Hackers have leaked stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.
Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th.
While the company did not name the provider, BleepingComputer first reported that the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.
Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.
Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.
One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the full databases that were stolen from the company's Salesforce instances.
These files contain the Salesforce "Accounts" and "Contacts" database tables, holding roughly 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.
The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.
BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database.
BleepingComputer contacted Allianz Life about the leaked database but was told that the company could not comment as the investigation is ongoing.
The Salesforce data-theft assaults
The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company via email.
Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the Snowflake attacks.
While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider.
However, ShinyHunters told BleepingComputer that the "ShinyHunters" group and "Scattered Spider" are now one and the same.
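As an added illustration (not part of the article, and not code from Allianz Life, Salesforce, or BleepingComputer), the detection sketch below targets the pattern just described: a connected OAuth app that was authorized only recently, or is not on an allowlist of vetted apps, and then pulls a large volume of Account or Contact rows. The event format, field names, app names, thresholds and the 72-hour window are all constructed assumptions standing in for real Salesforce setup-audit and API logs, whose field names differ and would need to be mapped.

```python
"""Flag bulk CRM exports by newly authorized or unvetted connected apps.

Added example, not the article's or any vendor's code. The event schema
below is a constructed, simplified stand-in for Salesforce setup-audit
(connected-app authorization) and API usage logs.
"""
from datetime import datetime, timedelta

# Constructed sample events, already parsed into dicts (one per log line).
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T09:02:11Z", "type": "oauth_app_authorized",
     "user": "jdoe", "app": "Data Loader", "source_ip": "203.0.113.10"},
    {"ts": "2025-07-16T13:40:05Z", "type": "oauth_app_authorized",
     "user": "asmith", "app": "My-Ticket-Portal", "source_ip": "198.51.100.7"},
    {"ts": "2025-07-16T13:41:30Z", "type": "bulk_export", "user": "asmith",
     "app": "My-Ticket-Portal", "object": "Account", "rows": 1_200_000},
    {"ts": "2025-07-16T13:55:12Z", "type": "bulk_export", "user": "asmith",
     "app": "My-Ticket-Portal", "object": "Contact", "rows": 1_600_000},
    {"ts": "2025-07-16T15:10:00Z", "type": "bulk_export", "user": "jdoe",
     "app": "Data Loader", "object": "Account", "rows": 2_500},
]

# Constructed allowlist of connected apps the org has actually vetted.
APPROVED_APPS = {"Data Loader"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_exports(events, approved_apps=APPROVED_APPS,
                            window=timedelta(hours=72), row_threshold=100_000):
    """Return alerts for high-volume exports by apps that are unvetted or
    were authorized for that user within `window` before the export.

    A large export on its own is normal for a vetted integration; the
    signal is the combination with a fresh or unknown app authorization.
    """
    first_auth = {}  # (user, app) -> time the app was first authorized
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["user"], ev["app"])
        t = parse_ts(ev["ts"])
        if ev["type"] == "oauth_app_authorized":
            first_auth.setdefault(key, t)
            continue
        if ev["type"] != "bulk_export":
            continue
        high_volume = ev["rows"] >= row_threshold
        unvetted = ev["app"] not in approved_apps
        auth_t = first_auth.get(key)
        recent = auth_t is not None and (t - auth_t) <= window
        if high_volume and (unvetted or recent):
            reasons = []
            if unvetted:
                reasons.append("app not on allowlist")
            if recent:
                reasons.append(f"app authorized {t - auth_t} before export")
            alerts.append({
                "ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                "object": ev["object"], "rows": ev["rows"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample, both exports through "My-Ticket-Portal" are flagged (unvetted app, authorized about a minute before the first pull), while the small export by the allowlisted Data Loader is not. In practice the same correlation belongs in the SIEM, keyed on the real connected-app identifier rather than a display name, and the allowlist should be enforced at the platform level (restricting which connected apps users may self-authorize) rather than only monitored after the fact.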
"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.
"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."
It is also believed that many of the group's members share their roots in another hacking group called Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of its members were arrested.
Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA.
Like Scattered Spider, Lapsus$ was also adept at social engineering and SIM swap attacks, allowing them to get past the IT defenses of billion- and trillion-dollar companies.
Over the past few years, there have been many arrests linked to all three collectives, so it is not clear whether the current threat actors are the original members, new ones who have picked up the mantle, or are simply using these names to plant false flags.