Google Reports Salesforce Hack, ShinyHunters Plans to Launch Data Breach Site

There have been some substantial developments in the two biggest hacking campaigns of the summer. ShinyHunters and Scattered Spider may have officially joined forces, and ShinyHunters is also said to be launching its own leak site to put more pressure on the victims of its data breaches. The news comes from Google Threat Intelligence, which also confirmed that it experienced its own Salesforce hack two months ago.

Data breaches may be the work of a “merged” ShinyHunters + Scattered Spider

There was initially some confusion about which group was responsible for which data breach, but it was eventually sorted out that ShinyHunters was participating in a string of similar Salesforce hacks and was the party contacting victims and shaking them down for ransom payments. It turns out that the two groups may have had a working relationship this entire time, and more recently may have fully merged.

ShinyHunters is also said to be launching its own data leak site. Another unique part of the pattern of the Salesforce hacks was that the victims were contacted privately and threatened with sale of the stolen data rather than public dumping. Ransomware was also not deployed, a major difference from the Scattered Spider approach. It remains to be seen if ShinyHunters will also escalate to using ransomware during data breaches if it does take the next step of setting up a leak site.

It’s not yet fully confirmed that the two hacking groups did merge, but if they did it may have been to complement each other’s skills. Scattered Spider is best known for achieving initial entry by using its English-speaking members to engage in social engineering over the phone. ShinyHunters may be handling rapid lateral movement and data exfiltration once the system is compromised. The two groups have also both experienced arrest waves recently that may have put  a dent in manpower and capability.

Google says its own Salesforce hack was minor

As for Google’s own Salesforce hack, the Threat Intelligence team said that it involved the contact information of an unspecified number of small to medium businesses and was not considered a serious issue as the tranche of data was “largely public” anyway. The company did not disclose the breach until two months after it began warning about the ShinyHunters campaign, however.

Security researchers knew that Scattered Spider had adopted a more “fluid” posture post-2024 that invited other criminal groups in for collaboration, and that ShinyHunters was at least referencing the group in its attacks. But there now seems to be more solid information that the two groups are intertwined, quite possibly jointly responsible for the string of Salesforce hacks and data breaches as of late.

As to who should expect to be targeted going forward, the addition of ShinyHunters to the mix complicates things more. Scattered Spider followed a fairly straightforward pattern of attacking the help desks of specific industries for weeks before moving on. ShinyHunters seems to prefer abusing known vulnerabilities and tricks for as long as they can, wherever they might find the opportunity (reflected by their 2024 campaign against Snowflake storage accounts harboring poorly protected defunct logins).

Either way, both groups lean on fairly repetitive and predictable approaches to rack up a high volume of data breaches in a short time. All types of organizations and industries need to be aware of their present tactics and on guard, ideally taking this opportunity to re-evaluate trust and privilege distribution and if MFA solutions are suitably resistant to phishing.