ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat
- Apr 2
Key Findings
- ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records
- The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts
- Stolen data allegedly includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data
- Screenshots provided by the group show access to AWS organizational dashboards and infrastructure, suggesting broad cloud environment visibility
- The threat includes unspecified "digital problems" beyond data leaks if Cisco does not make contact before the deadline
- This incident comes days after the same group leaked 350GB of European Commission data
Background
ShinyHunters is a threat group that Google Threat Intelligence designated as UNC6040 in August 2025. The group has built a pattern of targeting Salesforce-related data across multiple organizations over the past year, publishing samples on dark web leak sites to verify their claims. They typically claim entry points through misconfigurations, compromised credentials, or third-party integrations rather than Salesforce platform vulnerabilities. The group has previously targeted high-profile companies including Odido, Telus Digital, SoundCloud, GAP, Qantas, and major fashion brands like Gucci and Balenciaga.
UNC6040 and Vishing Campaigns
The ShinyHunters group has explicitly linked their claims to UNC6040, a campaign Cisco itself documented involving voice phishing attacks against employees. By making this connection, the group has essentially acknowledged its involvement in at least part of the alleged breach and indicated that social engineering played a role beyond just Salesforce-related vulnerabilities. This suggests attackers used vishing to gain initial access to internal systems rather than relying solely on cloud service misconfigurations.
AWS Access Evidence
The group shared three screenshots allegedly showing access to Cisco's AWS environment. While the images do not contain sensitive data themselves, they display organizational dashboards, storage volumes, and bucket listings. The presence of organization-level views is particularly significant because this typically indicates access to multiple linked accounts and services under centralized management rather than isolated systems. This level of visibility suggests the attackers gained broader infrastructure access than a single compromised account would provide.
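The organization-level view described above leaves a trail in CloudTrail: calls to AWS Organizations enumeration APIs and read activity fanning out across several member accounts from one principal. The following added example (not from the article or its sources) flags both patterns over constructed CloudTrail-format records; the principal names, account IDs and IP addresses are invented placeholders.

```python
import json
from collections import defaultdict

# Organizations read APIs: use by an unexpected principal reveals the same
# organization-wide view that the leaked dashboard screenshots imply.
ORG_LEVEL_EVENTS = {"DescribeOrganization", "ListAccounts", "ListRoots"}

# Constructed sample records in CloudTrail field layout (not real Cisco data):
# one principal enumerates the organization and then lists S3 buckets in other
# member accounts; a second principal only reads within its own account.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-svc"},
     "eventSource": "organizations.amazonaws.com", "eventName": "ListAccounts",
     "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.7"},
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-svc"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.7"},
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-svc"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "recipientAccountId": "333333333333", "sourceIPAddress": "203.0.113.7"},
    {"userIdentity": {"arn": "arn:aws:iam::222222222222:role/ci-deploy"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "recipientAccountId": "222222222222", "sourceIPAddress": "198.51.100.9"},
]})


def org_visibility_findings(cloudtrail_json, account_threshold=3):
    """Flag principals showing organization-level visibility: a call to an
    Organizations enumeration API, or read activity touching at least
    `account_threshold` distinct accounts. Returns a list of findings."""
    per_principal = defaultdict(
        lambda: {"org_calls": set(), "accounts": set(), "ips": set()})
    for rec in json.loads(cloudtrail_json)["Records"]:
        entry = per_principal[rec.get("userIdentity", {}).get("arn", "unknown")]
        entry["accounts"].add(rec["recipientAccountId"])
        entry["ips"].add(rec.get("sourceIPAddress", "?"))
        if (rec["eventSource"] == "organizations.amazonaws.com"
                and rec["eventName"] in ORG_LEVEL_EVENTS):
            entry["org_calls"].add(rec["eventName"])
    findings = []
    for arn, entry in per_principal.items():
        reasons = []
        if entry["org_calls"]:
            reasons.append("organizations API: " + ", ".join(sorted(entry["org_calls"])))
        if len(entry["accounts"]) >= account_threshold:
            reasons.append(f"activity across {len(entry['accounts'])} accounts")
        if reasons:  # only principals matching at least one pattern are reported
            findings.append({"principal": arn, "accounts": sorted(entry["accounts"]),
                             "source_ips": sorted(entry["ips"]), "reasons": reasons})
    return findings
```

In a real environment the same logic runs over CloudTrail exports from the management account, with the Organizations API hits alone usually being worth a ticket.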
ShinyHunters' Salesforce Targeting History
ShinyHunters has repeatedly claimed access to Salesforce-related data from multiple organizations, often pointing to misconfigurations and compromised credentials as entry vectors. Their past incidents followed a consistent pattern where data was initially listed on leak sites with limited details, then full dumps were published when companies refused to engage. Previous leaks included customer records, internal communications, and operational data pulled from connected systems. The group's track record suggests they follow through on public threats when organizations do not respond to demands.
Verification and Response
Cisco has not yet publicly confirmed or denied the breach claims as of this reporting. The accuracy of ShinyHunters' allegations can only be verified by Cisco itself through direct investigation and forensic analysis of their systems and AWS accounts.
Sources
https://hackread.com/shinyhunters-hackers-cisco-records-data-leak/
https://socradar.io/blog/trivy-cisco-breach-shinyhunters/