Microsoft, AT&T, and Santander already know all about it: being hit by the hacker collective ShinyHunters. What’s known about their latest series of attacks on Salesforce environments, including those of Google, Air France-KLM, LVMH, and Adidas?
In recent weeks, many victims of data breaches have come to light. Google lost records of contacts with SMBs in a Salesforce instance, Air France-KLM disclosed names and air miles data via their CRM, and clothing giant LVMH (Louis Vuitton, Dior, Tiffany) was robbed of regional customer contact records.
The motivation of the alleged perpetrator, ShinyHunters, seems fairly straightforward. Unlike state actors, this group, formed in 2020, appears to be entirely financially motivated. By stealing sensitive data and selling it on the dark web, their business plan is a guaranteed success.
In 2020, Microsoft’s GitHub account was hit, followed by AT&T in 2021. The group also took advantage of the Snowflake attacks by targeting Ticketmaster and Santander, among others.
“Shiny” data
The name ShinyHunters is said to come from Pokémon. In that franchise, shiny monsters (also known as “shinies”) are rare and therefore coveted by collectors. The list of victims below shows that the hacker group deals in data that is equally coveted by cybercriminals and therefore carries a proverbial sheen of its own:
Google, Cisco, Air France-KLM: the most recent batch
As mentioned, Google was hit recently. Some customer data was stolen by UNC6040, the lesser-known but official designation for ShinyHunters. According to Google, the stolen data was fairly basic in nature and mostly publicly available, such as company names and phone numbers. However, it is unclear exactly how many customers were affected.
User accounts on Cisco.com also proved to be insecure. An incident of voice phishing (vishing) led to a breach here. Cisco became aware of the attack on July 24, as the company discovered that a CRM system had been compromised. Names, addresses, user IDs on Cisco.com, email addresses, phone numbers, and metadata were stolen. Cisco has not confirmed that it was a Salesforce environment that was specifically affected or that ShinyHunters is the suspected attacker, but the likelihood is very high given the wave of confirmed attacks.
We previously reported on the data breach at Air France-KLM. The airline also lost sensitive data such as email addresses and the status of users in its air miles program. However, only customers who had contacted customer service were affected, and information such as passwords and messages remained confidential.
Elsewhere and earlier: Qantas, Allianz Life, LVMH, Adidas, Chanel, Pandora
In addition to Air France-KLM, fellow airline Qantas was also affected. Here too, passenger data was involved, this time from CRM tables.
Allianz reported in July, just like Qantas, that it had been affected. The North American branch of Allianz Life had to deal with unauthorized CRM access. Again, it has not been confirmed for every victim that Salesforce and ShinyHunters were involved, but the victims reportedly received threatening emails demanding payment to prevent the data from being leaked.
Clothing company LVMH was not the only one in its industry to be targeted by ShinyHunters. Adidas lost customer service tickets, Chanel was robbed of a client care database, and Pandora lost customer profiles.
Conclusion: what now?
It must be said: this data does not appear to be publicly available at this time. However, there is a risk that the sensitive customer data has already been sold to the highest bidder on the dark web. In addition, paying the cybercriminals offers no guarantees: what if they collect a sum from the victim and then simply sell the data on?
Customers will need to be extra alert to suspicious emails, phone calls, and convincing phishing attempts. Potential attackers may know what someone has purchased or which flight they have taken, making a malicious link in a legitimate-looking email more likely to be clicked.