
ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern.

  • Writer: Patrick Duggan
  • 19 minutes ago
  • 6 min read

ShinyHunters, or whoever is using the ShinyHunters name, has hit six named companies in the last seven days. The attack chain is the same in every case. A help desk gets a phone call from someone claiming to be an employee. The caller asks for an MFA reset on the employee's Okta single sign-on. The help desk obliges. The attacker logs in, walks into the company's Salesforce instance, and exports the customer file as a CSV. By the time anyone notices, the data is on a Tor leak site and the extortion note is in the CISO's inbox.


  • April 19 — Vercel, claimed by ShinyHunters, attribution disputed by Mandiant as likely imposter.
  • April 20 — ADT, ten million records claimed.
  • April 24 — Inditex (Zara's parent), nine million records.
  • April 24 — Kemper Corporation, thirteen million records, twenty-nine gigabytes.
  • April 24 — Amtrek, two point one million records.
  • April 24 — APTIM, claimed by an adjacent group called CoinbaseCartel.


That is six victim disclosures across seven days. The five we attribute to the ShinyHunters cluster (excluding APTIM, which is CoinbaseCartel) all share the same M.O.: help desk vishing → Okta MFA reset → Salesforce CSV export. Mandiant tracks this attack family under UNC6040.


The pattern is durable. We have written before about how this chain works in "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." and again in our "Lynx Was in Our Feed 43 Days Before ACN Healthcare Got Hit" receipts piece. Now we are publishing the forward-looking piece. Here are the ten organizations that fit the victim profile and have not yet been publicly hit.


The victim profile is specific. A consumer-facing brand. A large customer database, eight figures of records or more. Salesforce as the customer-relationship management system of record. Okta as the single sign-on provider. A help desk that takes phone calls and processes MFA resets without out-of-band verification. A security team that has not yet run a tabletop on this exact attack chain. We are publishing the list because the only way ShinyHunters' run gets interrupted is if the next ten targets read this post and prepare before the call comes.


In rough order of fit to the pattern, these are the ten organizations we believe are most exposed.


One. T-Mobile. Roughly one hundred million customer records. Confirmed Salesforce customer per public case studies. Okta-class identity provider. T-Mobile has been breached at this scale before — fifty-three million records in 2021, thirty-seven million in 2023. The customer file is the largest single dataset on the consumer-telecom market and has been targeted repeatedly. If ShinyHunters runs the playbook, T-Mobile is the trophy.


Two. Verizon. Same shape as T-Mobile. Public Salesforce reference customer. Identity infrastructure that includes Okta-equivalent SSO. Roughly one hundred forty million customer accounts. Verizon's enterprise side runs MyOnePOS on Salesforce. The consumer side is a Salesforce Service Cloud deployment per the Salesforce customer success page. One vish into a help desk seat with the right access scope and the customer file is exposed.


Three. American Express. A hundred and forty million card members worldwide. Salesforce Financial Services Cloud per Salesforce's published financial-services case studies. Mandatory Okta-class SSO for the card-services workforce. AmEx has been notably restrained about public breach disclosure historically, but the data shape — name, card number patterns, behavioral data — is exactly what the ShinyHunters extortion model monetizes.


Four. Comcast / Xfinity. Thirty-two million broadband subscribers, plus mobile. Public Salesforce customer per documented case studies. Help-desk-heavy operations because cable internet support is one of the largest call-center workforces in the United States. Each of those help desk seats is an attack surface.


Five. Chick-fil-A. Sixty million Chick-fil-A One loyalty members. Confirmed Salesforce Marketing Cloud customer per Salesforce's own published case studies. Quick-serve restaurants are an underrated ShinyHunters-class target because the loyalty data they hold — names, phone numbers, ordering history, location patterns — is fresh and high-fidelity.


Six. Dollar General. Ninety million DG Cash loyalty members. Salesforce Marketing Cloud and Service Cloud customer per public references. Brick-and-mortar retail with a heavy field workforce that includes regional managers with elevated CRM access. Large, widely distributed organizations fit the profile better than small, nimble ones, and Dollar General is large.


Seven. Coca-Cola. Salesforce reference customer at the global level. Loyalty programs and franchise-bottler data flows that touch hundreds of millions of consumers. Coca-Cola also previously had a ShinyHunters incident in 2024 — one of the prior cases that built the brand reputation. They are a known-quantity target for whoever is using the name now.


Eight. JetBlue. Roughly forty million TrueBlue loyalty members. Salesforce Service Cloud customer per the published case studies. Airline customer files contain travel patterns, contact info, and frequent-flyer numbers that monetize quickly on the ID-fraud market. Airlines have been getting hit consistently in 2025 and 2026 — Air France, Lufthansa Group, Ryanair-adjacent hits. JetBlue is the consumer-friendly carrier with the cleanest Salesforce footprint left.


Nine. Spotify. Over six hundred million monthly active users, Salesforce reference customer for the marketing side. Music-platform customer data combined with payment metadata and listening patterns is an unusual but valuable extortion-target dataset. Spotify has been historically restrained on disclosure too, which makes them an attractive extortion target — quiet incidents pay better than loud ones.


Ten. Target. Roughly one hundred million Circle loyalty members. Public Salesforce Customer 360 deployment. Target was the canonical retail breach in 2013 (forty million card numbers via HVAC vendor pivot) and has invested heavily in security since, but Salesforce-via-Okta is a different kill chain than the 2013 one and the customer file size is the same shape. The trophy value of a second Target breach is high enough to motivate a vishing campaign on the help desk.


We are deliberately publishing this list. Half of the people reading it are going to think we are reckless for naming companies. The other half are going to share it inside their organization with the CISO and the help desk director and start running the tabletop. We prefer the second half.


What every one of these ten companies should do this week, in order of cost.


The cheapest fix is a help desk policy update. No MFA reset over a phone call, ever, without an out-of-band verification step that is not the phone number on the account. The fix costs a half-hour staff meeting. The cost of skipping it is what ADT, Inditex, Kemper, and Amtrek will collectively spend on incident response and customer notification in the next six months.


The medium-cost fix is Salesforce-side. Restrict bulk export permissions to a small named group of accounts. Require approval workflows for exports above a row threshold. Enable Salesforce Shield with event monitoring on the bulk-API export endpoint. None of those require a vendor change. They require an admin willing to make Salesforce slightly less convenient for legitimate users in exchange for being significantly less convenient for attackers.
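The medium-cost fix has a detection counterpart: watch the bulk export audit trail and correlate it with help desk MFA resets. The following is an added example, not code from this post or from Salesforce or Okta. It runs over constructed sample log lines; the Okta event type strings and the EventLogFile-style column names are assumptions and should be checked against your own tenant's logs.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed Okta System Log entries (sample data, not from any real tenant).
# The eventType values are an assumption about Okta's naming; verify locally.
OKTA_LOG = [
    {"published": "2026-04-24T09:12:00Z", "eventType": "user.mfa.factor.reset_all",
     "target_login": "j.doe@example.com", "channel": "helpdesk-phone"},
    {"published": "2026-04-22T14:00:00Z", "eventType": "user.session.start",
     "target_login": "a.smith@example.com", "channel": "web"},
]

# Constructed rows in the shape of a Salesforce EventLogFile Bulk API export.
# Column names are assumptions modelled on EventLogFile; verify in your org.
SF_BULK_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,OPERATION_TYPE,ENTITY_TYPE,ROWS_PROCESSED
BulkApi,20260424111500.000,j.doe@example.com,query,Contact,8400000
BulkApi,20260424120000.000,a.smith@example.com,query,Contact,45000
BulkApi,20260424120500.000,etl.svc@example.com,query,Account,120000
"""

def parse_ts(raw):
    # EventLogFile timestamps look like yyyyMMddHHmmss.SSS; Okta uses ISO 8601 with Z.
    if raw.endswith("Z"):
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
    return datetime.strptime(raw.split(".")[0], "%Y%m%d%H%M%S")

def mfa_resets(okta_events, reset_types=("user.mfa.factor.reset_all",
                                          "user.mfa.factor.deactivate")):
    """Map each login to the most recent MFA reset time seen in the Okta log."""
    resets = {}
    for ev in okta_events:
        if ev["eventType"] in reset_types:
            t = parse_ts(ev["published"])
            resets[ev["target_login"]] = max(t, resets.get(ev["target_login"], t))
    return resets

def flag_exports(okta_events, sf_csv, row_threshold=100_000, window_hours=24,
                 allowlist=("etl.svc@example.com",)):
    """Return (user, entity, rows, reason) for each bulk read job that exceeds the
    row threshold from a non-allowlisted user or follows a recent MFA reset."""
    resets, alerts = mfa_resets(okta_events), []
    for row in csv.DictReader(io.StringIO(sf_csv)):
        if row["OPERATION_TYPE"] != "query":
            continue  # only read/export jobs matter for the exfiltration pattern
        user, rows, when = row["USER_NAME"], int(row["ROWS_PROCESSED"]), parse_ts(row["TIMESTAMP"])
        reasons = []
        if rows >= row_threshold and user not in allowlist:
            reasons.append("bulk export above threshold")
        reset_at = resets.get(user)
        if reset_at and timedelta(0) <= when - reset_at <= timedelta(hours=window_hours):
            reasons.append("export within %dh of MFA reset" % window_hours)
        if reasons:
            alerts.append((user, row["ENTITY_TYPE"], rows, "; ".join(reasons)))
    return alerts
```

The allowlist stands in for the "small named group of accounts" the paragraph describes; any account outside it that pulls more than the threshold, or that exports shortly after a help desk reset, is what the approval workflow and Shield alerting should catch.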


The high-cost fix is the one nobody wants to hear. The combination of "consumer brand + Salesforce CRM + Okta SSO + helpful help desk" is structurally vulnerable to the ShinyHunters M.O. The defensive architecture that closes this gap involves either eliminating help-desk-mediated MFA recovery entirely or moving to a phishing-resistant authenticator (FIDO2 / WebAuthn) that cannot be bypassed by a vishing call. Both require change-management programs that take quarters to land. Now is when you start.


For the threat intelligence side, our STIX feed has the ShinyHunters / UNC6040 indicators in it now, and we publish updates as new infrastructure surfaces. The help desk tabletop scenario above is the pre-attack equivalent of an indicator. If you have not run it, run it.


We will update this post when one of the ten on this list is named in a confirmed disclosure. We will be explicit about which call we got right and which ones we missed. That is the predictions-resolution discipline we committed to in our Kalshi predictions piece and we hold to it.


Sources: BleepingComputer ADT confirmation, The Hacker News Vercel-Context AI attribution, BreachSense breach tracking April 24 entries, Mandiant UNC6040 cluster documentation, Salesforce published customer case studies for the named brands.





