help Net Security, Google Cloud Threat Intelligence, Rescana.