Severity: critical
Records: 1,500,000
Vector: Social engineering targeting third-party CRM (Salesforce)
Organization: Allianz Life
Incident Date: 2025-07-16

What Happened

On July 16, 2025, threat actors gained unauthorized access to a Salesforce-hosted CRM system used by Allianz Life Insurance Company of North America through social engineering. The attack was detected the following day, July 17, and Allianz notified the Maine Attorney General’s Office that 1,497,036 individuals were affected, including customers, financial professionals, and some employees.

The breach is part of a larger campaign targeting companies using Salesforce-hosted databases. Other reported victims of the same campaign include Adidas, Cisco, Dior, Louis Vuitton, Google, and Air France/KLM.

Who Did It

The breach has been attributed to the Scattered Spider and ShinyHunters cybercrime groups, which appear to be collaborating. The groups created a Telegram channel called “ScatteredLapsuSp1d3rHunters” to claim credit for breaches and taunt researchers and law enforcement.

ShinyHunters subsequently leaked the stolen Salesforce databases, which contained approximately 2.8 million data records for individual customers and business partners. Analysis by Have I Been Pwned identified 1.1 million unique records within the leaked data, with 72% of the exposed email addresses already appearing in previously disclosed breaches.

Exposed Data

The breach exposed personal information including names, addresses, phone numbers, and dates of birth. Social Security numbers were confirmed in state filings, along with tax identification numbers for businesses and individuals. Professional details such as licenses, firm affiliations, and product approvals were also compromised, as were internal Allianz marketing classifications. The leak included 1.1 million unique email addresses.

How They Got In

The attackers used social engineering to gain access to the cloud-based Salesforce CRM system. The specific technique has not been publicly detailed, but Scattered Spider is known for phone-based social engineering (vishing) targeting IT help desks, SIM swapping to intercept MFA codes, and impersonation of employees to obtain credentials or bypass access controls.

Allianz’s internal IT and policy administration systems were not affected. The compromise was limited to the third-party CRM platform.

Timeline

Threat actors gained access to the Salesforce CRM via social engineering on July 16, 2025. Allianz detected the unauthorized access the next day. The FBI and regulatory authorities were notified in July 2025. ShinyHunters leaked the stolen databases publicly in late 2025, and a class action lawsuit investigation was announced in early 2026.

Company Response

Allianz Life detected the attack within approximately 24 hours of initial access. The company notified the FBI and regulatory authorities, engaged external cybersecurity experts for a forensic investigation, and is offering affected individuals two years of free identity theft restoration and credit monitoring through Experian. It also filed breach notifications with multiple state attorneys general.

What Organizations Should Do

Organizations using cloud-hosted CRM platforms should implement phishing-resistant MFA (FIDO2/WebAuthn) for CRM administrative access. Training help desk staff specifically on social engineering attacks targeting credential resets is critical. Monitoring for anomalous data exports from CRM systems, such as bulk record access and unusual query patterns, can help detect breaches early. Reviewing Salesforce sharing and export permissions and applying least privilege principles, implementing session controls and IP restrictions for CRM access, and ensuring CRM security is included in third-party risk assessments are all important steps.
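The export-monitoring recommendation above, as an added example that is not part of the original write-up: a small detector over CRM export audit records that flags oversized single exports, per-user volume over a sliding one-hour window, and off-hours exports. The CSV log format, the thresholds and the log lines are constructed assumptions, not Salesforce's real event schema.

```python
"""Detect anomalous bulk exports in a CRM audit log (added example).

The log format (timestamp,user,event,record_count) and all thresholds
are assumptions, not a real Salesforce schema; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-07-16T09:01:12Z,asmith,ReportExport,120
2025-07-16T09:15:40Z,asmith,ReportExport,95
2025-07-16T13:02:05Z,svc_marketing,ReportExport,400
2025-07-16T14:05:00Z,bwong,ReportExport,250000
2025-07-16T22:10:31Z,jdoe,ReportExport,30000
2025-07-16T22:12:02Z,jdoe,BulkApiQuery,45000
2025-07-16T22:14:47Z,jdoe,ReportExport,40000
2025-07-17T08:30:00Z,asmith,ReportExport,110
"""

SINGLE_EXPORT_LIMIT = 50_000        # assumed: records allowed in one export
WINDOW, WINDOW_LIMIT = timedelta(hours=1), 100_000  # assumed per-user hourly cap
BUSINESS_HOURS = range(6, 20)       # assumed: 06:00-19:59 UTC
OFF_HOURS_MIN = 1_000               # assumed: off-hours exports above this are suspicious


def parse_log(text):
    """Parse constructed CSV lines into (timestamp, user, event, count) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, count = line.split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, int(count)))
    return sorted(events)


def detect_anomalies(events):
    """Return sorted (user, reason) alerts: oversized single exports,
    per-user volume over a sliding one-hour window, and off-hours exports."""
    alerts = set()
    recent = defaultdict(deque)  # user -> deque of (ts, count) inside WINDOW
    for ts, user, _event, count in events:
        if count > SINGLE_EXPORT_LIMIT:
            alerts.add((user, "single export over limit"))
        if ts.hour not in BUSINESS_HOURS and count > OFF_HOURS_MIN:
            alerts.add((user, "off-hours export"))
        window = recent[user]
        window.append((ts, count))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # drop events older than the sliding window
        if sum(c for _, c in window) > WINDOW_LIMIT:
            alerts.add((user, "hourly volume over limit"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the thresholds would be derived from each user's or role's historical baseline rather than fixed constants, and the alerts routed to the SOC alongside help-desk credential-reset events.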