Urgent Alert for Salesforce Users: Beware of ShinyHunters Voice-Phishing Scam
By Rafat Khan, CRM Delivery Head, Nihilent Limited
Salesforce is not compromised, but a highly coordinated wave of cyberattacks led by ShinyHunters (UNC6040), often in collaboration with Scattered Spider (UNC3944), has been exploiting human error and trust to infiltrate enterprise Salesforce environments. The threat actors use vishing (voice phishing) to impersonate IT support and trick employees into granting access to a malicious connected app that looks like Salesforce’s legitimate Data Loader. This enables OAuth API access, bypasses MFA, and leads to data exfiltration from corporate CRMs.
Victims of these sophisticated campaigns include Google, Adidas, Chanel, Qantas, Allianz Life, Pandora, and LVMH brands, among others. Although the stolen data is often only business contact information, it is sufficient to fuel extortion, phishing, and impersonation scams.
What Salesforce Customers Should Do Immediately:
- Audit and Restrict Connected Apps
  - Review and prune all connected apps; remove any that are unnecessary or unfamiliar.
  - Restrict approval of new connected apps to admins only; disable self-installations.
- Educate Your Team
  - Train employees to recognize vishing attempts: genuine IT will never ask for credentials or codes over the phone.
  - Encourage staff to hang up and call back using official numbers if uncertain.
- Enforce MFA and Least Privilege
  - Ensure multi-factor authentication is enabled across the board.
  - Limit users' permissions to the minimum required, to reduce the blast radius if a compromise occurs.
- Monitor for Suspicious Activity
  - Look for unexpected authorization of connected apps or anomalies in Salesforce logs.
  - Be alert for mentions of your organization on ShinyHunters or criminal data-leak forums; such a mention could precede a leak or extortion attempt.
- Implement a Layered Defense Strategy
  - Don't rely solely on technical defenses; combine them with user awareness, strict app governance, and tight identity controls.
  - Regularly revisit your shared responsibility model: Salesforce protects the platform, but securing how your organization uses it is on you.
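One way to act on the connected-app audit and monitoring steps above, as an added example that is not part of the original alert: compare each connected-app authorization against an admin-approved allowlist and rank names that imitate an approved app, such as a Data Loader lookalike, first. The allowlist, the export column names, the 0.85 similarity threshold and every app name other than Data Loader are assumptions made for illustration.

```python
import csv
import difflib
import io
from datetime import datetime, timedelta

# Assumption: the allowlist of connected apps your admins have approved.
APPROVED_APPS = {"Data Loader", "Salesforce CLI", "Acme HR Sync"}

# Constructed sample; the column names are assumptions, not a Salesforce schema.
SAMPLE_EXPORT = """app_name,username,authorized_at
Data Loader,ops.admin@example.com,2025-03-02T09:14:00+00:00
Acme HR Sync,integration@example.com,2025-01-10T08:00:00+00:00
My Data Loader,j.doe@example.com,2025-08-04T16:41:00+00:00
Data  Loader,k.lee@example.com,2025-08-04T16:55:00+00:00
Report Exporter,j.doe@example.com,2025-08-05T10:02:00+00:00
"""

def norm(name):
    """Casefold and collapse whitespace so cosmetic variants compare equal."""
    return " ".join(name.casefold().split())

def classify(app_name, approved=APPROVED_APPS):
    """Return None for an approved app, else (reason, imitated_app_or_None)."""
    if app_name in approved:  # only an exact name match counts as approved
        return None
    n = norm(app_name)
    for good in sorted(approved):
        g = norm(good)
        close = difflib.SequenceMatcher(None, n, g).ratio() >= 0.85
        if n == g or g in n or close:
            return ("lookalike", good)
    return ("unapproved", None)

def review(export_text, now, recent_days=7, approved=APPROVED_APPS):
    """Flag authorizations of apps outside the allowlist, lookalikes first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        verdict = classify(row["app_name"], approved)
        if verdict is None:
            continue
        when = datetime.fromisoformat(row["authorized_at"])
        findings.append({
            "app": row["app_name"], "user": row["username"],
            "reason": verdict[0], "imitates": verdict[1],
            "recent": now - when <= timedelta(days=recent_days)})
    return sorted(findings, key=lambda f: (f["reason"] != "lookalike", f["app"]))

if __name__ == "__main__":
    print(review(SAMPLE_EXPORT, datetime.fromisoformat("2025-08-06T00:00:00+00:00")))
```

A lookalike authorized shortly after an unsolicited "IT support" call is the pattern this alert describes, so recent lookalike findings deserve a direct follow-up with the user.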
If you find this alert useful, please share it with your network; awareness is the first line of defense.