Hackers Expose Allianz Life Data Stolen in Salesforce Breach


Allianz Life, a major US insurance firm, has had roughly 2.8 million sensitive records exposed after data stolen in the ongoing wave of Salesforce attacks was leaked. The records contain information on both business partners and customers, and the leak is the latest in a string of coordinated intrusions against Salesforce customers.

Last month, Allianz Life disclosed a data breach that compromised the personal information of the majority of its 1.4 million customers. The intrusion, which occurred on July 16, involved a third-party, cloud-based Customer Relationship Management (CRM) system; the company did not name the provider. BleepingComputer later reported that the breach is part of a larger wave of coordinated attacks on Salesforce instances by the cybercriminal group known as ShinyHunters.

This past weekend, ShinyHunters collaborated with other threat actors, allegedly associated with groups like “Scattered Spider” and “Lapsus$,” to establish a Telegram channel provocatively named “ScatteredLapsuSp1d3rHunters.” Through this platform, they not only took credit for multiple high-profile breaches but also taunted cybersecurity experts, law enforcement, and journalists. Among the previously unattributed attacks, those on platforms such as the Internet Archive, Pearson, and Coinbase have now been linked to this emerging consortium of cybercriminals.

In the case of Allianz Life, the hackers proceeded to leak comprehensive databases extracted from the company’s Salesforce systems. The compromised data includes sensitive details from Salesforce’s “Accounts” and “Contacts” tables, comprising approximately 2.8 million records associated with individual customers, wealth management firms, brokers, and financial advisors. This information encompasses personal identifiers, including names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, alongside professional credentials such as licenses and firm affiliations.

BleepingComputer managed to confirm the authenticity of some leaked data, with multiple individuals verifying that their phone numbers, email addresses, and other personal information aligned with what was published in the breach. Upon inquiry, Allianz Life refrained from commenting further, citing an ongoing investigation.

The Salesforce data-theft campaign appears to have begun at the start of the year. It relies heavily on social engineering: employees are manipulated into authorizing a malicious OAuth connected application against their company's Salesforce instance. Once the app is connected, its API access lets the attackers export entire databases, which are later used to extort the affected companies.
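The two observable steps in that chain, a newly authorized connected app with broad scopes followed by a large export shortly afterwards, are what a defender would hunt for. The following is an added example written for this article, not code from Allianz Life, Salesforce or BleepingComputer. The event schema (fields `time`, `user`, `event`, `app`, `scopes`, `object`, `records`), the `SAMPLE_EVENTS` rows, the `KNOWN_APPS` allowlist and the thresholds are all assumptions constructed for illustration; real Salesforce Setup Audit Trail and EventLogFile rows use different columns and would need to be mapped onto this shape first.

```python
"""Flag suspicious OAuth connected-app activity in Salesforce-style audit events.

Added example, not Allianz Life's or Salesforce's code. The event schema below is an
assumption made for illustration; it is not the real Salesforce EventLogFile format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "oauth_app_authorized" stands in for a
# user approving a connected app; "bulk_query" for an API export of one object.
SAMPLE_EVENTS = [
    {"time": "2025-07-16T09:02:11Z", "user": "jdoe", "event": "oauth_app_authorized",
     "app": "Data Loader", "scopes": ["api", "refresh_token"]},
    {"time": "2025-07-16T09:05:40Z", "user": "jdoe", "event": "oauth_app_authorized",
     "app": "My Ticket Portal", "scopes": ["full", "refresh_token"]},
    {"time": "2025-07-16T09:07:03Z", "user": "jdoe", "event": "bulk_query",
     "app": "My Ticket Portal", "object": "Account", "records": 900_000},
    {"time": "2025-07-16T09:15:52Z", "user": "jdoe", "event": "bulk_query",
     "app": "My Ticket Portal", "object": "Contact", "records": 1_900_000},
    {"time": "2025-07-16T10:00:00Z", "user": "asmith", "event": "bulk_query",
     "app": "Data Loader", "object": "Contact", "records": 2_000},
]

KNOWN_APPS = {"Data Loader"}                      # assumed allowlist of sanctioned apps
BROAD_SCOPES = {"full", "api", "refresh_token"}   # real Salesforce OAuth scope names
EXPORT_THRESHOLD = 100_000                        # records one app may pull in the window
WINDOW = timedelta(hours=1)                       # export window after authorization


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_apps(events, known_apps=KNOWN_APPS,
                         threshold=EXPORT_THRESHOLD, window=WINDOW):
    """Return {app: [reasons]} for connected apps that
    (a) were authorized, are not on the allowlist, and hold broad scopes, and/or
    (b) exported more than `threshold` records within `window` of authorization."""
    findings = defaultdict(list)
    authorized_at = {}
    events = sorted(events, key=lambda e: parse_time(e["time"]))

    # Pass 1: record authorization times and flag unsanctioned broad-scope grants.
    for e in events:
        if e["event"] != "oauth_app_authorized":
            continue
        app = e["app"]
        authorized_at[app] = parse_time(e["time"])
        broad = BROAD_SCOPES & set(e["scopes"])
        if app not in known_apps and broad:
            findings[app].append(
                f"unsanctioned app authorized by {e['user']} with scopes {sorted(broad)}")

    # Pass 2: sum records exported per app inside the window after its authorization.
    pulled = defaultdict(int)
    for e in events:
        if e["event"] != "bulk_query":
            continue
        start = authorized_at.get(e["app"])
        when = parse_time(e["time"])
        if start is not None and start <= when <= start + window:
            pulled[e["app"]] += e["records"]
    for app, count in pulled.items():
        if count > threshold:
            findings[app].append(
                f"{count} records exported within {window} of authorization")

    return dict(findings)


if __name__ == "__main__":
    for app, reasons in find_suspicious_apps(SAMPLE_EVENTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone it reports only "My Ticket Portal": it was authorized off-allowlist with the `full` scope, and pulled 2.8 million Account and Contact rows within ten minutes. The sanctioned "Data Loader" app, with a small export by a different user, produces nothing. The thresholds are deliberately simple; in practice they would be tuned per org, and the allowlist would come from the connected-app settings rather than a constant.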

Extortion demands were sent to the companies by email in the name of ShinyHunters, a group behind a long list of high-profile breaches, including those involving AT&T, PowerSchool, and Snowflake. While ShinyHunters normally targets cloud SaaS applications and databases directly, the reliance on social engineering in this campaign is a deviation that some analysts believe points to the involvement of Scattered Spider.

However, representatives of ShinyHunters have told BleepingComputer that ShinyHunters and Scattered Spider are essentially one and the same entity, claiming that Scattered Spider provides initial access while they handle the database exfiltration, a division of labour they say they also used in the Snowflake attacks. Some of the members involved are believed to have roots in Lapsus$, a group active in 2022 and 2023 before several of its members were arrested.

In MITRE ATT&CK terms, the campaign combines phishing of employees (T1566, here by social engineering rather than a malicious attachment) with abuse of a user-granted OAuth token (T1528, Steal Application Access Token) for initial access, followed by bulk export of the CRM data over the application's own API (T1567, Exfiltration Over Web Service). The practical defences follow from that chain: restrict which connected apps users may authorize, review connected-app grants and their scopes, and alert on unusually large API or bulk-query exports. Given how quickly these techniques are being reused across victims, organisations running Salesforce should treat those controls as a priority rather than an afterthought.
