The risk group generally known as ShinyHunters has issued what it calls a ultimate warning to Cisco (Cisco Methods, Inc.), setting a deadline of April 3, 2026, earlier than it begins leaking information it claims to have stolen. The message appeared on the group’s darkish net leak website, the place it has already been publishing information linked to earlier Salesforce-related incidents affecting corporations worldwide.
Based on the publish, the group claims entry to information from three separate breach paths, recognized as UNC6040, Salesforce Aura, and compromised AWS accounts. In whole, it alleges greater than three million Salesforce information have been taken, together with personally identifiable info, GitHub repositories, AWS storage buckets, and inside company information.
The group has described the warning as ultimate and warns Cisco to make contact earlier than the said deadline, including that failure to take action will lead not solely to information leaks but in addition unspecified “digital issues.”
It’s price noting that the newest risk comes simply days after the identical group leaked 350GB of European Fee information described as a mixture of mail server dumps, database exports, inside paperwork, and contracts.
UNC6040 Reference
Google Menace Intelligence Group (GTIG) designated the ShinyHunters group as UNC6040 in August 2025. The reference to UNC6040 can be significantly related right here as a result of Cisco additionally printed particulars a few marketing campaign involving voice phishing, or vishing, that focused workers to achieve entry to inside methods and buyer information.
By linking its claims to that marketing campaign, the ShinyHunters group has not solely acknowledged its involvement but in addition steered that a minimum of a part of the alleged Cisco information might have originated from social engineering assaults fairly than solely Salesforce-related assaults.
Leaked Samples Recommend Entry to AWS Setting
The group has shared three photos to point out the legitimacy of their claims. As seen by Hackread.com, these photos seem to point out entry to components of an AWS atmosphere allegedly related to Cisco, together with an organizational dashboard, storage volumes, and bucket listings.
Whereas these screenshots don’t comprise delicate information, they level to visibility throughout cloud infrastructure fairly than a single remoted system. The presence of an organization-level view is notable, because it normally signifies entry to a number of linked accounts and providers beneath centralized management.
ShinyHunters and Salesforce Breach
Over the previous yr, ShinyHunters has repeatedly claimed entry to Salesforce-related information throughout a number of organizations, typically publishing samples to help its claims. In a number of instances, the group pointed to misconfigurations, compromised credentials, or third-party integrations as entry factors, fairly than flaws inside Salesforce itself.
Earlier incidents linked to the group adopted the same sample through which Information was first listed on leak websites with restricted element, then printed full dumps when corporations didn’t interact. These leaks included buyer information, inside communications, and operational information pulled from linked methods.
Among the corporations named in Salesforce-related information breaches included
and lots of extra…
With the April 3 deadline approaching, the accuracy of those claims can solely be verified by Cisco. Hackread.com has reached out to the corporate for remark, and this text will likely be up to date as quickly as a response is acquired.
