
Hackers leak Allianz Life knowledge stolen in Salesforce assaults

Hackers have leaked stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.

Last month, Allianz Life disclosed that it suffered a data breach when the personal information of the “majority” of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16.

While the company did not name the provider, BleepingComputer first reported that the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.

Over the weekend, ShinyHunters and other threat actors claiming overlap with “Scattered Spider” and “Lapsus$” created a Telegram channel called “ScatteredLapsuSp1d3rHunters” to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.

Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.

One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the full databases that were stolen from the company’s Salesforce instances.

These files consist of the Salesforce “Accounts” and “Contacts” database tables, containing roughly 2.8 million data records for individual customers and business partners, such as wealth management firms, brokers, and financial advisors.

The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.

BleepingComputer has been able to confirm with multiple individuals that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database.

BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing.

The Salesforce data-theft attacks

The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company by email.

Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the Snowflake attacks.
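The attack chain described above (an employee is talked into authorizing an unvetted OAuth connected app, and that app is then used to pull whole tables) leaves a detectable pattern: a connected-app authorization by a user, followed shortly by a very large export through the same app. The following is an added example of that correlation check; it is not code from the article or from Salesforce. The event schema (fields `ts`, `event`, `user`, `app`, `records`), the allow-list `APPROVED_APPS`, and the sample events are all constructed assumptions for this example; a real Salesforce Event Monitoring feed uses its own field names and would need mapping onto this shape.

```python
"""Flag bulk exports through connected apps that were not approved,
especially ones authorized by the same user shortly beforehand.

Added illustrative example, not the article's or Salesforce's code. The
event schema and the sample data below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of connected apps reviewed and approved by the org.
APPROVED_APPS = {"CorpMailSync", "CorpReporting"}

# Constructed sample events (not real logs). "bob" authorizes an unknown
# app which then pulls 1.4 million records within fifteen minutes;
# "carol" exports through an unapproved app with no authorization on record.
SAMPLE_EVENTS = [
    {"ts": "2025-07-16T09:02:00", "event": "app_authorized", "user": "alice", "app": "CorpMailSync", "records": 0},
    {"ts": "2025-07-16T09:10:00", "event": "app_authorized", "user": "bob", "app": "DataLoaderX", "records": 0},
    {"ts": "2025-07-16T09:25:00", "event": "bulk_export", "user": "bob", "app": "DataLoaderX", "records": 1_400_000},
    {"ts": "2025-07-16T10:00:00", "event": "bulk_export", "user": "alice", "app": "CorpReporting", "records": 5_000},
    {"ts": "2025-07-16T11:00:00", "event": "bulk_export", "user": "carol", "app": "OldTool", "records": 200_000},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the assumed event schema."""
    return datetime.fromisoformat(value)


def find_suspicious_exports(events, approved=APPROVED_APPS,
                            window=timedelta(hours=24), min_records=100_000):
    """Return (user, app, records, reason) for every bulk export of at least
    `min_records` through an app that is not on the allow-list.

    reason is "recently_authorized" when the same user authorized that app
    within `window` before the export (the pattern in the article), and
    "unapproved_app" otherwise.
    """
    # Index authorization times per (user, app) pair.
    auth_times = defaultdict(list)
    for e in events:
        if e["event"] == "app_authorized":
            auth_times[(e["user"], e["app"])].append(parse_ts(e["ts"]))

    alerts = []
    for e in events:
        if e["event"] != "bulk_export" or e["app"] in approved:
            continue
        if e["records"] < min_records:
            continue
        exported_at = parse_ts(e["ts"])
        recent_auth = any(
            timedelta(0) <= exported_at - authorized_at <= window
            for authorized_at in auth_times[(e["user"], e["app"])]
        )
        reason = "recently_authorized" if recent_auth else "unapproved_app"
        alerts.append((e["user"], e["app"], e["records"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The allow-list is the important control: an export through an app nobody reviewed is worth a ticket on its own, and the short gap between authorization and a full-table pull is what distinguishes a freshly socially engineered connection from a long-standing integration.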

While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider.

However, ShinyHunters told BleepingComputer that the “ShinyHunters” group and “Scattered Spider” are now one and the same.

“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer.

“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”

It is also believed that many of the group’s members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested.

Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA.

Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to get past the IT defenses of billion- and trillion-dollar companies.

Over the past few years, there have been many arrests linked to all three collectives, so it is not clear whether the current threat actors are the old threat actors, new ones who have picked up the mantle, or people simply using these names to plant false flags.
