Hackers stole sensitive data from 2.8 million customers and business partners in an attack on insurer Allianz Life. The information was taken from Salesforce, the CRM system used by the company.
The attack is part of a broader campaign by the hacker group ShinyHunters. This campaign has affected several prominent organizations in recent weeks.
Allianz Life reported in July that personal data belonging to the majority of its 1.4 million customers had been stolen from an external supplier. Shortly afterwards, it emerged that this incident was linked to a wave of Salesforce attacks. The campaign also affected Google, Cisco, Air France-KLM, LVMH, Adidas, Chanel, Pandora, and Qantas.
The scale of this series of incidents is huge. Google lost customer data from SME clients from a Salesforce instance. However, Google emphasized that most of the stolen data was already public. Cisco fell victim to a phishing attack in which login details were stolen and a CRM system was compromised, resulting in the theft of names, addresses, email addresses, and phone numbers.
Air France-KLM saw customer email addresses and air miles status leaked, among other things. LVMH, Adidas, Chanel, and Pandora lost customer and service data.
ShinyHunters has been active for five years
ShinyHunters, active since 2020, focuses primarily on financial gain. By stealing sensitive data and selling it on the dark web, or by extorting victims, the group generates considerable income. The group has previously been linked to breaches at Microsoft, AT&T, and Santander, and to the Snowflake attacks on Ticketmaster, among others. Their name refers to shiny Pokémon, a metaphor for the valuable data they seek.
According to BleepingComputer, during the attack on Allianz Life, criminals stole complete Salesforce tables containing accounts and contacts. This included names, addresses, dates of birth, tax numbers, and professional details of intermediaries. Research indicates that ShinyHunters uses social engineering to trick employees into granting a malicious OAuth app access to Salesforce. Once the app is authorized, the attackers can export whole databases through that legitimate access, without exploiting any technical vulnerability.
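Because the technique described above abuses a legitimately authorized app rather than a software flaw, the defender's signal is behavioral: a newly authorized connected app pulling entire tables shortly after the grant. The following is an added example, not code from the article or from Allianz Life or Salesforce; it runs a simple correlation rule over constructed sample events in a simplified, hypothetical record shape (the field names and app names are assumptions, not a real Salesforce log format).

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical simplified shape, not a real Salesforce
# event format): a user authorizes a connected app, and that app then exports
# whole Account and Contact tables a few minutes later.
SAMPLE_EVENTS = [
    {"ts": "2025-07-16T09:02:11", "user": "agent1", "event": "OAuthGrant",
     "app": "Contact Sync Tool", "object": None, "rows": 0},
    {"ts": "2025-07-16T09:05:40", "user": "agent1", "event": "BulkApiExport",
     "app": "Contact Sync Tool", "object": "Account", "rows": 512000},
    {"ts": "2025-07-16T09:09:03", "user": "agent1", "event": "BulkApiExport",
     "app": "Contact Sync Tool", "object": "Contact", "rows": 2300000},
    # A vetted backup job exporting the same table should not be flagged.
    {"ts": "2025-07-16T10:00:00", "user": "svc-backup", "event": "BulkApiExport",
     "app": "Nightly Backup", "object": "Contact", "rows": 2300000},
]

# Hypothetical allow-list of connected apps that have been reviewed and approved.
APPROVED_APPS = {"Nightly Backup"}


def find_suspicious_exports(events, window=timedelta(hours=1), min_rows=100000):
    """Return (app, user, object, rows) for each bulk export performed by a
    connected app that is not on the allow-list and was OAuth-authorized by the
    same user within `window` before the export.  Events may arrive unsorted."""
    grants = {}   # (user, app) -> timestamp of the most recent OAuth grant
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["app"])
        if e["event"] == "OAuthGrant":
            grants[key] = t
        elif e["event"] == "BulkApiExport" and e["app"] not in APPROVED_APPS:
            granted = grants.get(key)
            recent = granted is not None and (t - granted) <= window
            if recent and e["rows"] >= min_rows:
                hits.append((e["app"], e["user"], e["object"], e["rows"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_exports(SAMPLE_EVENTS):
        print("suspicious bulk export:", hit)
```

A real deployment would read the equivalent fields from the platform's own audit or event logs and tune the window and row threshold to the organization's normal integration traffic.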
Although not all of the stolen data has been made public yet, there is a risk that it will still be sold on the dark web. Customers are advised to be alert to phishing and other targeted fraud attempts.