Voice Phishing Rattles Big Tech as ShinyHunters Strike Salesforce Systems
Another day, another breach. But this time, it’s the voice on the other end of the line — not malware or a rogue link — that’s doing the damage.
Tech titans Google and Cisco have confirmed recent CRM data breaches tied to voice phishing, or “vishing,” a form of social engineering that’s rapidly climbing the ranks of cyberattack tactics. The same method, used in both cases, exploited human error — not technical vulnerabilities — and gave cybercriminals access to customer information stored in Salesforce-based CRM systems.
And all signs point to the same familiar name behind the scenes: ShinyHunters — a group that’s been making a career out of breaching data, selling it, or using it for extortion.
The Vishing Playbook Is Getting Too Familiar
It’s not a new trick. But it’s one that keeps working.
Both breaches followed a similar pattern. Attackers — likely posing as internal staff or trusted vendors — called up employees, spun a believable story, and tricked them into giving up access credentials. Those credentials were then used to infiltrate Salesforce instances where customer data was stored.
Google said its breach happened in June, while Cisco reported discovering its own on July 24.
What’s alarming isn’t just that these giants were hit — but that the method was so low-tech.
What Kind of Data Was Exposed?
Thankfully, neither breach led to the exposure of passwords, financial information, or government IDs — but that doesn’t mean the leaks were harmless.
Here’s what each company reported:
-
Google: Contact information and notes related to small and medium businesses, stored in Salesforce. Mostly public-facing info — company names, phone numbers, business email addresses.
-
Cisco: Basic account profile data from users registered on Cisco.com. This includes names, emails, and other low-sensitivity fields.
But the concern isn’t just about what was taken. It’s what could be done next.
A cybersecurity analyst in New York explained: “These may seem like soft breaches. But attackers often chain data from multiple sources to build detailed profiles. That’s what fuels future attacks — including more vishing.”
Why CRM Systems Are Prime Targets Now
Cloud-based CRM platforms like Salesforce are gold mines for attackers. They hold customer names, emails, phone numbers, account histories — and sometimes more sensitive details depending on the company.
In many companies, CRM platforms aren’t monitored as tightly as core infrastructure. They’re often managed by sales or marketing teams, with weaker controls.
Here’s a quick look at why attackers love CRM data:
-
It’s centralized — one login can open thousands of customer profiles.
-
Access is often shared across large teams.
-
Security monitoring is usually lighter than in finance or HR systems.
-
The data is ideal for targeted phishing and fraud.
One cybersecurity executive summed it up: “CRMs are the low-hanging fruit that companies forget to lock up properly.”
Who Are the ShinyHunters, Anyway?
They’re not new to this scene.
ShinyHunters have been around since at least 2020. They’ve been tied to dozens of high-profile breaches — from Tokopedia and Wattpad to Microsoft and AT&T. Sometimes they steal and sell. Other times they extort.
The group operates largely on Telegram, BreachForums, and dark web marketplaces. But in recent months, investigators say they’ve become more tactical, focusing on high-value but less-defended systems — like CRM platforms.
One sentence here.
They don’t need ransomware. Just a voice and a target.
Who’s Next? Companies Urged to Re-Evaluate Their Frontlines
After these two high-profile disclosures, security experts are waving the red flag — again.
It’s not about firewalls or antivirus this time. It’s about people. Companies are being urged to:
-
Train staff on voice phishing detection
-
Require multi-factor authentication for CRM access
-
Limit CRM data access to only necessary roles
-
Monitor CRM systems for abnormal access or exports
And perhaps most crucially: build a culture where employees feel safe to double-check before giving access, even if the voice on the other end seems legit.
Here’s how tech firms typically fall short:
| Weak Point | Why It’s Risky | Suggested Fix |
|---|---|---|
| Trusting internal-sounding calls | Attackers spoof numbers, mimic jargon | Teach employees to verify through separate channels |
| Broad CRM access | Too many users = bigger breach window | Enforce least-privilege access |
| No MFA for CRM | Password alone is too easy to phish | Require MFA and location-based controls |
| Unmonitored data exports | Breaches go unnoticed | Set export limits and alerts |
A Google spokesperson emphasized they are “reviewing additional layers of verification for CRM access moving forward.”
Breach Fatigue Is Real — But So Is the Threat
It’s easy for the public to brush off these alerts now. Breaches happen almost weekly. A name here, an email there. It barely makes headlines anymore.
But the cumulative risk is growing.
CRM data, when cross-referenced with other leaks, lets cybercriminals:
-
Impersonate real businesses
-
Launch ultra-targeted phishing
-
Apply for fraudulent loans or services
And the tactics evolve fast. Today it’s vishing. Tomorrow it could be deepfake audio impersonations.
