The Salesforce Supply-Chain Nightmare: Inside ShinyHunters’ Biggest Campaign Ever (760 Victims and Counting)
ShinyHunters 2025: How a single phone call and fake Salesforce update stole 1.5 billion records from 760+ companies — and why they just launched their own ransomware. Inside the biggest SaaS supply-chain attack ever.
They don’t need zero-days.
They don’t drop malware that triggers EDR.
They just pick up the phone, pretend to be Salesforce support, and convince someone to install a “critical update.”
That single social-engineering play, combined with industrial-scale GitHub secret scanning, gave ShinyHunters access to more than 760 Salesforce instances and, by their own count, some 1.5 billion customer records, at companies including Google, Cisco, Qantas, LVMH, Adidas, Red Hat, and Workday.
And in November 2025 they officially graduated from pure data extortion to full-blown ransomware by launching ShinySp1d3r RaaS.
This is the most dangerous evolution we’ve seen from an English-speaking cybercrime brand since LockBit peaked.
Who (or What) Is ShinyHunters Today?
ShinyHunters is no longer a “group” in the traditional sense. It’s a brand, a franchise, and an ecosystem that includes:
Core members (believed to be partially French, highly technically skilled)
Affiliates from The Com / BreachForums
Overlapping actors with Scattered Spider (UNC3944) and LAPSUS$
A formal supergroup called Scattered LAPSUS$ Hunters (formed mid-2025)
Think of it as the cybercrime equivalent of a streetwear label: anyone can slap the logo on if they pay the cut.
The 2025 Salesforce Campaign – Anatomy of the Biggest SaaS Supply-Chain Attack Ever
Primary vectors used:
Vishing + a modified Salesforce Data Loader
Attackers call mid-level sales or RevOps staff with a spoofed caller ID and claim there is an “urgent patch” for Salesforce. The victim is walked through installing a modified Salesforce Data Loader and authorizing it against their own org as a connected app. That OAuth consent is the whole exploit: the resulting token gives the attackers API access with the victim’s permissions, and no malware ever has to execute on the endpoint.
GitHub secret scanning at scale
Using modified TruffleHog pipelines, they harvested OAuth tokens for third-party Salesforce integrations (Gainsight, Drift, Salesloft, etc.) that had been committed to thousands of public and private repositories. A stolen integration token is as good as the integration itself: it carries whatever data access that app was granted.
Rogue OAuth apps + API abuse
With valid tokens in hand, they register their own connected apps, spoof the user agent of legitimate clients, and bulk-export entire customer objects through the ordinary API, which trips none of the usual malware detections.
Result: 760+ compromised Salesforce tenants in a single coordinated campaign that is still ongoing.
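The “industrial-scale GitHub secret scanning” vector is worth seeing from the defender’s side, because the patterns an attacker harvests are exactly what you should hunt for in your own repositories. The block below is an added example, not the article’s code and not TruffleHog’s: a minimal scanner with two illustrative rules (a Salesforce session/access-token shape of org ID, “!”, token body, and generic OAuth secret assignments) run over constructed sample files embedded in the block. The rules, file names and contents are assumptions for illustration; a production tool also verifies each hit live against the API before alerting.

```python
"""Minimal secret scanner in the spirit of TruffleHog (added example, not the
tool's own code). Patterns, file names and contents below are constructed
assumptions for illustration; real detectors also verify hits live."""
import os
import re

# Assumed detection rules. The Salesforce token shape (15-char org ID starting
# with 00D, a "!", then the token body) is illustrative; tune before relying on it.
RULES = {
    "salesforce_access_token": re.compile(r"00D[A-Za-z0-9]{12}![A-Za-z0-9._]{20,}"),
    "oauth_secret_assignment": re.compile(
        r"(?i)(client_secret|consumer_secret|refresh_token|access_token)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9._\-!]{16,})"
    ),
}

# Constructed sample repository contents (not real secrets).
SAMPLE_FILES = {
    "config/settings.py": (
        "SALESFORCE_CLIENT_ID = '3MVG9abc'\n"
        "SALESFORCE_CLIENT_SECRET = 'A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6'\n"
    ),
    "scripts/export.sh": (
        "export SF_TOKEN='00D5g000004Abcd!AQEAQabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ'\n"
    ),
    "README.md": "Set CLIENT_SECRET in your environment; never commit it.\n",
    "notes.txt": 'refresh_token = "5Aep861abcdefghijklmnopqrstuvwxyz"\n',
}


def redact(secret):
    """Keep enough to locate the hit, never enough to reuse it."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(path, text):
    """Return (path, line_no, rule_name, redacted_secret) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)  # value group if the rule has one
                findings.append((path, line_no, name, redact(secret)))
    return findings


def scan_files(files):
    """Scan an in-memory {path: content} mapping (what the sample uses)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Scan a checked-out working tree. This sees only the current revision:
    a token removed in a later commit is still in history, so also scan
    `git log -p` output or use a history-aware tool."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

The README line is a deliberate non-hit: mentioning a secret’s name is fine, assigning its value is not. Treat every real hit as already compromised: revoke and reissue the credential, and don’t just delete the line, because the token stays in git history and in every clone.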
From Data Broker to Ransomware Operator: ShinySp1d3r RaaS
In November 2025, ShinyHunters quietly debuted ShinySp1d3r, their own ransomware-as-a-service platform with:
Windows, Linux, and ESXi encryptors
Dynamic ransom notes and desktop wallpaper changer
70/30 affiliate split (the affiliate keeps 70 % of each ransom payment)
Explicit rule: no attacks on Russia or CIS countries (classic post-LockBit playbook)
They are already listing victims on a new dark-web leak site.
Why Most Defenses Are Still Blind to This Threat
The traffic is ordinary, authenticated Salesforce API activity made with a valid OAuth token; nothing on the wire looks like an attack
The Data Loader binary is either the signed original or only minimally modified, so there is no static malware signature to match
OAuth consent is granted voluntarily by the victim
Third-party app risk is rarely in scope for most security teams
In short: it looks exactly like normal business activity.
Immediate Actions Every Organization Should Take (Do These This Week)
Audit every third-party OAuth app in Salesforce
Revoke anything you cannot tie to an explicit approval, and re-review every app approved more than 90 days ago. Set connected-app policies so that only admin-approved users are pre-authorized, and add IP restrictions where the integration has a fixed egress.
Block unknown / unsigned Salesforce Data Loader versions via AppLocker or Intune.
Enforce a callback verification policy
No IT/SaaS support call is valid unless you hang up and call back on a published number. A vendor pushing a “patch” over the phone is itself the indicator.
Scan all GitHub repos (public + private) for exposed secrets
Use TruffleHog, GitGuardian, or Nightfall defensively, today, and include commit history, not just the current tree: a token deleted in a later commit is still in every clone. Treat every hit as compromised and revoke it; removing it from the repo is not remediation.
Enable Salesforce Event Monitoring and set alerts for
Mass record export (unusual row counts per user and per connected app)
New OAuth / connected app registration
Logins from an anomalous ASN or user agent
Rotate all long-lived Salesforce integration tokens, and move integrations to the JWT bearer flow (certificate-based, short-lived access tokens) where possible.
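The three Event Monitoring alerts above are easy to state and fiddly to write, so here is an added example (not Salesforce’s and not the article’s code) that runs all three detections over a constructed, simplified event feed. The column names are an assumption modelled loosely on Salesforce EventLogFile CSV exports; the real schema differs per event type, and connected-app creation is recorded in SetupAuditTrail rather than EventLogFile, so map the fields before pointing this at a real export. The allowlists and threshold are placeholders for your own.

```python
"""Toy detector for the three Salesforce Event Monitoring alerts in the list
above. Added example; column names, allowlists, threshold and the sample rows
are constructed assumptions, not Salesforce's real schema or real logs."""
import csv
import io
from collections import defaultdict

APPROVED_APPS = {"Salesforce Data Loader", "Browser"}  # assumption: your connected-app allowlist
KNOWN_ASNS = {"AS64496"}                               # assumption: corporate / VPN egress ASNs
KNOWN_UA_PREFIXES = ("DataLoader/", "Mozilla/5.0")     # assumption: sanctioned client user agents
EXPORT_THRESHOLD = 100_000                             # rows per user+app in the window before alerting

# Constructed sample feed (assumed, simplified columns). Note the attacker's
# pattern: a new connected app is created, then two bulk exports run through it
# from an unfamiliar ASN with a scripting user agent.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_NAME,USER_AGENT,CLIENT_IP,ASN,ROWS_PROCESSED,ENTITY_NAME
API,20251103T090000,jane@corp.example,Salesforce Data Loader,DataLoader/62.0,203.0.113.10,AS64496,500,Account
API,20251103T090200,jane@corp.example,Salesforce Data Loader,DataLoader/62.0,203.0.113.10,AS64496,500,Account
Login,20251103T101500,bob@corp.example,Browser,Mozilla/5.0 (Windows NT 10.0),198.51.100.7,AS64496,0,
SetupAudit,20251103T130500,bob@corp.example,,,192.0.2.44,AS64500,0,createdConnectedApp:My Ticket Portal
Login,20251103T131000,bob@corp.example,My Ticket Portal,python-requests/2.32,192.0.2.44,AS64500,0,
BulkApi,20251103T131000,bob@corp.example,My Ticket Portal,python-requests/2.32,192.0.2.44,AS64500,180000,Contact
BulkApi,20251103T131500,bob@corp.example,My Ticket Portal,python-requests/2.32,192.0.2.44,AS64500,220000,Case
"""


def parse_events(text):
    """Parse the CSV feed into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_mass_export(rows, threshold=EXPORT_THRESHOLD):
    """Alert 1: total rows pulled per (user, connected app) above threshold.
    Aggregating defeats the trick of splitting an export into many small jobs."""
    totals = defaultdict(int)
    for r in rows:
        if r["EVENT_TYPE"] in ("API", "BulkApi"):
            totals[(r["USER_NAME"], r["CLIENT_NAME"])] += int(r["ROWS_PROCESSED"] or 0)
    return [("MASS_EXPORT", user, app, n)
            for (user, app), n in sorted(totals.items()) if n > threshold]


def flag_unapproved_apps(rows, approved=APPROVED_APPS):
    """Alert 2: new connected-app registrations, plus any API/login traffic
    from an app that is not on the allowlist (once per user+app)."""
    alerts, seen = [], set()
    for r in rows:
        if r["EVENT_TYPE"] == "SetupAudit" and r["ENTITY_NAME"].startswith("createdConnectedApp:"):
            app = r["ENTITY_NAME"].split(":", 1)[1]
            alerts.append(("NEW_OAUTH_APP", r["USER_NAME"], app, r["TIMESTAMP"]))
        elif r["EVENT_TYPE"] in ("API", "BulkApi", "Login") and r["CLIENT_NAME"] not in approved:
            key = (r["USER_NAME"], r["CLIENT_NAME"])
            if key not in seen:
                seen.add(key)
                alerts.append(("UNAPPROVED_APP_USE", r["USER_NAME"], r["CLIENT_NAME"], r["TIMESTAMP"]))
    return alerts


def flag_anomalous_logins(rows, known_asns=KNOWN_ASNS, known_ua=KNOWN_UA_PREFIXES):
    """Alert 3: logins from an ASN or with a user agent outside the allowlist."""
    alerts = []
    for r in rows:
        if r["EVENT_TYPE"] != "Login":
            continue
        reasons = []
        if r["ASN"] not in known_asns:
            reasons.append("asn")
        if not r["USER_AGENT"].startswith(known_ua):
            reasons.append("user-agent")
        if reasons:
            alerts.append(("ANOMALOUS_LOGIN", r["USER_NAME"], r["CLIENT_IP"], "+".join(reasons)))
    return alerts


def run_detections(text):
    """Run all three detections over a CSV feed and return the alerts."""
    rows = parse_events(text)
    return flag_mass_export(rows) + flag_unapproved_apps(rows) + flag_anomalous_logins(rows)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Two design points. Row totals are aggregated per user and app rather than checked per job, because the campaign’s exports ran as a series of API calls, not one giant job. And the user-agent check is deliberately the weakest of the three: the attackers spoofed legitimate client user agents, which is why the ASN and the row-count aggregate carry the real weight, and why an unapproved connected app should alert on its first call, before any volume has built up.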
The New Reality
In 2025, the most devastating breaches no longer start with a buffer overflow or a phishing link. They start with a phone call that sounds exactly like your vendor.
ShinyHunters didn’t break Salesforce. They convinced 760 companies to open the door and hand over the keys.
Trust-but-verify is dead in the SaaS era.
We are now firmly in verify-then-maybe-trust territory. Stay sharp.