Who is behind the Salesforce social engineering attacks?

The attacks are attributed to the ShinyHunters group, which has been conducting coordinated voice phishing (vishing) campaigns to compromise Salesforce instances across multiple major corporations globally.

Which major companies have been affected by the ShinyHunters Salesforce attacks?

The campaign has successfully compromised major corporations including Cisco, Chanel, Pandora, Google, KLM, and Air France. These attacks resulted in theft of data stored on the respective Salesforce instances via malicious connected app permissions.

How does the ShinyHunters Salesforce attack sequence work?

The attack follows a four-step sequence: First, hackers target English-speaking employees with Salesforce permissions using LinkedIn scraping and stolen datasets. Second, they make phishing voice calls impersonating IT support with urgent backstories. Third, victims are guided to enter an 8-digit connection code on Salesforce's Connected Apps page. Finally, this authorizes a malicious OAuth application that grants full access to query and exfiltrate sensitive CRM data.

Who are the typical targets of these Salesforce social engineering attacks?

The hackers targeted English-speaking employees within multinational corporations who would have access to grant permissions for new Salesforce Connected Apps. Sales and customer success senior personnel are likely targets, identified through a combination of LinkedIn scraping and stolen/scraped datasets to locate relevant employees' phone numbers.

Why are these Salesforce attacks so effective?

The attacks are effective because users are directed to a trusted Salesforce URL, removing the typical 'fake URL' indicator of phishing. Although the IT call is unexpected, targets trust it because they're instructed to use an official Salesforce platform. The technique exploits the legitimate OAuth authorization process that users are familiar with.

Do traditional security measures like MFA protect against these Salesforce attacks?

No, MFA and zero trust make no difference in this attack because the user has directly granted permissions to another application through legitimate OAuth channels. The attack bypasses traditional security controls by exploiting the trusted application authorization process rather than compromising credentials.

What should organizations do to protect against these Salesforce social engineering attacks?

Organizations globally should raise awareness of this attack technique among employees since it can be reused or adapted for various cloud platforms. The attack confirms that this social engineering approach is very successful and requires specific defensive measures beyond traditional cybersecurity tools.

What are the recommended countermeasures for these voice phishing attacks?

Since the attack is partially low-tech (phone calls), countermeasures should be correspondingly practical: implement call-back procedures or other verification methods when receiving ad-hoc requests from anyone representing IT or authoritative functions. Organizations should also implement comprehensive monitoring of connected applications and OAuth authorizations with automated alerting for new application connections.

How does the malicious OAuth application work in these Salesforce attacks?

The 8-digit connection code provided during the phone call authorizes a malicious OAuth application, typically a modified version of Salesforce's Data Loader tool, to access the organization's Salesforce environment. Once authorized, this grants threat actors full access to query, export, and exfiltrate sensitive data directly from the compromised Salesforce customer environments.

Can this attack technique be used against other cloud platforms besides Salesforce?

Yes, granting access to OAuth applications is possible for the majority of cloud platforms, making this technique adaptable to various other scenarios beyond Salesforce. The success of this attack series demonstrates the effectiveness of social engineering approaches targeting legitimate application authorization processes across cloud services.

Attack

Hackers breach Salesforce instances of major corporations through voice phishing

Q: What is the ShinyHunters Salesforce social engineering campaign?

A sophisticated and wide-reaching social engineering campaign is targeting Salesforce customer relationship management (CRM) instances. The attack has compromised major corporations like Cisco, Chanel, Pandora, Google, KLM, and Air France using voice phishing techniques to gain access to entire CRM databases.

published: Aug. 7, 2025

Take action: Always verify any urgent call from "IT" or anyone representing authority. The urgent call technique paired with pressure tactics and abuse of the ability of most users to grant access to apps is extremely dangerous.

Learn More

A wide reaching social engineering campaign is targeting Salesforce customer relationship management (CRM) instances. The attack has compromised major corporations like Cisco, Chanel, Pandora, Google, KLM and Air France.

The attacks are attributed to the ShinyHunters. The hackers used voice phishing (vishing) techniques to persuade employees of the targeted companies to connect malicious versions of Salesforce Connected Apps to their Salesforce instance, granting access to hackers to the entire content of the CRM instance.

The attacks resulted in theft of the data stored on the respective Salesforce instances via the permissions granted to the malicious connected app.

https://storage.googleapis.com/gweb-cloudblog-publish/images/salesforce-vishing-fig2.max-800x800.png

Attack sequence:

Target location: The hackers targeted English speaking employees within multinational corporations who would have access to grant permissions for a new Salesforce Connected Apps. It's very possible that sales and customer success senior people were targeted via a combination of linkedin scraping and stolen/scraped datasets to locate the phones of relevant employees.
Phishing voice call - attackers impersonated internal IT support personnel and using various back stories including urgent IT issues or compliance deadlines guided the victims to navigate to Salesforce's Connected Apps setup page (see image above).
Connecting a malicious app - The employees were instructed to enter an 8-digit connection code provided by the attacker during the phone call.
Steal data - The entered code authorized a malicious OAuth application, typically a modified version of Salesforce's Data Loader tool, to access the organization's Salesforce environment. Once authorized, the malicious application granted the threat actors full access to query, export, and exfiltrate sensitive data directly from the compromised Salesforce customer environments.

The users were led to a trusted Salesforce URL, so one of the indicators of 'fake URL' was missing from the phishing call. So although unexpected, the call fro "IT" was probably trusted because the target was just instructed to open a trusted Salesforce URL.

Organizations globally should raise this event to their employees since the technique can be reused or adapted for various other scenarios. Granting access to an OAuth application is possible for the majority of cloud platforms, and this series of attacks confirms that the attack is very successful.

MFA and zero trust make no difference, because the user has granted permissions directly to another application.

Since the attack is partially low-tech (phone call), the counter measures are also commensurately low-tech. Organizations should consider call-back procedures or other verification when an ad-hoc request is received from someone representing IT or any authoritative function within the organization.

Organizations should also implement comprehensive monitoring of connected applications and OAuth authorizations, with automated alerting for new application connections.

Hackers breach Salesforce instances of major corporations through voice phishing

Read More
GreyNouse reports DrayTek routers actively attacked using old …
Critical Cisco Smart Licensing Utility flaws actively exploited …
Organizations attacked via Windows PHP remote code execution …
Critical vulnerability in CrushFTP actively exploited
Critical RCE Vulnerability Exploited in Legacy D-Link DSL …