26.08.2025
2 min
605
American insurance company Farmers Insurance reported a data breach of 1.1 million customers after a large-scale series of attacks on Salesforce organized by the cybercrime group ShinyHunters.
The company released a message that on May 29, 2025, a third-party contractor Farmers detected suspicious activity in a database that stored customer information. The very next day, the provider recorded unauthorized access and blocked the attacker.
The investigation showed that the following personal data was stolen:
names and addresses;
dates of birth;
driver’s license numbers;
last four digits of social security numbers.
Farmers began sending notifications to affected customers on August 22. In total, the incident affected 1,111,386 people.
Although the company did not name the contractor, BleepingComputer’s sources confirmed that the leak was part of a broader wave of attacks on Salesforce that has already hit Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH brands (Louis Vuitton, Dior, Tiffany & Co).
Since early 2025, the UNC6040/UNC6240 groups have been conducting voice phishing attacks against Salesforce customers. Employees are tricked into connecting a malicious OAuth application to the Salesforce corporate environment. Through this access, the hackers download databases and demand a ransom.
ShinyHunters is involved in the attacks in collaboration with other groups, including Scattered Spider. They share roles: some provide initial access, others are engaged in mass data export and subsequent monetization. A similar scenario was previously used against Snowflake.
The Farmers Insurance leak has once again confirmed that even large companies with multi-layered security remain vulnerable to third-party contractors and social engineering. Salesforce, as one of the key CRM systems in the world, has become the number one target for cybercriminals. The incident demonstrates the need for careful monitoring of OAuth applications and raising employee awareness of phishing methods.
