ShinyHunters, a well-known group of hackers, has taken credit for three separate data breaches that affected Cisco Systems, Inc. Dominic Alvieri, a security researcher, wrote about the group's data leak site, which addressed a "FINAL WARNING" notice to Cisco, telling the company to get in touch before April 3, 2026, or risk having its data made public.

The listing claims over 3 million records and mentions three different ways that the breach could have happened: Salesforce CRM, Salesforce Aura (Experience Cloud), and AWS account environments. Cisco said that its main systems were not hacked, but that some files meant to stay private were accidentally made public because of a configuration mistake. The dataset would be very useful to anyone planning targeted phishing, social engineering, or supply chain attacks.

The group is tracked under a number of aliases, such as UNC6040 and UNC6395. It has also been linked to vishing (voice phishing) campaigns that trick company employees into granting OAuth token access to malicious Salesforce apps. Security experts say that companies should immediately audit their Salesforce OAuth-connected apps, enforce API access controls, revoke tokens that aren't recognized, and keep an eye out for unauthorized Data Loader activity.

These are all important steps to stop UNC6040-style intrusions. The ShinyHunters group has shown that attacks on Salesforce apps are getting worse and worse. They have already claimed breaches against Snowflake, Okta, LastPass, Google, AMD, Sony, and Crunchbase. Because Salesforce issues the tokens directly, they can be used to get around Multi-Factor Authentication (MFA), password resets, and login monitoring.

This discovery shows that stolen tokens can be used in other ways to steal secrets like AWS keys, passwords, and Snowflake tokens, which lets attackers move laterally through cloud environments. Cisco revealed another breach in August 2025 that was caused by vishing attacks from the same group.
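The audit steps recommended above (find unrecognized OAuth-connected apps, pick the tokens to revoke, watch for unexpected Data Loader use) can be sketched as a small triage script. This is an added example, not code from Cisco, Salesforce, or the researchers cited; the allowlist, the field names, the thresholds, and the sample rows are all constructed assumptions standing in for an organization's own OAuth usage export.

```python
from datetime import datetime, timedelta

# Assumptions: apps the organization has approved, and the only accounts
# expected to run bulk-export tooling such as Data Loader.
APPROVED_APPS = {"salesforce for outlook", "data loader"}
BULK_EXPORT_USERS = {"integration.svc@example.com"}

# Constructed sample rows; the field names are hypothetical stand-ins for
# whatever your OAuth usage export provides.
SAMPLE_TOKENS = [
    {"app": "Salesforce for Outlook", "user": "a.lee@example.com",
     "created": "2025-01-10T09:00:00", "use_count": 412},
    {"app": "My Ticket Portal", "user": "b.ross@example.com",
     "created": "2026-03-30T14:05:00", "use_count": 950},
    {"app": "Data Loader", "user": "c.kim@example.com",
     "created": "2025-11-02T08:30:00", "use_count": 3},
    {"app": "Data Loader", "user": "integration.svc@example.com",
     "created": "2024-06-01T00:00:00", "use_count": 8800},
]


def audit_tokens(tokens, now, new_days=7, burst=500):
    """Return (user, app, reasons) for every token that needs review."""
    findings = []
    for t in tokens:
        app = t["app"].strip().casefold()
        reasons = []
        if app not in APPROVED_APPS:
            reasons.append("unrecognized app")
        if "data loader" in app and t["user"] not in BULK_EXPORT_USERS:
            reasons.append("unexpected Data Loader user")
        age = now - datetime.fromisoformat(t["created"])
        if age <= timedelta(days=new_days) and t["use_count"] >= burst:
            reasons.append("new grant with heavy use")
        if reasons:
            findings.append((t["user"], t["app"], reasons))
    return findings


def revoke_candidates(findings):
    """Tokens for unrecognized apps are the ones to revoke first."""
    return [(u, a) for u, a, r in findings if "unrecognized app" in r]


if __name__ == "__main__":
    for user, app, reasons in audit_tokens(SAMPLE_TOKENS, datetime(2026, 4, 1)):
        print(f"{user:30} {app:25} {', '.join(reasons)}")
```

Because a granted token keeps working after a password reset, the output of `revoke_candidates` is a list of tokens to revoke, not of accounts to reset.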