If you haven’t read the threat intelligence breakdown of the ShinyHunters Salesforce campaign, start there. This article assumes you know what happened and focuses on what to do about it. ...
ShinyHunters didn’t hack Salesforce. That distinction matters. Across three separate campaigns spanning mid-2025 through early 2026, the group — tracked by security researchers as UNC6040 and UNC6395 — systematically exploited how organizations configure, connect, and authenticate into Salesforce. The platform’s infrastructure was never the vulnerability. The integrations, the OAuth flows, and the guest user permissions were. ...