ShinyHunters Salesforce cyber attacks explained: What you need to know

A campaign of cyber attacks orchestrated via social engineering against users’ Salesforce instances is now being attributed to the ShinyHunters cyber crime gang with growing confidence, and the list of victims seems to be growing by the day.

To date, multiple compromised organisations have been linked to these attacks. Among them are fashion brands including Adidas; LVMH brands Dior, Louis Vuitton, and Tiffany & Co; jewellery company Pandora; insurance companies such as Allianz; and airlines such as Qantas and Air France-KLM.

Even the technology sector is not immune to ShinyHunters’ “affections”. Google has also reported that it was hit by the operation, revealing on 5 August that one of its corporate Salesforce instances was breached and data on small and medium-sized enterprise (SME) customers taken – although thankfully this was mostly publicly available business information such as business names and contact numbers.

Who are ShinyHunters and what do they want?

Since April 2025, an audacious series of cyber attacks orchestrated by the English-speaking hacking collective Scattered Spider – particularly an incident in which the gang breached the systems of high street stalwart Marks & Spencer (M&S) – has brought social engineering attacks to mainstream attention.

Absent definitive proof that enables the threat intel community to attribute cyber incidents, a number of the ShinyHunters attacks had been speculatively linked to Scattered Spider. But Scattered Spider does not have a monopoly on social engineering, and with the body of evidence in this particular campaign pointing more firmly to ShinyHunters, it is worth learning more about this group.

The ShinyHunters gang appears to have formed in 2020 as a hack-and-leak operation, drip feeding millions of stolen records into the public domain. Its objectives beyond that goal are unclear, although the group is clearly now branching out into outright extortion.

Historic ShinyHunters victims, either claimed or confirmed, include AT&T Wireless, Microsoft, Santander and Ticketmaster. Many of these victims were likely breached via abuse of unsecured accounts held with cloud data management platform Snowflake. Note that this is not evidence Snowflake itself was breached, merely of insecure use of its products and services.

ShinyHunters has also been linked to the various incarnations of the infamous BreachForums data leak forum. The most recent development in this particular story was the June 2025 indictment by the US authorities of a prominent hacker known as IntelBroker, allegedly a 25-year-old British national named Kai West, and concurrent arrests in France of others associated with ShinyHunters.

Intriguingly, the Google Threat Intelligence Group (GTIG) assesses that ShinyHunters and Scattered Spider may share some behind-the-scenes links, as both gangs demonstrate evidence of affiliation with The Com.

The Com is a wider hacking ring comprising multiple disparate and often rival groups. According to the FBI, it organises on various forums including Discord and Telegram, and its members – many of whom are likely minors – engage in various forms of cyber criminality.

GTIG has observed various elements of attacker-controlled infrastructure in use across multiple cyber attacks conducted by groups with ties to The Com, as well as overlapping tactics (social engineering in particular), the targeting of Okta credentials and a focus on victimising English-speaking users at multinational organisations by impersonating IT helpdesk staff – all hallmarks of Scattered Spider and ShinyHunters breaches.

According to GTIG, it is plausible that these similarities have arisen between associated actors operating in the same core community, rather than suggesting direct collaboration between Scattered Spider and ShinyHunters.

What is social engineering?

Social engineering is a tried-and-tested hacking technique in which targeted victims are manipulated into giving up access to their employers’ secrets by various means.

Commonly used methods of social engineering include targeted phishing emails that attempt to trick their recipients into downloading something dangerous such as malware or ransomware, or supplying sensitive information such as their IT system credentials.

Other social engineers will create pretexts to game their targets. As we have seen, in the digital realm they often impersonate IT helpdesks or support services, or they may offer something – which often seems too good to be true – to spark interest, which is a classic bait-and-switch technique used by real-world scammers too.

Social engineering doesn’t just fall under the banner of IT and cyber security – it far predates the information age. Throughout human history, scammers have deployed social engineering techniques. In the age of myth, when the ancient Greeks left a huge wooden horse at the gates of Troy, they were betting that the Trojans…





Author: crmexpert444
