ShinyHunters Claim Alleged Cisco Source Code & Data
Notorious cybercriminal group ShinyHunters has allegedly claimed responsibility for three distinct data breaches targeting Cisco Systems, Inc. The group asserts it compromised over 3 million Salesforce records containing personally identifiable information (PII). Further exposures reportedly include GitHub repositories, AWS S3 buckets, and additional sensitive internal corporate data.
Security researcher Dominic Alvieri detailed that ShinyHunters’ data leak site flagged Cisco with a “FINAL WARNING” notice, demanding the company reach out before April 3, 2026, or face public data exposure.

The listing, updated March 31, 2026, indicates a record count of over 3 million and references three distinct breach vectors: Salesforce CRM, Salesforce Aura (Experience Cloud), and AWS account environments.
ShinyHunters is a prolific black-hat hacker and extortion group believed to have formed around 2019. It has since evolved into one of the most active data theft and extortion operations in the cybercrime ecosystem.
The group operates under multiple tracked aliases, including UNC6040 and UNC6395, and has been linked to vishing (voice phishing) campaigns that trick company employees into granting OAuth token access to malicious third-party Salesforce applications.
In March 2026, ShinyHunters claimed to have breached between 300 and 400 organizations by exploiting misconfigured Salesforce Experience Cloud (Aura) guest user access controls, using an open-source tool called AuraInspector to automate vulnerability scanning across Salesforce environments.
Alleged Breach Claims
According to threat intelligence published by Resecurity, records allegedly stolen from Cisco clearly originate from its Salesforce environment and contain references to both Cisco customers and employees.
Alarmingly, the dataset reportedly includes records tied to personnel from the FBI, DHS, DISA, IRS, and NASA, as well as the Australian Ministry of Defense and multiple Indian government agencies — all likely linked to procurement or configuration of Cisco products.
Such data is highly valuable for adversaries planning targeted phishing, social engineering, or supply chain attacks.
ShinyHunters’ UNC6040 cluster is known for deceiving customer support employees via vishing to authorize malicious Salesforce-connected apps using OAuth tokens. Once OAuth access is granted, it effectively bypasses MFA, password resets, and login monitoring, since the tokens are issued natively by Salesforce.
In a subsequent stage attributed to UNC6395, stolen tokens are further weaponized to exfiltrate secrets, including AWS keys, passwords, and Snowflake tokens — enabling lateral movement into cloud environments.
Cisco’s Prior Breach History
In October 2024, threat actor IntelBroker claimed to have downloaded 4.5 TB of data from Cisco’s public-facing DevHub environment, which included source code, hardcoded credentials, API tokens, and AWS private buckets.
Cisco confirmed that while its core systems were not breached, certain files intended to remain private were inadvertently exposed due to a configuration error. In August 2025, Cisco also disclosed a separate CRM data breach via a vishing attack attributed to actors linked to ShinyHunters.
The ShinyHunters group has shown a consistent pattern of escalating its Salesforce-themed attacks, previously claiming breaches against Snowflake, Okta, LastPass, Google, AMD, Sony, and Crunchbase.
Security researchers advise organizations to immediately audit Salesforce OAuth-connected apps, enforce Salesforce API Access Control, revoke unrecognized tokens, and monitor for unauthorized Salesforce Data Loader activity as key mitigations against UNC6040-style intrusions.
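As an added illustration of the audit described above (not code from the article, Salesforce, or the cited researchers), the sketch below checks an exported list of OAuth-connected app usage against an allowlist and flags Data Loader use by accounts not authorised for it. The CSV columns, app names, users, and allowlists are constructed assumptions for this example.

```python
import csv
import io

# Constructed sample: a connected-app OAuth usage export. Column names are
# assumptions for this example, not a documented Salesforce report layout.
SAMPLE_EXPORT = """app_name,user,last_used,use_count
Salesforce Mobile,alice@example.com,2026-03-30,412
Data Loader,etl-svc@example.com,2026-03-31,95
Data Loader,bob@example.com,2026-03-29,3
Dataloader Bulk Helper,carol@example.com,2026-03-29,18
Ticket Sync,dave@example.com,2026-03-28,7
"""

APPROVED_APPS = {"Salesforce Mobile", "Data Loader"}  # hypothetical allowlist
DATA_LOADER_USERS = {"etl-svc@example.com"}           # hypothetical authorised users


def _squash(name):
    """Lower-case and drop non-alphanumerics so name variants compare equal."""
    return "".join(ch for ch in name.casefold() if ch.isalnum())


def audit_oauth_export(text, approved_apps, data_loader_users):
    """Return a list of (app, user, reason) findings, in input order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        app, user = row["app_name"].strip(), row["user"].strip()
        if app not in approved_apps:
            # Exact match only: a lookalike name must not inherit approval.
            findings.append((app, user, "unrecognized app: revoke token"))
        if "dataloader" in _squash(app) and user not in data_loader_users:
            # Covers both the approved app used by the wrong account and
            # apps that merely carry a Data Loader-style name.
            findings.append((app, user, "unauthorized Data Loader activity"))
    return findings


if __name__ == "__main__":
    for finding in audit_oauth_export(SAMPLE_EXPORT, APPROVED_APPS, DATA_LOADER_USERS):
        print(" | ".join(finding))
```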
Cisco has not yet issued an official public statement specifically addressing the March 2026 ShinyHunters extortion claim.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


