Cisco Faces New Data Breach Ultimatum After ShinyHunters Exposes FBI, NASA Records
In March 2026, the ShinyHunters ransomware group claimed to have breached Cisco's Salesforce CRM, GitHub repositories, and AWS S3 buckets, stealing over 3 million records that include personnel data from U.S. agencies such as the FBI, DHS, IRS and NASA, as well as from Australian and Indian government entities, and issued an ultimatum for Cisco to respond by April 3.
In March 2026, the notorious ransomware group ShinyHunters targeted Cisco, asserting that it had infiltrated the company's Salesforce CRM system, GitHub code repositories, and AWS S3 storage, exfiltrating more than 3 million records containing sensitive personal information.
Among the leaked data are personnel records from U.S. federal agencies—including the FBI, Department of Homeland Security, Department of Defense Information Systems Agency, IRS, and NASA—as well as Australian Defence and multiple Indian government bodies.
The group, also known as UNC6040 and UNC6395, specializes in large‑scale data theft through a combination of social engineering and vulnerability exploitation. Their latest campaign began with a classic vishing (voice‑phishing) attack that tricked Cisco support staff into authorising a malicious third‑party Salesforce application, granting it an OAuth token.
Once OAuth access was granted, the attackers used the token to bypass MFA, password resets, and login monitoring, because the token appeared to be a legitimate Salesforce‑issued credential.
ShinyHunters then employed the open‑source tool AuraInspector to automatically scan Salesforce Experience Cloud (Aura) configurations for misconfigured "guest access" permissions. This scan identified 300–400 vulnerable Salesforce environments, including Cisco's.
After gaining Salesforce access, the attackers moved laterally, using the compromised tokens to harvest additional credentials such as AWS access keys, passwords, and Snowflake tokens. These credentials opened Cisco’s cloud assets—AWS S3 buckets and GitHub repositories—to full extraction.
The article notes that this is not Cisco’s first breach of this type. In October 2024, the IntelBroker group claimed to have downloaded 4.5 TB of data from Cisco’s public DevHub environment, including source code, hard‑coded credentials, API tokens, and private AWS buckets. In August 2025, another CRM breach occurred via a similar vishing attack, with investigators linking the actors to ShinyHunters.
These repeated incidents highlight a persistent security blind spot: inadequate oversight of third‑party OAuth applications and insufficient employee training against phone‑based social engineering.
Key defensive recommendations from the analysis include:
Remove unknown third‑party plugins from the corporate Salesforce environment.
Revoke all unrecognised OAuth tokens.
Conduct regular audits of authorised applications.
Monitor for anomalous data exports via Salesforce Data Loader.
Deploy anomaly detection alerts for API calls.
Provide targeted training on phone‑induced authorisations.
Implement a strict internal verification process for any phone‑based access requests.
Adopt a zero‑trust phone verification mechanism organisation‑wide.
Enforce least‑privilege principles on AWS IAM roles.
Rotate access keys and tokens regularly.
Enable detailed audit logging for cloud environments.
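As an added illustration of the audit and export‑monitoring items above (not code from the article, from Cisco or from Salesforce), this Python script walks constructed API‑usage log rows loosely modelled on the columns of Salesforce's EventLogFile API event type (the column names, the approved‑app list and the row threshold are all assumptions) and flags connected apps that are absent from the approved list or that read more rows than the threshold in the log window.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real Cisco or Salesforce data), loosely modelled on the
# columns of Salesforce's EventLogFile "API" event type; the exact column names are an
# assumption. CLIENT_NAME carries the calling app's self-reported name and version.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20260330091500.000,005A1,Sales Dashboard/1.0,query,Opportunity,200
API,20260330092000.000,005B2,Data Loader Bulk/64.0,query,Contact,120000
API,20260330092100.000,005B2,Data Loader Bulk/64.0,query,Account,85000
API,20260330093000.000,005C3,Acme Ticket Sync/2.1,query,Case,50
API,20260330094500.000,005B2,Data Loader Bulk/64.0,query,Lead,60000
"""

# Hypothetical allowlist of connected apps the org has actually reviewed and approved.
APPROVED_CLIENTS = {"Sales Dashboard", "Acme Ticket Sync"}
ROW_THRESHOLD = 100_000  # rows read by one client in the log window before we alert

def client_base(client_name):
    """Strip the version suffix ("Data Loader Bulk/64.0" -> "Data Loader Bulk")."""
    return client_name.split("/", 1)[0]

def review(log_text, approved=APPROVED_CLIENTS, threshold=ROW_THRESHOLD):
    """Return [(client, sorted users, [reasons])] for clients worth an analyst's look."""
    rows_by_client = defaultdict(int)
    users_by_client = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        # Only read-type API calls are counted; other event types are ignored here.
        if rec["EVENT_TYPE"] != "API" or rec["METHOD_NAME"] != "query":
            continue
        client = client_base(rec["CLIENT_NAME"])
        rows_by_client[client] += int(rec["ROWS_PROCESSED"])
        users_by_client[client].add(rec["USER_ID"])
    alerts = []
    for client, rows in rows_by_client.items():
        reasons = []
        if client not in approved:
            reasons.append("client not on the approved connected-app list")
        if rows >= threshold:
            reasons.append(f"{rows} rows read in window (threshold {threshold})")
        if reasons:
            alerts.append((client, sorted(users_by_client[client]), reasons))
    return alerts

if __name__ == "__main__":
    for client, users, reasons in review(SAMPLE_LOG):
        print(f"{client} (users {', '.join(users)}): {'; '.join(reasons)}")
```

In a real deployment the same two checks would run over the org's actual EventLogFile exports and its list of installed connected apps, with the threshold tuned to normal integration volume.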
The deadline set by the attackers—April 3, 2026—remains less than 24 hours away, and the security community watches closely to see how Cisco will respond.
Black & White Path