Insurance giant Allianz Life disclosed a data breach affecting approximately 2.8 million records after threat actors compromised a Salesforce-hosted CRM system through social engineering on July 16, 2025. The attack has been attributed to a collaboration between Scattered Spider and ShinyHunters, who are conducting a broader campaign targeting Salesforce instances across major enterprises.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Allianz Life Insurance Company |
| Records exposed | 2.8 million |
| Unique email addresses | 1.1 million |
| Attack vector | Salesforce OAuth social engineering |
| Threat actors | Scattered Spider + ShinyHunters (UNC6040) |
| Third-party platform | Salesforce CRM |
| Detection time | ~24 hours |
| Campaign scope | 91 organizations claimed |
Timeline
| Date | Event |
|---|---|
| July 16, 2025 | Threat actor gains unauthorized access via social engineering |
| July 17, 2025 | Allianz security teams detect intrusion, begin containment |
| August 2025 | ShinyHunters leaks stolen Salesforce databases |
| January 2026 | Public disclosure; class action lawsuit filed |
| January 2026 | Have I Been Pwned adds dataset |
The breach was detected within 24 hours—fast by industry standards—but the attackers had already exfiltrated the complete CRM database.
What was exposed
The leaked files include complete Salesforce “Accounts” and “Contacts” database tables:
Personal data
| Data Type | Affected |
|---|---|
| Names | Yes |
| Addresses | Yes |
| Phone numbers | Yes |
| Dates of birth | Yes |
| Social Security numbers | Yes |
| Tax identification numbers | Yes |
| Email addresses | 1.1 million unique |
Professional data
| Data Type | Affected |
|---|---|
| Professional licenses | Yes |
| Firm affiliations | Yes |
| Product approvals | Yes |
| Marketing classifications | Yes |
| Business partner records | Yes |
Have I Been Pwned analysis found 72% of exposed email addresses already appeared in prior breaches—common for business professionals who frequently appear in corporate data sets.
What was NOT compromised
Allianz confirmed its internal IT and policy administration systems were not affected:
| System | Status |
|---|---|
| Internal IT systems | Not compromised |
| Policy administration | Not compromised |
| Claims systems | Not compromised |
| Customer login credentials | Not compromised |
| Investment account details | Not compromised |
The breach was limited to the third-party Salesforce CRM environment.
Attack methodology
Threat actor collaboration
ShinyHunters told BleepingComputer that “ShinyHunters and Scattered Spider are now one and the same”:
“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
The attack chain
| Phase | Action |
|---|---|
| 1. Reconnaissance | Identify target employees with Salesforce access |
| 2. Social engineering | Voice phishing (vishing) and helpdesk impersonation |
| 3. OAuth exploitation | Convince employees to authorize malicious “Connected Apps” |
| 4. Token capture | Capture OAuth tokens that bypass MFA controls |
| 5. API access | Use Salesforce API with legitimate tokens |
| 6. Data exfiltration | Export large volumes of CRM data via API |
The attackers didn’t exploit technical vulnerabilities in Salesforce itself—they exploited human trust and OAuth’s design to gain legitimate API access.
Why OAuth bypass is effective
| Factor | Impact |
|---|---|
| MFA bypass | OAuth tokens work without additional MFA |
| Legitimate access | API calls appear authorized |
| Persistence | Tokens remain valid until revoked |
| Detection difficulty | Normal-looking API activity |
Part of a larger campaign
The Allianz breach is one incident in a coordinated campaign targeting enterprise Salesforce instances. In ransom messages, the threat actors claimed the campaign had compromised data from 91 organizations worldwide.
Known campaign targets
| Target | Industry | Status |
|---|---|---|
| Google (corporate Salesforce) | Technology | Claimed |
| Qantas | Airlines | Confirmed |
| Allianz Life | Insurance | Confirmed |
| LVMH | Luxury goods | Claimed |
| Chanel | Luxury goods | Claimed |
| Cartier | Luxury goods | Claimed |
| Tiffany & Co. | Luxury goods | Claimed |
| Louis Vuitton | Luxury goods | Claimed |
| Dior | Luxury goods | Claimed |
| Workday | Enterprise software | Claimed |
| Adidas | Retail | Claimed |
| Cisco | Technology | Claimed |
| Air France/KLM | Airlines | Claimed |
| Pandora | Jewelry | Claimed |
The same Scattered Spider + ShinyHunters collaboration is behind these attacks, using consistent social engineering techniques across targets.
Threat actor profile
Scattered Spider + ShinyHunters merger
| Attribute | Details |
|---|---|
| Also tracked as | UNC6040, UNC3944 |
| Specialization | Social engineering, vishing, helpdesk impersonation |
| Technique | OAuth token capture, SSO abuse |
| Monetization | Data theft, extortion, dark web sales |
| Previous campaigns | Snowflake (165+ organizations), MGM, Caesars |
ScatteredLapsuSp1d3rHunters channel
The groups created a Telegram channel called “ScatteredLapsuSp1d3rHunters” to taunt cybersecurity researchers, law enforcement, and journalists while claiming credit for high-profile breaches.
This collaboration mirrors the 2024 Snowflake campaign, where the same threat actors compromised over 165 organizations by stealing credentials and bypassing MFA through social engineering.
Legal action
A class action lawsuit was filed against Allianz Life alleging:
| Allegation | Details |
|---|---|
| Failure to protect data | Inadequate safeguards for customer information |
| NIST non-compliance | Practices fell short of Cybersecurity Framework standards |
| CIS Controls failure | Non-compliance with Critical Security Controls |
| Delayed notification | Insufficient timely notice to affected individuals |
The lawsuit seeks damages, restitution, and court-ordered improvements to Allianz’s data security systems.
Allianz’s response
| Action | Details |
|---|---|
| Law enforcement notification | FBI and regulatory authorities informed |
| Credit monitoring | Two years of free identity theft restoration and monitoring |
| Internal review | Security assessment underway |
| Containment | Breach contained within 24 hours of detection |
Risk assessment for affected individuals
SSN exposure severity
| Risk | Likelihood | Mitigation |
|---|---|---|
| Identity theft | High | Credit freeze, fraud alerts |
| Tax fraud | High | IRS Identity Protection PIN |
| Account takeover | Medium | MFA on all accounts |
| Targeted phishing | High | Verify all communications |
Professional data risks
| Risk | Concern |
|---|---|
| Business impersonation | Professional license data enables fraud |
| Targeted social engineering | Firm affiliations inform attack vectors |
| Competitive intelligence | Business relationships exposed |
Recommendations
For organizations using Salesforce
| Priority | Action |
|---|---|
| Critical | Implement phishing-resistant MFA (hardware keys, passkeys) |
| Critical | Require admin approval for new OAuth app connections |
| High | Monitor for bulk data exports via API |
| High | Train help desk staff on vishing tactics |
| High | Audit OAuth tokens regularly—revoke unnecessary Connected Apps |
| Medium | Implement Salesforce Shield for enhanced monitoring |
For affected individuals
| Priority | Action |
|---|---|
| Critical | Enroll in offered credit monitoring |
| Critical | Place fraud alerts or credit freezes (SSN exposure is serious) |
| High | Request IRS Identity Protection PIN |
| High | Watch for targeted phishing using leaked professional information |
| Ongoing | Monitor financial accounts for unauthorized activity |
Detection indicators
| Indicator | Meaning |
|---|---|
| New OAuth Connected Apps | Potential unauthorized access |
| Bulk API data exports | Data exfiltration |
| Unusual login locations | Compromised credentials |
| Help desk impersonation reports | Active social engineering |
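As an added example that is not part of the original article, the Python script below applies the three log-based indicators from the table above (and the monitoring items in the recommendations for Salesforce organizations) to constructed event records: an allowlist check for Connected Apps, a rolling one-hour row count per user for bulk API exports, and a country baseline for unusual login locations. The column names, allowlist, baseline countries and row threshold are all assumptions of this example, not Salesforce Event Monitoring field names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Connected Apps an admin has explicitly approved (assumed allowlist).
APPROVED_APPS = {"Internal Reporting", "Marketing Sync"}
# Countries this tenant's users normally log in from (assumed baseline).
EXPECTED_COUNTRIES = {"US", "DE"}
# Alert when one user pulls more than this many rows via the API in one hour.
BULK_ROWS_PER_HOUR = 100_000

# Constructed sample records loosely modelled on API/login event logs; the
# column names are this example's own, not Salesforce Event Monitoring fields.
SAMPLE_EVENTS = """\
timestamp,user,event,app,country,rows
2025-07-16T09:02:11Z,jdoe,login,,US,0
2025-07-16T09:05:40Z,jdoe,api,Internal Reporting,US,1200
2025-07-16T13:47:03Z,jdoe,oauth_authorize,Data Loader Helper,NL,0
2025-07-16T13:49:10Z,jdoe,api,Data Loader Helper,NL,60000
2025-07-16T14:02:55Z,jdoe,api,Data Loader Helper,NL,70000
2025-07-16T15:10:22Z,asmith,api,Marketing Sync,DE,500
"""


def detect(csv_text):
    """Return (user, indicator, detail) alerts for unapproved Connected Apps,
    bulk API exports and activity from an unexpected country."""
    alerts = []
    recent_api = defaultdict(list)  # user -> [(timestamp, rows)] in last hour
    for rec in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        user, app, rows = rec["user"], rec["app"], int(rec["rows"])
        # A new or unapproved Connected App authorizing or calling the API.
        if rec["event"] in ("oauth_authorize", "api") and app and app not in APPROVED_APPS:
            alerts.append((user, "unapproved_connected_app", app))
        # Any activity outside the baseline countries.
        if rec["country"] not in EXPECTED_COUNTRIES:
            alerts.append((user, "unusual_location", rec["country"]))
        # Rolling one-hour row total per user to catch bulk exports split
        # across several API calls.
        if rec["event"] == "api":
            window = recent_api[user]
            window.append((ts, rows))
            window[:] = [(t, r) for t, r in window if ts - t <= timedelta(hours=1)]
            total = sum(r for _, r in window)
            if total > BULK_ROWS_PER_HOUR:
                alerts.append((user, "bulk_export", f"{total} rows in 1h"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the second Data Loader Helper call pushes jdoe's one-hour total to 130,000 rows, so all three indicators fire for that user while asmith's approved, in-baseline activity raises nothing.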
Context
The Scattered Spider + ShinyHunters collaboration represents an evolution in cybercrime operations. By combining Scattered Spider’s social engineering expertise with ShinyHunters’ data exfiltration and monetization capabilities, the groups have created an efficient pipeline for compromising enterprise SaaS platforms.
The campaign’s success against 91 claimed organizations demonstrates that OAuth-based access and social engineering remain highly effective against enterprises with traditional security controls. Organizations should assume that sophisticated vishing attacks targeting help desks and OAuth abuse are now standard threats requiring dedicated defenses.
The Allianz breach specifically highlights the risks of third-party SaaS platforms holding sensitive customer data—even when an organization’s own systems remain secure, their data can be compromised through vendor relationships.