When CRM Becomes a Cybersecurity Target: ShinyHunters Behind Salesforce Data Theft at Allianz Life, Qantas, and LVMH
In today’s digital economy, customer data is one of the most valuable assets an organization holds. That’s why CRM platforms like Salesforce have become critical to business operations—and an attractive target for cybercriminals.
Recently, the notorious hacking group ShinyHunters has been linked to a string of cyberattacks targeting Salesforce environments at major global organizations, including Allianz Life, Qantas, LVMH, and others. The incident is a wake-up call: even the most trusted enterprise systems can become a point of compromise without robust defenses and user vigilance.
Who Are the ShinyHunters?
ShinyHunters is a well-known threat actor group infamous for breaching large corporations and leaking stolen data online. According to Google’s Threat Intelligence Group, this campaign has been linked to a subgroup known as UNC6040, which shares similarities with another group called Scattered Spider (UNC3944)—both known for leveraging advanced social engineering tactics to breach secure environments.
The Attack Method: Vishing to Capture Credentials
Instead of exploiting system vulnerabilities, attackers used vishing (voice phishing). They impersonated IT staff or support agents and convinced employees to install a fake Salesforce Data Loader application with names like “My Ticket Portal.” These fake tools harvested login credentials and multi-factor authentication (MFA) tokens.
Once attackers had access, they used legitimate-looking tools and permissions to exfiltrate massive amounts of customer data via Salesforce's APIs—without triggering traditional security alarms.
Impacted Organizations: Millions Affected
Allianz Life (USA)
- Over 1.4 million individuals affected
- Data includes personal information of customers, employees, and agents
- The company confirmed that the breach came through a third-party service provider’s use of Salesforce, not Allianz’s internal network
- Victims are being offered identity protection and credit monitoring for up to 24 months
Qantas (Australia)
- Approximately 5.7 million customers impacted
- Leaked data includes names, emails, Frequent Flyer numbers, dates of birth, addresses, gender, and dietary preferences
- Legal documents suggest attackers accessed Salesforce “Accounts” and “Contacts” objects
LVMH & Adidas
- Also targeted through Salesforce, with data exposure likely
- Specific breach details have not yet been publicly disclosed
Key Takeaway: The Weakest Link Is Still Human
These incidents underscore that in the modern threat landscape, it’s not always the system that’s breached—but the people using it.
Even the most secure platforms can be compromised through clever manipulation, impersonation, and trust exploitation.
What Organizations Should Do Now
- Adopt a Zero Trust Model: Never trust by default; verify every access attempt, internally and externally.
- Educate Employees Regularly: Provide frequent training on phishing, vishing, and other social engineering threats.
- Apply Least Privilege Access: Ensure users only have access to the data and tools they need, nothing more.
- Monitor Behavior in Real-Time: Use AI and anomaly detection tools to flag unusual activity, especially in critical platforms like Salesforce.
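One way to start on the monitoring recommendation, as an added example that is not part of the original article: a small detector that flags API activity from an unapproved connected app and bulk reads of Account and Contact records. The event schema, app allowlist, and thresholds are assumptions, and the sample records are constructed rather than taken from Salesforce's own log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for illustration; tune per organization.
APPROVED_APPS = {"Salesforce Data Loader", "Sales Console"}  # hypothetical allowlist
SENSITIVE_OBJECTS = {"Account", "Contact"}
WINDOW = timedelta(minutes=10)
ROW_LIMIT = 50_000  # rows per user/app inside WINDOW

# Constructed sample events: (timestamp, user, app, object, rows returned).
# Simplified schema, not Salesforce's own log format.
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "alice", "Sales Console", "Account", 200),
    ("2025-01-01T09:05:00", "alice", "Sales Console", "Contact", 350),
    ("2025-01-01T10:00:00", "bob", "My Ticket Portal", "Contact", 30_000),
    ("2025-01-01T10:03:00", "bob", "My Ticket Portal", "Account", 30_000),
    ("2025-01-01T10:06:00", "bob", "My Ticket Portal", "Contact", 30_000),
    ("2025-01-01T11:00:00", "carol", "Salesforce Data Loader", "Account", 20_000),
    ("2025-01-01T11:30:00", "carol", "Salesforce Data Loader", "Account", 20_000),
]

def detect(events):
    """Return alerts as (rule, timestamp, user, app, rows) tuples."""
    alerts = []
    history = defaultdict(list)  # (user, app) -> [(time, rows)] within WINDOW
    flagged_apps, flagged_bulk = set(), set()
    for ts_raw, user, app, obj, rows in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        key = (user, app)
        # Rule 1: first API activity from an app that is not on the allowlist.
        if app not in APPROVED_APPS and key not in flagged_apps:
            flagged_apps.add(key)
            alerts.append(("unapproved_app", ts_raw, user, app, rows))
        if obj not in SENSITIVE_OBJECTS:
            continue
        # Rule 2: sliding-window row volume on sensitive objects. This applies
        # to approved apps too, since an app name alone can be imitated.
        recent = [(t, r) for t, r in history[key] if ts - t <= WINDOW]
        recent.append((ts, rows))
        history[key] = recent
        total = sum(r for _, r in recent)
        if total > ROW_LIMIT and key not in flagged_bulk:
            flagged_bulk.add(key)
            alerts.append(("bulk_export", ts_raw, user, app, total))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, only the "My Ticket Portal" session is flagged: once for the unapproved app and once when its reads pass the row limit within the window.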
Final Thoughts
This attack isn’t just about a data leak—it’s a powerful reminder that enterprise systems are only as secure as the people using them.
In a world where data is currency, the safest organizations are those that trust nothing and verify everything.