Salesforce Is the New Front Door. ShinyHunters Is Walking Through It.
The latest Sysco and Kodak breach claims should make every Salesforce customer stop pretending this is someone else’s problem.
Sysco has now been tied to three separate breach stories. First came the prior data breach that resulted in a class action settlement. Then came a Qilin ransomware claim. Now ShinyHunters is claiming more than 61 million Salesforce records. Kodak appears in the same pattern, with ShinyHunters claiming 2.2 million records and Kodak confirming unauthorized access to some data.
Different companies. Same uncomfortable lesson.
Attackers are not breaking Salesforce. They are getting people to let them in. Based on the public reporting around ShinyHunters, UNC6040, and recent Salesforce focused attacks, here is the most likely attack path.
Step 1. Pick a target with valuable Salesforce data
Salesforce is a treasure chest. It contains customers, contracts, sales histories, account notes, support records, employee names, supplier contacts, partner relationships, and internal business data. For Sysco, that could mean restaurants, hospitals, schools, hotels, government accounts, stadiums, casinos, and massive supplier relationships. For Kodak, it could mean B2B customer records, procurement data, corporate contacts, and supply chain intelligence.
This is not just data theft. It is fuel for the next hundred attacks.
Step 2. Call the employee
The attacker does not need a zero day. They need a phone number and confidence. The common ShinyHunters and UNC6040 pattern is vishing. Someone calls an employee while pretending to be IT support, Salesforce support, a security team member, or someone helping with an urgent system issue. The call sounds legitimate. The attacker knows names, systems, vendors, and enough internal language to pass the smell test.
Step 3. Create urgency
The story is always some version of this: Your Salesforce access needs to be fixed. Your account is being migrated. Your security profile needs to be updated. Your app connection failed. Your session expired. Your MFA needs to be revalidated.
The employee thinks they are helping IT. In reality, they are helping the attacker.
Step 4. Push the employee to approve access
This is the critical moment. The attacker guides the victim to approve a malicious connected app, often disguised as a Salesforce utility such as Data Loader. The app may look familiar. The screens may look legitimate. The user may believe this is normal IT work.
Once the employee approves the connected app, the attacker receives OAuth access. That is the magic key.
Step 5. Use Salesforce APIs to export data
Now the attacker does not need to sit inside a browser clicking through records. They can use APIs to query and export data at scale. Thousands, millions, or tens of millions of records can be pulled depending on the permissions granted and the controls in place.
To many security tools, this may look like app activity. That is what makes it so brutal. The attacker is not smashing a window. They are using a key the company helped issue.
Step 6. Extort the company
After the data is copied, the victim gets the threat. Pay, or the data gets leaked. If the data includes customer records, employee records, commercial relationships, procurement contacts, or partner data, the damage multiplies quickly.
For Sysco, the downstream risk is enormous. Criminals can use the data for business email compromise, supplier fraud, customer impersonation, invoice scams, phishing, and attacks against food service customers. For Kodak, the risk is similar across enterprise customers, suppliers, and corporate relationships.
This is why these breaches are so bad. The stolen data does not just hurt the company that lost it. It becomes an attack map for everyone connected to that company. And here is the part no one wants to say out loud. This was foreseeable.
Salesforce already supports and encourages phishing resistant authentication and biometric assured identity. WebAuthn security keys are not science fiction. FIDO2 is not experimental. Biometric assured identity is not some future concept waiting for a standards committee. Token devices work out of the box with Salesforce.
Most enterprise security leaders know this. They know SMS codes can be phished. They know authenticator apps can be relayed. They know push approvals can be manipulated. They know help desks can be fooled. They know connected app approval is a dangerous human decision point.
Yet, some still delay. They run another pilot. They schedule another architecture review. They wait for next quarter. They decide the old MFA stack is probably good enough for a little longer... Then ShinyHunters calls. This is the result.
Token would have stopped the front door attack cold.
Token provides biometric assured identity using hardware bound, phishing resistant FIDO2 authentication. A TokenCore Portable, TokenCore Wearable, or TokenCore Node requires the right human fingerprint, the right physical device, and the right cryptographic origin. There is no SMS code to steal. No authenticator code to relay. No push prompt to trick someone into approving. No password that becomes useful by itself.
If an attacker sends a spoofed login page, Token will not authenticate to the fake domain.
If an attacker tries a real time relay, Token will only sign for the legitimate origin.
If an attacker steals a password, it is useless.
If an attacker steals the Token device, it is useless without the enrolled fingerprint.
If an attacker calls the help desk pretending to be an employee, they still cannot become that employee.
This is the difference between legacy MFA and biometric assured identity. Legacy MFA asks, did someone approve the login? Token asks, is this the right verified human, using the right hardware, at the right origin?
For Salesforce, that distinction is everything.
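The origin binding behind those five "if an attacker" lines is a property of WebAuthn/FIDO2 itself, and the relying party can check it directly. The following is an added example, not code from the original post or from Token: a server-side verification of the WebAuthn clientDataJSON and the rpIdHash, run against a constructed genuine assertion and a constructed one from a look-alike domain. The origin and RP ID are hypothetical.

```python
import base64
import hashlib
import json
import secrets

# Hypothetical relying-party configuration: the only origin this server accepts.
EXPECTED_ORIGIN = "https://login.example-corp.com"
EXPECTED_RP_ID = "login.example-corp.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_origin: str = EXPECTED_ORIGIN):
    """Relying-party checks on clientDataJSON. The browser writes 'origin' from the
    page that called navigator.credentials.get(), and the authenticator signs over
    the hash of this JSON, so a spoofed or relaying page on another domain produces
    a different origin and the assertion is rejected here even if the user was fooled."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or relayed response)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')}"
    return True, "ok"

def verify_rp_id_hash(auth_data: bytes, expected_rp_id: str = EXPECTED_RP_ID) -> bool:
    """authenticatorData starts with SHA-256(rpId); the authenticator scopes the
    credential to that RP ID, so a key registered for the real domain never
    produces a matching hash for a look-alike domain."""
    return auth_data[:32] == hashlib.sha256(expected_rp_id.encode()).digest()

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for what a browser produces during a get() ceremony."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def demo():
    challenge = b64url_encode(secrets.token_bytes(32))  # fresh per login attempt
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    spoofed = make_client_data("https://login.example-corp-support.com", challenge)
    return verify_client_data(genuine, challenge), verify_client_data(spoofed, challenge)
```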
To be clear, companies still need to govern Salesforce connected apps. They should restrict OAuth approvals, monitor API exports, limit permissions, review installed apps, and kill suspicious tokens. But those controls are not a substitute for assured identity. They are cleanup and containment. Token stops the easiest first move, the human compromise that starts the whole chain.
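One way to put the "monitor API exports" and "review installed apps" controls into practice, as an added example that is not from the original post or from Token: it scans constructed log lines in the shape of a Salesforce EventLogFile API export (the column names are an assumption to check against your org's event log fields) and flags users pulling bulk data through a connected app that is not on the admin's approved list, which is exactly the look-alike Data Loader plus mass-export pattern described in Steps 4 and 5.

```python
import csv
import io
from collections import defaultdict

# Constructed sample modelled on a Salesforce EventLogFile "API" event export.
# Column names are an assumption; confirm them against your org before use.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-11-03T09:01:00Z,005AAA,Salesforce Mobile,Opportunity,40
2025-11-03T09:02:00Z,005BBB,DataLoader Utility,Account,2000
2025-11-03T09:02:30Z,005BBB,DataLoader Utility,Contact,2000
2025-11-03T09:03:00Z,005BBB,DataLoader Utility,Contact,2000
2025-11-03T09:04:00Z,005CCC,Sales Analytics,Account,500
"""

# Connected apps an admin has reviewed and pre-authorized (constructed list).
# Note the look-alike name in the log: "DataLoader Utility" is not "Data Loader".
APPROVED_APPS = {"Salesforce Mobile", "Sales Analytics", "Data Loader"}

def find_suspicious_exports(log_text, approved_apps=APPROVED_APPS, row_threshold=1000):
    """Aggregate API rows read per user through apps outside the approved list and
    return only users above row_threshold. Two signals together: an unsanctioned
    connected app and bulk extraction across objects such as Account and Contact."""
    totals = defaultdict(lambda: {"rows": 0, "apps": set(), "objects": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["CLIENT_NAME"]
        if app in approved_apps:
            continue  # sanctioned app; still worth volume alerting, but not this rule
        rec = totals[row["USER_ID"]]
        rec["rows"] += int(row["ROWS_PROCESSED"])
        rec["apps"].add(app)
        rec["objects"].add(row["ENTITY_NAME"])
    return {user: rec for user, rec in totals.items() if rec["rows"] > row_threshold}

if __name__ == "__main__":
    for user, rec in find_suspicious_exports(SAMPLE_LOG).items():
        print(f"ALERT user={user} rows={rec['rows']} apps={sorted(rec['apps'])} "
              f"objects={sorted(rec['objects'])}")
```

A hit is the trigger for the containment steps above: revoke the OAuth token for that connected app, then review which user approved it and when.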
The uncomfortable truth is simple: these attacks are not sophisticated because the technology is brilliant. They are effective because enterprise authentication is still weak where it matters most. Legacy MFA is compromisable by teens. With a $200 kit. And a phone call. Every hour. Every day.
ShinyHunters does not need to defeat Salesforce. They need to defeat a person.
Token removes that person as the weak link. No biometric match. No valid domain. No physical device. No login.
That is how Salesforce access should work now. Not someday. Now.
Because every identity leader already knows the old model is broken. The attackers know it too. And they are proving it one Salesforce breach at a time. When is your time up?