What do Google, Adidas, and Qantas Airlines have in common?
All of them were breached in the last three months by the same group of threat actors using the same method.
How were hackers (specifically a group called ShinyHunters) able to breach big brands without much technical magic? What do these breaches tell us about cybersecurity basics?
Let us explore in this edition of the Journal.
High-profile companies across industries
The following is a list of some of the high-profile companies, across industries from technology to fashion, that were breached over the last three months:
- Adidas
- Qantas Airlines
- Louis Vuitton
- Allianz Life
- Tiffany & Co
- Chanel
- Workday (customers include 11k organizations, 60% of Fortune 500 companies)
- Pandora
- Cisco
- Air France-KLM
- and others
When it comes to cyberattacks on small and medium-sized businesses, the challenge is relatively obvious: they don’t have the people, technology, budget, and resources to detect and respond to breaches.
But every time a high-profile company is breached, cybersecurity experts scratch their heads trying to work out how attackers cracked supposedly impenetrable defenses built from some of the best people and technology.
How did the attackers steal data without performing much technical wizardry?
The attacks did not use any technically complex method; they relied on basic social engineering that bypassed technical controls and misled users into granting permissions.
They hinge on OAuth tokens: users are fooled into authorizing a malicious app disguised as a legitimate one, which hands the attackers that app's permissions. Attackers started with small queries to avoid getting caught, then moved on to bigger queries and stole massive quantities of data.
Because the attack exploits no technical flaw, it trips no technical safeguard and sidesteps controls such as MFA. That makes it more dangerous than even some of the most sophisticated attacks.
How were the attacks carried out?
- Attackers used voice phishing, other social engineering methods, and Salesforce's feature for connecting external apps.
- They instructed the targeted users (employees of English-speaking multinationals) to follow their instructions immediately for supposedly urgent troubleshooting.
- The victims were then directed to the authorization page (Salesforce Connect), where they were asked to enter the 8-digit Salesforce Connect code.
- This authorized a malicious OAuth app controlled by the attackers. In most cases it was a trojanized version of the Salesforce Data Loader tool, often presented as "My Ticket Portal" to look legitimate.
- Attackers then gained API-level access to Salesforce data.
- They could then query and export data (customer profiles, contact lists, internal business data) in large volumes.
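The sequence above (a connected app nobody inventoried, then API calls that start small and ramp into bulk exports) is detectable from API event logs. The following is an added example, not code from the original article or from Salesforce: the event records are constructed to mimic API event log fields, and the allowlist, 24-hour window, row threshold and ramp factor are assumptions a team would tune to its own org.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) shaped like Salesforce API
# event log fields: timestamp, user, connected app display name, rows returned.
SAMPLE_EVENTS = [
    ("2025-08-01T09:00:00Z", "alice@example.com", "Data Loader", 500),
    ("2025-08-01T09:05:00Z", "alice@example.com", "Data Loader", 800),
    ("2025-08-02T10:01:00Z", "bob@example.com", "My Ticket Portal", 10),
    ("2025-08-02T10:20:00Z", "bob@example.com", "My Ticket Portal", 200),
    ("2025-08-02T11:05:00Z", "bob@example.com", "My Ticket Portal", 50_000),
    ("2025-08-02T11:40:00Z", "bob@example.com", "My Ticket Portal", 250_000),
]

# Assumed allowlist: apps the org has deliberately approved and inventoried.
KNOWN_APPS = {"Data Loader"}

def find_suspicious_apps(events, known_apps=KNOWN_APPS,
                         window=timedelta(hours=24),
                         row_threshold=100_000, ramp_factor=10):
    """Flag connected apps that are not allowlisted, export at least
    `row_threshold` rows within `window` of first being seen, and ramp
    from a small first call to a final call `ramp_factor` times larger
    (the small-then-big query pattern described above)."""
    per_app = defaultdict(list)
    for ts, user, app, rows in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_app[app].append((when, user, rows))
    flagged = {}
    for app, calls in per_app.items():
        if app in known_apps:
            continue
        calls.sort()  # chronological order
        first_seen = calls[0][0]
        in_window = [c for c in calls if c[0] - first_seen <= window]
        total = sum(rows for _, _, rows in in_window)
        ramped = in_window[-1][2] >= ramp_factor * max(in_window[0][2], 1)
        if total >= row_threshold and ramped:
            flagged[app] = {
                "first_seen": first_seen.isoformat(),
                "users": sorted({user for _, user, _ in in_window}),
                "rows": total,
            }
    return flagged

if __name__ == "__main__":
    for app, info in find_suspicious_apps(SAMPLE_EVENTS).items():
        print(f"ALERT: new connected app {app!r} exported {info['rows']} rows "
              f"by {', '.join(info['users'])} since {info['first_seen']}")
```

Because the malicious app here was a trojanized Data Loader, a production rule should key the allowlist on the app's identifier (its consumer key) rather than on the display name used in this illustration.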

Lessons from the Salesforce-specific data breaches of high-profile companies
Lesson 1: Nobody is safe, even big companies
Even high-profile organizations are vulnerable to data breaches. Despite having the best technology and people, they remain vulnerable to non-technical, unsophisticated attacks based purely on social engineering.
Lesson 2: To err is human, to not prioritize training is a mistake
An organization might implement all the recommended controls and even run training sessions on the importance of MFA, while its employees remain unaware of how cybercriminals use social engineering to bypass MFA. Training that covers the control but not the attacker's tactics leaves that gap open.
Lesson 3: Compliance doesn’t mean security
Organizations often focus on compliance-specific audits and checklists while overlooking human awareness. Passing an audit shows the controls exist on paper, not that the people operating them can withstand an attack like this one.
Lesson 4: A crack in the defense wall is all that is needed
Attackers often target common weaknesses in third-party environments. Third-party risks must therefore be addressed proactively and on a regular basis, not treated as just another annual compliance exercise. See how you can prioritize third-party risk management (TPRM).
Lesson 5: Risks can domino into non-compliance
Despite dedicated efforts to comply with regulations, a single instance of human error can lead to non-compliance, for example when an employee mistakenly enters organizational data (company secrets) into a Gen AI-based chatbot.