ShinyHunters' cloud-data-platform pivot: Snowflake to Salesforce, 2024–2026
Author: Thomas Malinowski
Published: 2026-05-16
Status: OSINT synthesis, primary sources cited inline
Tags: ShinyHunters, UNC5537, Snowflake, Salesforce, eCrime, infostealer, OAuth, McGraw Hill
Bottom line up front
Between mid-2024 and early 2026, the financially-motivated cybercrime collective tracked as ShinyHunters (and its sub-cluster UNC5537 in Mandiant's reporting) executed two of the largest eCrime campaigns of the decade — both targeting cloud data platforms rather than on-premises infrastructure, and both operationally enabled by the existing infostealer-credential underground rather than by novel capability. The sequence:
- Mid-2024: Compromise of ~165 Snowflake customer tenants, driving the year's biggest data-breach headlines: Ticketmaster, Santander, AT&T (call/SMS metadata for ~109M subscribers), Neiman Marcus, Advance Auto Parts, Pure Storage, Cylance.
- Late 2025 – early 2026: Compromise of dozens of Salesforce customer tenants via OAuth-app social engineering and misconfigured public-facing Salesforce sites. Confirmed victims on the operators' own leak-site include Disney/Hulu, Toyota, Adidas, FedEx, Marriott, Google, Cisco, McDonald's, Walgreens, HBO Max, Cartier, Air France-KLM, IKEA, TransUnion (4.4M records of U.S. consumers), and McGraw Hill (13.5M user-account records).
This piece argues two things:
- The Snowflake-to-Salesforce sequence is not opportunistic victim-of-the-month behaviour. It is a deliberate playbook — compromise the aggregator of customer data rather than each customer separately — that ShinyHunters will continue to apply to whichever cloud data platform is next in line.
- The defensive lessons from the Snowflake wave were available eighteen months before the Salesforce wave hit. Most of the 2025-2026 Salesforce victims had access to those lessons and did not apply them.
The implication for any organization sitting on a Salesforce, BigQuery, Databricks, or comparable customer-data aggregation platform is direct.
The Snowflake wave (April – June 2024)
Mandiant's UNC5537 reporting, Snowflake's own statement, and the DOJ's October 2024 indictment of Connor Riley Moucka ("Judische") together paint a clean picture of the campaign:
- No Snowflake-side compromise. Snowflake's own infrastructure was not breached. Every UNC5537 intrusion was a customer-tenant compromise, achieved by replaying valid customer credentials.
- Credentials sourced from the infostealer underground. Many of the credentials replayed in the campaign were dated — in some cases, four years old — sourced from Vidar, Lumma, RedLine, Raccoon, and Risepro infostealer logs collected via commodity Telegram-channel marketplaces. The credentials worked because the affected tenants had not enforced multi-factor authentication.
- Bulk exfiltration. Once authenticated, operators ran SQL queries to enumerate database schema, then bulk-exported customer tables via Snowflake's standard COPY INTO to attacker-controlled cloud storage.
- Extortion. Victims received emails demanding $300k-$5M to prevent leak-site publication. A subset paid. The rest had their data published on BreachForums and similar.
The headline numbers were large. ~165 customer tenants were breached. AT&T paid an estimated $370k. Ticketmaster's 560M-record breach drove congressional attention. Santander's 30M-customer breach reached three countries. The downstream PR and legal cost of the campaign across all victims is plausibly in the low billions of dollars.
The defensive lesson in one sentence: Cloud data platforms require MFA on every account, no exceptions, even — especially — service and integration accounts.
The Salesforce wave (mid-2025 – present)
The 2025-2026 Salesforce campaign, claimed by a self-styled "Scattered Lapsus$ Hunters" umbrella that explicitly merges ShinyHunters with Scattered Spider and Lapsus$ branding, applied the same thesis — compromise the aggregator — through a different technique:
- Initial vector: malicious OAuth app + voice-phishing. Operators contacted the IT or sales-operations help-desk of a target organization and social-engineered an employee into authorising a malicious OAuth application against the organization's Salesforce instance. The OAuth grant gave the application broad data-read scope — enough to walk the entire Salesforce object model and bulk-extract Account, Contact, Lead, and Case data.
- Initial vector (alt): public-facing Salesforce misconfiguration. A second sub-set of victims (McGraw Hill is the public example) had Salesforce-hosted webpages misconfigured to expose internal data via public URLs, enabling extraction without any authentication step at all.
- Bulk exfiltration via legitimate APIs. Operators used Salesforce's Bulk API (which the granted OAuth scope permits) to extract gigabytes of customer-relationship data per victim.
- Extortion via dedicated leak site. In October 2025 the collective launched a Salesforce-themed data-leak site ("Trinity of Chaos") publicly listing 39 victim companies. The U.S. government subsequently seized the leak-site domain in late 2025. The operators rebuilt; victims continued to be added through Q1 2026.
Operationally and strategically, the 2025-2026 Salesforce wave is the same playbook as the 2024 Snowflake wave with the initial access primitive swapped from "credential replay" to "OAuth grant abuse." Everything else — the bulk exfil via legitimate API, the leak-site extortion, the brand-merging, the infostealer-supply-chain enablement — carries forward.
Why the playbook keeps working
Three structural reasons, in increasing order of how much they should bother defenders:
- Cloud data platforms tend to expose powerful APIs by default. Snowflake's COPY INTO, Salesforce's Bulk API, BigQuery's BigQuery Data Transfer, Databricks' SQL warehouse external-table writes — every modern customer-data platform has a legitimate, well-documented "extract everything to my own bucket" primitive. By design. The primitive is not a security failure; the absence of meaningful gates around the primitive is.
- The credential-supply chain is healthier than the defender-supply chain. Infostealer logs are aggregated, indexed, and resold on a daily cadence by a multi-billion-dollar cybercrime ecosystem. Defenders' ability to detect that their own users' credentials have appeared in those logs — and rotate them before the credentials are weaponised — lags the supply chain by weeks.
- OAuth is the new password. Most large organizations have spent the last decade hardening their password and MFA posture. Most have not spent the last decade hardening their OAuth-application catalogue. The result is that an operator who cannot phish a password-and-MFA pair often can phish an OAuth grant — and the OAuth grant is broader, longer-lived, and in many tenants subject to no review process at all.
Defender takeaways
For any organization operating a customer-data aggregation platform:
- Enforce MFA on every authentication path, including integration and service accounts. This is the Snowflake lesson. It is two years old. It is still the single highest-leverage control.
- Build an OAuth application review programme. Inventory every third-party application granted to your tenant. Review the inventory quarterly. Auto-revoke unused grants. Block end-user OAuth consent for unverified publishers (Microsoft Entra User consent settings → "Do not allow user consent"; Salesforce equivalents exist).
- Treat infostealer log discovery as a tenant-wide credential incident. Subscribe to a feed (Hudson Rock, IntSights, Recorded Future) that alerts when your domain appears in stealer-log marketplaces. When it does, force a tenant-wide credential rotation and OAuth-token revocation, not a single-user reset.
- Audit the public-facing surface of your customer-data platform. McGraw Hill's exposure was via a misconfigured public Salesforce page — no credential or OAuth grant required. Salesforce, ServiceNow, Atlassian Confluence Cloud, and SharePoint Online all support public-facing exposure modes. Inventory yours. Test from an unauthenticated browser.
- Rate-limit your bulk-export APIs at the platform level where possible. A 100GB Salesforce Bulk API extraction to an unfamiliar destination, completed by a single OAuth grant in a single session, is investigable as a matter of routine if the platform's audit log is being read.
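The routine investigation the last point describes, as an added example that is not part of this write-up: bulk-export job records are aggregated per connected app and session and flagged when the session volume crosses a threshold, the app is missing from the approved OAuth inventory, or the requesting source IP (the nearest proxy for "destination" when an API client pulls data) lies outside known integration egress. The audit records and their field names are constructed for illustration and are not Salesforce's actual Event Monitoring schema.

```python
from collections import defaultdict

# Constructed sample records: one row per completed bulk-export job. Field names
# are an assumption for illustration, not the real Salesforce Event Monitoring schema.
GIB = 1024 ** 3
SAMPLE_EVENTS = [
    # Routine nightly CRM sync: approved app, known egress IP, modest volume.
    {"client_id": "app-crm-sync", "session": "s1", "user": "svc-crm", "src_ip": "203.0.113.10", "bytes": 2 * GIB},
    # Unapproved connected app pulling 40 GiB across three jobs from an unknown address.
    {"client_id": "app-lead-enrich", "session": "s2", "user": "jdoe", "src_ip": "198.51.100.7", "bytes": 15 * GIB},
    {"client_id": "app-lead-enrich", "session": "s2", "user": "jdoe", "src_ip": "198.51.100.7", "bytes": 15 * GIB},
    {"client_id": "app-lead-enrich", "session": "s2", "user": "jdoe", "src_ip": "198.51.100.7", "bytes": 10 * GIB},
    # Approved BI export from a known host that is simply far larger than the threshold.
    {"client_id": "app-bi-export", "session": "s3", "user": "svc-bi", "src_ip": "203.0.113.11", "bytes": 12 * GIB},
]

APPROVED_CLIENTS = {"app-crm-sync", "app-bi-export"}   # the reviewed OAuth app inventory
KNOWN_EGRESS = {"203.0.113.10", "203.0.113.11"}          # hosts integrations normally run from
SESSION_THRESHOLD = 10 * GIB                              # volume that should be looked at


def find_suspicious_exports(events, approved=APPROVED_CLIENTS,
                            known_ips=KNOWN_EGRESS, threshold=SESSION_THRESHOLD):
    """Aggregate export volume per (connected app, session); return flagged sessions with reasons."""
    totals = defaultdict(lambda: {"bytes": 0, "jobs": 0, "ips": set(), "user": None})
    for e in events:
        t = totals[(e["client_id"], e["session"])]
        t["bytes"] += e["bytes"]
        t["jobs"] += 1
        t["ips"].add(e["src_ip"])
        t["user"] = e["user"]
    findings = []
    for (client, session), t in totals.items():
        reasons = []
        if t["bytes"] >= threshold:
            reasons.append(f"{t['bytes'] / GIB:.0f} GiB over {t['jobs']} job(s) in one session")
        if client not in approved:
            reasons.append("connected app not in approved OAuth inventory")
        unknown = t["ips"] - known_ips
        if unknown:
            reasons.append(f"source IP outside known egress: {', '.join(sorted(unknown))}")
        if reasons:
            findings.append({"client_id": client, "session": session, "user": t["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"[{f['session']}] {f['client_id']} as {f['user']}: " + "; ".join(f["reasons"]))
```

Tune the threshold and allowlists to the tenant's own baseline; the point is that a single session moving tens of gigabytes through one grant stands out without any attacker-specific signature.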
Strategic outlook
- High confidence that the Scattered Lapsus$ Hunters collective will run a third major cloud-data-platform wave within twelve months. The candidates worth watching, in rough order of plausibility based on aggregator scale and default-OAuth posture: BigQuery, Databricks, ServiceNow, HubSpot, Atlassian Confluence Cloud.
- Moderate confidence that the brand-merging trend ("Scattered Lapsus$ Hunters") will continue and that future waves will involve operator personnel that today identify with three or four different historical brand names. The generation of operators who came of age in 2020-2022 does not have strong loyalty to any particular brand and treats brand identity as marketing.
- High confidence that the law-enforcement response (DOJ indictments, multi-jurisdiction arrests of named individuals, domain seizures) will not reduce the rate of incidents before mid-2026 at minimum. The 2024 arrests of Moucka, Binns, and Raoult did not prevent the 2025-2026 Salesforce wave; the June 2025 French arrests did not prevent the McGraw Hill incident a few months later. The brand survives the operator.
References
- Google Cloud / Mandiant. UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. 10 June 2024. https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
- U.S. Department of Justice. Canadian Man Charged in Snowflake Extortion Conspiracy. 4 November 2024. https://www.justice.gov/usao-wdwa/pr/canadian-man-charged-snowflake-extortion-conspiracy
- BleepingComputer. ShinyHunters launches Salesforce data leak site to extort 39 victims. 6 October 2025. https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/
- Recorded Future News. McGraw Hill data leak tied to Salesforce misconfiguration. 16 April 2026. https://therecord.media/mcgraw-hill-data-leak-tied-to-salesforce-misconfiguration
- The Register. McGraw Hill linked to 13.5M-record data leak. 16 April 2026. https://www.theregister.com/2026/04/16/mcgraw_hill_salesforce/
- Fox News. TransUnion becomes latest victim in major wave of Salesforce-linked cyberattacks; 4.4M Americans affected. 2025. https://www.foxnews.com/tech/transunion-becomes-latest-victim-major-wave-salesforce-linked-cyberattacks-4-4m-americans-affected
- DarkReading. Feds Shutter ShinyHunters Salesforce Extortion Site. https://www.darkreading.com/cyberattacks-data-breaches/shinyhunters-feds-shutter-salesforce-extortion-site