Allianz Life Salesforce Data Breach: Scattered Spider & ShinyHunters Attack
Over 2.8M Allianz Life records were exposed via a Salesforce CRM breach linked to Scattered Spider & ShinyHunters. Discover how it happened, who’s behind it, and how to harden SaaS security.
Note: This campaign is still ongoing, with new breaches surfacing daily.
What Happened: In one of 2025’s most significant Salesforce data breaches, hackers linked to Scattered Spider and ShinyHunters (also known as UNC6040) exfiltrated over 2.8 million Allianz Life customer and partner records. This incident is part of a wider UNC6040 campaign, with past victims including Google, Adidas, Air France, and other industry giants.
Attacks In-Depth: These attacks signal a troubling escalation, with ShinyHunters joining forces with another threat group, Scattered Spider, to expand reach and capability.
According to ShinyHunters, “They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances” (source: Bleeping Computer).
Attack Techniques: The ShinyHunters threat group is notorious for advanced vishing attacks that exploit human error to gain Salesforce CRM access, bypassing technical defenses.
Data Target: The groups focus on Salesforce environments for initial access and lateral movement, exfiltrating large datasets of customer and partner information for sale, extortion or public leak.
Prior Incidents: Approximately 20 organizations across Europe and the Americas—including sectors like retail, education, hospitality, aviation, fashion, luxury, finance, and tech—have been affected. Confirmed victims include Google, Adidas, LVMH (Dior, Louis Vuitton, Tiffany & Co.), Pandora, Qantas, and Air France, among others. For more information on prior attacks, see here.
Why This Matters:
It is critical to note that these incidents do not indicate any inherent vulnerability in Salesforce. These breaches highlight the importance of the shared responsibility model, where organizations must properly secure their accounts, credentials, and access controls in addition to Salesforce’s built-in protections.
Taking a Step Back:
SaaS is a massive blind spot for most organizations. While investments flow into traditional defenses like zero trust architecture and IdP, attackers are targeting SaaS, where visibility is low and controls are fragmented.
Threat actors are increasingly sophisticated, and with the rise of AI tools, it is likely that attacks will become more frequent and harder to detect. AI can enable more convincing phishing campaigns, automate reconnaissance, and scale attacks, raising the stakes for organizations everywhere.
Humans are often the weakest link in the security chain. Despite robust technical safeguards, social engineering tactics like vishing exploit human vulnerabilities, leading to unintentional security breaches.
Prevention Methods:
General Strategies:
Ensure visibility and monitoring over SaaS applications. SaaS attacks are up 300% year over year, highlighting the need for proactive security.
Educate staff on vishing and social engineering threats
Educate staff on fake SSO phishing sites
Ensure staff are only granted the permissions needed for their role
Control access to Connected Applications
Restrict access to named IP ranges
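As an added example (not code from the original post or from Obsidian), the two controls above can also be turned into a simple detection rule: review successful Salesforce logins and flag any that come from outside the named IP ranges or through a connected app that was never approved. The record fields are assumed to mirror Salesforce LoginHistory (Application, SourceIp, Status, UserId); the allow-lists and login records are constructed.

```python
# Added example: flag Salesforce logins outside named IP ranges or via an
# unapproved connected app. Field names are an assumption modelled on the
# Salesforce LoginHistory object; all values below are constructed.
import ipaddress

# Assumed allow-lists an admin would maintain for the org (constructed).
NAMED_IP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
APPROVED_APPS = {"Browser", "Salesforce for Outlook", "Data Loader (corp-signed)"}

# Constructed login records: a normal session, an unknown connected app
# (the pattern a vishing-delivered OAuth app produces), a login from outside
# the named ranges, one with both problems, and a failed attempt.
SAMPLE_LOGINS = [
    {"UserId": "alice@example.com", "Application": "Browser", "SourceIp": "203.0.113.17", "Status": "Success"},
    {"UserId": "bob@example.com", "Application": "My Ticket Portal", "SourceIp": "203.0.113.40", "Status": "Success"},
    {"UserId": "carol@example.com", "Application": "Browser", "SourceIp": "192.0.2.99", "Status": "Success"},
    {"UserId": "dave@example.com", "Application": "Unknown Loader", "SourceIp": "192.0.2.5", "Status": "Success"},
    {"UserId": "erin@example.com", "Application": "Unknown Loader", "SourceIp": "192.0.2.5", "Status": "Failed"},
]

def in_named_ranges(ip: str) -> bool:
    """True if the source address falls inside one of the org's named ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_IP_RANGES)

def review_login(rec: dict) -> list:
    """Return the findings for one login record; an empty list means clean."""
    findings = []
    if rec["Status"] != "Success":
        return findings  # failed logins belong to a separate brute-force rule
    if not in_named_ranges(rec["SourceIp"]):
        findings.append("login outside named IP ranges")
    if rec["Application"] not in APPROVED_APPS:
        findings.append("unapproved connected app: " + rec["Application"])
    return findings

def triage(records: list) -> dict:
    """Map each user with findings to their findings; clean users are omitted."""
    return {r["UserId"]: f for r in records if (f := review_login(r))}

if __name__ == "__main__":
    for user, findings in triage(SAMPLE_LOGINS).items():
        print(user, "->", "; ".join(findings))
```

In a real deployment the same rule runs over LoginHistory exports or Event Monitoring data on a schedule, and any hit on the connected-app check is a prompt to review that app's OAuth scopes before it can be used for a bulk export.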
For Obsidian customers:
Monitor Obsidian alerts for any related to Salesforce or Okta
Consistently review native and 3rd-Party application integrations in your core SaaS applications. Obsidian's Integration Risk Management (IRM) capabilities allow you to not only monitor addition or modification of privileges/scopes but also allows you to gain visibility into how these integrations are being used or interacted with.
Use Obsidian’s Browser Extension to detect and automatically block Account Takeovers (ATO) from advanced phishing kits (such as Evilginx reverse proxy websites).