This security incident was not the result of a traditional software vulnerability (CVE) but rather a sophisticated “social engineering campaign” attributed to the threat actor group “ShinyHunters”. The attack vector involved targeting employees of Salesforce customers directly through voice phishing (vishing) and text messages (smishing). The primary goal of this initial contact was to deceive an employee with privileged access into authorizing a malicious OAuth application within the company's Salesforce CRM environment.
By successfully tricking an employee into granting these permissions, the attackers gained unauthorized access to the Salesforce instance. This allowed them to exfiltrate data stored within the CRM. According to the disclosures, the compromised data was limited to business contact information, such as names, email addresses, and phone numbers. The primary risk from this breach is the high probability that the threat actor will use this validated contact data to launch more targeted and credible phishing campaigns against employees and customers.
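One way to hunt for the pattern described above (an employee authorizing an unapproved OAuth application, followed by bulk reads of CRM records), as an added example that is not part of the original write-up. The event schema, user and app names, allowlist and thresholds are constructed assumptions for illustration, not Salesforce's own log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (an assumption for illustration, not Salesforce's own log format).
EVENTS = [
    {"ts": "2025-08-11T09:00:00", "type": "oauth_grant", "user": "alice", "app": "Approved Data Sync", "privileged": False},
    {"ts": "2025-08-11T09:30:00", "type": "api_query", "user": "alice", "app": "Approved Data Sync", "rows": 50000},
    {"ts": "2025-08-12T14:05:00", "type": "oauth_grant", "user": "bob", "app": "Unlisted Export Tool", "privileged": True},
    {"ts": "2025-08-12T14:20:00", "type": "api_query", "user": "bob", "app": "Unlisted Export Tool", "rows": 8000},
    {"ts": "2025-08-12T14:40:00", "type": "api_query", "user": "bob", "app": "Unlisted Export Tool", "rows": 7000},
    {"ts": "2025-08-13T10:00:00", "type": "oauth_grant", "user": "carol", "app": "Calendar Helper", "privileged": False},
]

APPROVED_APPS = {"Approved Data Sync"}   # hypothetical allowlist of vetted OAuth apps
WINDOW = timedelta(hours=24)             # how long after a grant to watch the app
ROW_THRESHOLD = 10_000                   # rows read in the window that count as bulk export


def find_suspicious_grants(events, approved=APPROVED_APPS,
                           window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Flag OAuth grants to unapproved apps and total the rows each app read afterwards."""
    findings = []
    for grant in sorted(events, key=lambda e: e["ts"]):
        if grant["type"] != "oauth_grant" or grant["app"] in approved:
            continue
        start = datetime.fromisoformat(grant["ts"])
        rows = sum(
            e["rows"] for e in events
            if e["type"] == "api_query"
            and (e["user"], e["app"]) == (grant["user"], grant["app"])
            and start <= datetime.fromisoformat(e["ts"]) <= start + window
        )
        if rows >= row_threshold:
            severity = "critical"   # unapproved app already pulled data in bulk
        elif grant["privileged"]:
            severity = "high"       # broad access granted, no bulk reads seen yet
        else:
            severity = "review"
        findings.append({"user": grant["user"], "app": grant["app"],
                         "granted": grant["ts"], "rows_read": rows, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_grants(EVENTS):
        print(f)
```

Grants to allowlisted apps are ignored even when they read many rows, so the value of the check depends on keeping the allowlist short and reviewed.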
See the resource center.
Status
Research began today, August 19, 2025, and is already available.