All news with #shinyhunters tag

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

ShinySp1d3r RaaS Emerges - New Encryptor by ShinyHunters

🕷️ An in-development build of the ShinySp1d3r ransomware-as-a-service has surfaced, revealing a Windows encryptor developed by threat actors linked to ShinyHunters and affiliates. The sample shows ChaCha20 file encryption with RSA-2048 key protection, per-file headers beginning with "SPDR" and ending with "ENDS", and automated propagation methods via SCM, WMI, and GPO. The build includes process-killing, EtwEventWrite hooking, free-space overwriting, shadow-copy deletion, anti-analysis measures, and deploys a ransom note (R3ADME_1Vks5fYe.txt) plus a wallpaper; Linux and ESXi versions are reportedly in progress.

Checkout.com Apologizes After Breach, Donates Ransom

🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.

Checkout.com Refuses Ransom After ShinyHunters Breach

🔒 Checkout.com confirmed that the criminal group ShinyHunters accessed a legacy third-party cloud file storage system used in 2020 and earlier and is attempting to extort the company. The exposed materials reportedly include merchant onboarding documents and internal operational files, and Checkout estimates the data affects less than 25% of its current merchant base while also touching former customers. Rather than paying, the firm said it will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center and invest in strengthening its security.

Scattered Lapsus$ Hunters: Risks to Retail & Hospitality

🔒 Scattered Lapsus$ Hunters, with core actors such as Bling Libra, claim responsibility for large-scale theft of Salesforce customer data and launched a public data leak site in early October 2025. The group operates an extortion-as-a-service model, recruiting affiliates to send targeted executive extortion messages and taking revenue shares from payments. Recent activity included a Clearnet domain seizure by law enforcement and threatening deadlines for victim disclosures. Retail and hospitality organizations face heightened risks of identity theft, account takeover, returns and loyalty fraud; Unit 42 recommends secrets scanning, zero trust controls, least privilege and participation in industry ISACs.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

ShinyHunters Joins Extortion Effort After Red Hat Breach

🔐 Red Hat is facing renewed extortion after a breach of its GitLab instance used by Red Hat Consulting was claimed to have exposed nearly 570GB of compressed data across thousands of repositories, including about 800 Customer Engagement Reports (CERs). The Crimson Collective initially claimed the theft and says it received no ransom response. The group announced a collaboration with Scattered Lapsus$ Hunters and has used the newly launched ShinyHunters leak site to press extortion demands, publishing CER samples and setting an October 10 deadline. Red Hat did not respond to inquiries.

ShinyHunters Leak Salesforce Data; Many Companies Exposed

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

Allianz Life July Data Breach Affects Nearly 1.5 Million

🔐Allianz Life has completed its investigation into a July cyberattack and says 1,497,036 people were impacted. A malicious actor accessed a third-party cloud-based CRM on July 16, 2025, and obtained names, addresses, dates of birth, and Social Security numbers. While some reporting linked the intrusion to a Salesforce-targeted wave attributed to ShinyHunters, Allianz Life has not confirmed that attribution. Notified individuals are offered two years of free identity monitoring from Kroll and guidance to enable credit monitoring or consider freezing credit.

Stellantis: Customer Contact Data Stolen in Salesforce Hack

🔒 Stellantis confirmed unauthorized access to a third-party platform supporting its North American customer service operations, and said attackers stole customer contact information. The company stated the compromised system did not contain financial or other sensitive personal data and that it activated incident response procedures and notified authorities. Reports link the incident to a broader wave of Salesforce-related intrusions claimed by ShinyHunters, and customers are being urged to watch for phishing attempts.

ShinyHunters Claims 1.5B Salesforce Records Stolen via Drift

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.

ShinyHunters Breach Hits Gucci, McQueen and Balenciaga

🔒 Luxury fashion groups Gucci, Alexander McQueen and Balenciaga have had customer data exposed in an attack linked to the ShinyHunters group. A sample of files shared with the BBC reportedly included thousands of genuine customer records and spending details, and the group claims data on 7.4 million email addresses. Kering confirmed temporary unauthorized access in June but said no financial information or government identifiers were involved. Security experts warn the data could fuel follow-on fraud, especially if sold on criminal forums.

Wealthsimple Reports Customer Data Breach Linked to Salesloft

🔒 Wealthsimple disclosed a data breach detected on August 30 after attackers accessed a trusted third-party software package. The company said less than 1% of customers had personal information exposed, including contact details, government IDs, account numbers, IP addresses, Social Insurance Numbers, and dates of birth. Wealthsimple stated no funds or passwords were taken; impacted customers are being offered two years of complimentary credit and identity protection and were advised to enable two-factor authentication and remain alert for phishing.

Workiva Discloses Data Theft Linked to Salesforce Breach

🔒 Workiva notified customers that attackers who accessed a third-party CRM exfiltrated a limited set of business contact data, including names, email addresses, phone numbers, and support ticket content. The company said the Workiva platform and any data within it were not accessed or compromised. Workiva warned customers to remain vigilant for spear‑phishing and reiterated it will not request passwords by text or phone. BleepingComputer reported the incident is tied to recent Salesforce breaches attributed to the ShinyHunters group.