ShinyHunters Campaign - Salesforce Exposure Risk Chelsea Deaner This security incident was not the result of a traditional software vulnerability (CVE) but rather a sophisticated “social engineering campaign” attributed to the threat actor group “ShinyHunters”. The attack vector involved targeting employees of Salesforce customers directly through voice phishing (vishing) and text messages (smishing). The primary goal of this initial contact was to deceive an employee with privileged access into authorizing a malicious OAuth application within the company's Salesforce CRM environment.By successfully tricking an employee into granting these permissions, the attackers gained unauthorized access to the Salesforce instance. This allowed them to exfiltrate data stored within the CRM. According to the disclosures, the compromised data was limited to business contact information, such as names, email addresses, and phone numbers. The primary risk from this breach is the high probability that the threat actor will use this validated contact data to launch more targeted and credible phishing campaigns against employees and customers.What To Do Alert your teams - Brief all Salesforce and Workday users about this active threat. Verify caller identity - Instruct employees to independently verify any unexpected calls requesting credentials through official channels. Review access logs - Monitor Salesforce login activity for unusual patterns or unauthorized access. Strengthen authentication - Ensure MFA is enabled and consider additional security controls. Report suspicious activity - Document and report any suspicious calls to your security team immediately. Assess third parties - Use the Companies List > Service Provider filter in Bitsight to identify vendors, subsidiaries, and other critical organizations using Salesforce. While not evidence of compromise, understanding which organizations in your ecosystem rely on Salesforce can help you stay alert to potential targeting as this threat evolves. Resources Salesforce, Protect Your Salesforce Environment from Social Engineering Threats Bitsight, Flash Report - August 19, 2025 - Workday's CRM Platform Breached by Hackers Using Social Engineering Tactics Related articles ShinyHunters Campaign - Salesforce Exposure Risk– August 19, 2025 How is the TLS/SSL Certificates Risk Vector Assessed? Vulnerability Trends Report Self-Published Companies Setting a DMARC Policy Feedback 0 comments Please sign in to leave a comment.