On April 3, 2026, the ShinyHunters ransomware-as-a-service (RaaS) group confirmed a massive breach of Cisco's Salesforce infrastructure, exposing 3 million records including sensitive data from U.S. federal agencies (FBI, IRS, NASA) and Indian government entities. ShinyHunters gained initial access through vishing (voice phishing) attacks that bypassed multi-factor authentication, then escalated privileges to extract AWS credentials and exfiltrate data. The group set a ransom deadline of April 3, 2026, and threatened public data release if Cisco failed to contact them. This represents Cisco's second major Salesforce compromise in two years and marks a critical failure in government cloud security controls.

What Happened

ShinyHunters conducted a sustained attack on Cisco's Salesforce environment, compromising government customer data and exfiltrating AWS credentials that provide access to additional infrastructure.

Timeline:

  1. Vishing Campaign (weeks prior): ShinyHunters conducted targeted voice phishing attacks against Cisco Salesforce administrators, impersonating IT support or executives to harvest credentials or obtain access codes.

  2. MFA Bypass (date unknown): Despite MFA protections, attackers obtained valid credentials and bypass codes through social engineering or credential compromise, gaining initial access to Salesforce org.

  3. Privilege Escalation (date unknown): Once inside Salesforce, attackers identified and compromised administrator accounts with additional permissions and moved laterally to systems with higher privileges.

  4. AWS Credential Theft (date unknown): Discovered and exfiltrated AWS credentials embedded in Salesforce configurations or environment variables, or stored in Salesforce custom fields or files.

  5. Data Exfiltration (date unknown): Extracted 3 million records from Salesforce including FBI, IRS, NASA, and Indian government records containing employee names, addresses, email addresses, identification numbers, and operational data.

  6. Public Threat (April 3, 2026): Posted samples of stolen data on the ShinyHunters leak site, set a ransom deadline of April 3, 2026, and demanded contact from Cisco to negotiate payment.

  7. Confirmation (April 3, 2026): ShinyHunters publicly confirmed the breach with forensic evidence and leaked data samples.

What Was Taken

Confirmed Victim Agencies: FBI, IRS, NASA, and Indian government entities.

Data Categories: employee names, addresses, email addresses, identification numbers, and operational data.

Data Volume: 3 million records (confirmed by ShinyHunters).

Secondary Impact: AWS credentials exposure provides access to additional cloud resources, potentially allowing further lateral movement and data exfiltration.

Why It Matters

This breach exposes critical failures in government cloud security:

  1. Federal Agency Vulnerability: FBI, IRS, and NASA records exposure demonstrates that even top-tier federal agencies rely on cloud platforms with inadequate access controls.

  2. MFA Bypass via Social Engineering: Vishing attacks succeeded despite MFA deployment, proving that technical controls alone cannot stop determined attackers. User training and access controls are equally critical.

  3. Credential Exposure in Cloud: AWS credentials stored in Salesforce represent a fundamental architecture mistake. Cloud credentials should never be embedded in application configurations.

  4. Repeat Offender: This is Cisco's second major Salesforce breach in two years, indicating systemic control failures that survived prior incident response.

  5. Government Data at Risk: Personal information on federal employees, contractors, and citizens is now in criminal hands and will likely be sold on criminal markets, used for blackmail, or passed to state actors.

  6. Supply Chain Risk: Cisco's Salesforce org acts as an aggregation point for multiple government agencies' data. Compromise of a single vendor exposes dozens of customer organizations simultaneously.

The Attack Technique

Confirmed Attack Vectors: vishing (voice phishing) of Salesforce administrators, MFA bypass through social engineering, and theft of AWS credentials stored within the Salesforce environment.

How Attackers Got In: ShinyHunters used vishing attacks to compromise Salesforce administrator credentials and bypass MFA protections.

What Happened After Initial Access: Specific details about lateral movement, privilege escalation, or persistence mechanisms are not disclosed in available reporting.

Critical Control Gaps:

  - MFA was bypassed through social engineering (vishing)
  - AWS credentials were accessible within the Salesforce environment
  - No apparent detection or prevention of bulk data export
  - No secondary controls to prevent government data theft

What Organizations Should Do

Immediate (Next 24 Hours):

  1. Audit all Salesforce administrator accounts — List all users with System Administrator or other admin roles, review login history for past 90 days, revoke unused accounts, reset passwords for all admins.

  2. Check for persistent access mechanisms — Search for API tokens, OAuth apps, and connected apps created within past 90 days; revoke any suspicious integrations; review Setup → API → OAuth Tokens.

  3. Search for credential compromise — Review Setup → Named Credentials for AWS or other cloud provider credentials; change all exposed credentials immediately.

  4. Enable login IP restrictions — Configure Setup → Session Settings to restrict admin logins to specific IP ranges; require VPN access for Salesforce administrators.

  5. Revoke all AWS credentials — Identify and revoke any AWS access keys that were accessible via Salesforce; issue replacement keys; review AWS CloudTrail for unauthorized access.
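The immediate checklist above is mostly a set of queries against exports you already have: Salesforce user and OAuth token listings, and CloudTrail events for the exposed keys. The script below is an added example (not Cisco's, Salesforce's or AWS's own tooling) that runs those three checks over constructed sample records: stale or never-used System Administrator accounts (step 1), connected apps or OAuth tokens created inside the 90-day window (step 2), and CloudTrail activity for a given access key from outside the networks you expect (step 5). Column names, the "current" date, the expected IP ranges and the AWS example key ID are assumptions; replace them with your real exports and corporate egress ranges.

```python
"""Triage helpers for the 'Immediate' checklist: stale admin accounts,
recently created OAuth tokens, and off-network use of an AWS access key.

Added example; not Cisco's, Salesforce's or AWS's own tooling. All records
below are constructed to resemble Salesforce User / OAuthToken exports and
CloudTrail events. Field names and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2026, 4, 4, tzinfo=timezone.utc)   # constructed "today"
LOOKBACK = timedelta(days=90)                      # window named in the checklist
ADMIN_PROFILES = {"System Administrator"}          # extend with custom admin profiles
# Constructed corporate egress ranges admin/API traffic is expected to come from
EXPECTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample of Salesforce User records (simplified columns)
SF_USERS = [
    {"Username": "admin1@example.com", "Profile": "System Administrator",
     "IsActive": True, "LastLoginDate": "2026-04-02T09:15:00Z"},
    {"Username": "admin2@example.com", "Profile": "System Administrator",
     "IsActive": True, "LastLoginDate": "2025-11-20T13:00:00Z"},   # stale
    {"Username": "svc-legacy@example.com", "Profile": "System Administrator",
     "IsActive": True, "LastLoginDate": None},                      # never used
    {"Username": "user@example.com", "Profile": "Standard User",
     "IsActive": True, "LastLoginDate": "2026-04-01T08:00:00Z"},
]

# Constructed sample of OAuth tokens / connected-app grants
SF_OAUTH_TOKENS = [
    {"AppName": "Corp Marketing Sync", "User": "admin1@example.com",
     "CreatedDate": "2024-06-01T00:00:00Z"},
    {"AppName": "DataLoader-Export", "User": "admin2@example.com",
     "CreatedDate": "2026-03-20T22:41:00Z"},   # created inside the lookback window
]

# Constructed CloudTrail events; the key ID is AWS's documented example value
EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2026-03-25T10:00:00Z", "eventName": "ListBuckets",
     "accessKeyId": EXPOSED_KEY, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-03-28T03:12:00Z", "eventName": "GetObject",
     "accessKeyId": EXPOSED_KEY, "sourceIPAddress": "192.0.2.77"},
    {"eventTime": "2026-03-28T03:13:00Z", "eventName": "ListBuckets",
     "accessKeyId": EXPOSED_KEY, "sourceIPAddress": "192.0.2.77"},
]


def _parse(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_admins(users, now=NOW, lookback=LOOKBACK):
    """Active admin accounts with no login inside the window (deactivation candidates)."""
    found = []
    for u in users:
        if u["Profile"] not in ADMIN_PROFILES or not u["IsActive"]:
            continue
        last = u["LastLoginDate"]
        if last is None or _parse(last) < now - lookback:
            found.append(u["Username"])
    return found


def recent_oauth_tokens(tokens, now=NOW, lookback=LOOKBACK):
    """OAuth grants / connected apps created inside the window; each needs a review."""
    return [t["AppName"] for t in tokens if _parse(t["CreatedDate"]) >= now - lookback]


def suspicious_key_usage(events, key_id):
    """CloudTrail events for one access key whose source IP is outside expected ranges."""
    hits = []
    for e in events:
        if e["accessKeyId"] != key_id:
            continue
        ip = ip_address(e["sourceIPAddress"])
        if not any(ip in net for net in EXPECTED_NETWORKS):
            hits.append((e["eventTime"], e["eventName"], e["sourceIPAddress"]))
    return hits


if __name__ == "__main__":
    print("Stale admins:", stale_admins(SF_USERS))
    print("Recent OAuth tokens:", recent_oauth_tokens(SF_OAUTH_TOKENS))
    print("Off-network key use:", suspicious_key_usage(CLOUDTRAIL_EVENTS, EXPOSED_KEY))
```

Treat every hit as a lead, not a verdict: a never-logged-in admin may be a break-glass account, and a new connected app may be a sanctioned integration, but each one should be confirmed with its owner before the window closes. CloudTrail hits from unexpected addresses for a key that was reachable from Salesforce are the strongest signal here and justify immediate key revocation regardless of what the requests did.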

Medium-Term (Next 2 Weeks):

  1. Implement multi-factor authentication hardening — Deploy hardware security keys for Salesforce administrators (eliminate SMS-based MFA which is vulnerable to SIM swapping); require MFA for all users, not just admins.

  2. Deploy Salesforce Shield and advanced monitoring — Enable Salesforce Shield Event Monitoring to track all user activity; implement alerts for sensitive actions like role changes, credential access, data exports.

  3. Segment Salesforce access — Create separate Salesforce orgs for different customer data types (government, commercial, internal); limit cross-org data sharing.

  4. Remove credentials from Salesforce — Never store AWS credentials or other secrets in Salesforce; use AWS Secrets Manager or third-party vault for all credentials; remove any embedded credentials immediately.

  5. Implement field-level security controls — Review field-level permissions to ensure sensitive data (government records, PII) is not accessible to all users; restrict data access by role and need-to-know.
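Step 2 above (Shield Event Monitoring with alerts on data exports) is where the "no detection of bulk data export" gap in this incident would have been closed. The following is an added example, not Salesforce's own tooling, of the alerting logic a SOC would put behind that log feed: it parses constructed, simplified EventLogFile-style rows and raises alerts for single large exports, for exports by identities that are not approved integration accounts, and for a user's daily export volume crossing a threshold. The column names are a simplified assumption (real EventLogFile columns vary by event type), and the thresholds and the approved-exporter list are placeholders to tune per org.

```python
"""Bulk-export detection over Salesforce Event Monitoring style records.

Added example; not Salesforce's own tooling. The log rows are constructed
and simplified; real EventLogFile columns differ per event type. Thresholds
and the approved-exporter list are assumptions to tune for your org.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows (assumed columns, simplified EventLogFile layout)
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,ROWS_PROCESSED,OBJECT
Login,2026-03-28T02:55:10Z,admin2@example.com,192.0.2.77,,
ReportExport,2026-03-28T03:01:44Z,admin2@example.com,192.0.2.77,250000,Contact
BulkApi,2026-03-28T03:05:02Z,admin2@example.com,192.0.2.77,1200000,Account
Report,2026-03-28T09:12:00Z,user@example.com,203.0.113.10,400,Opportunity
BulkApi,2026-03-29T11:00:00Z,etl-svc@example.com,203.0.113.20,50000,Lead
"""

EXPORT_EVENTS = {"ReportExport", "BulkApi"}      # event types that move data out
ROW_THRESHOLD = 100_000                          # assumed single-export ceiling
DAILY_USER_THRESHOLD = 500_000                   # assumed per-user daily total
APPROVED_EXPORTERS = {"etl-svc@example.com"}     # constructed sanctioned integration accounts


def parse_events(text):
    """Read CSV log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def bulk_export_alerts(events, row_threshold=ROW_THRESHOLD,
                       daily_threshold=DAILY_USER_THRESHOLD,
                       approved=APPROVED_EXPORTERS):
    """Return alert strings for export events that break policy.

    Three rules: any single export over row_threshold; any export by a user
    not on the approved integration list (human admins pulling data is the
    pattern seen in this incident); and a per-user, per-day total over
    daily_threshold, which catches many medium-sized pulls.
    """
    alerts = []
    per_user_day = defaultdict(int)
    for e in events:
        if e["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        rows = int(e["ROWS_PROCESSED"] or 0)
        user, obj, kind = e["USER_NAME"], e["OBJECT"], e["EVENT_TYPE"]
        day = e["TIMESTAMP_DERIVED"][:10]
        per_user_day[(user, day)] += rows
        if rows >= row_threshold:
            alerts.append(f"LARGE_EXPORT {user} {kind} {obj} rows={rows}")
        if user not in approved:
            alerts.append(f"UNAPPROVED_EXPORTER {user} {kind} {obj}")
    for (user, day), total in sorted(per_user_day.items()):
        if total >= daily_threshold:
            alerts.append(f"DAILY_VOLUME {user} {day} total_rows={total}")
    return alerts


if __name__ == "__main__":
    for line in bulk_export_alerts(parse_events(SAMPLE_LOG)):
        print(line)
```

The approved-exporter rule is the cheapest of the three and the one most likely to have fired here: exports from an administrator's interactive session rather than a named integration account are unusual in a well-governed org and are worth an alert even at small row counts. Volume thresholds should be set from a baseline of normal ETL jobs so that the sanctioned integration account in the sample stays quiet.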

Strategic (Next Month):

  1. Conduct full Salesforce security audit — Hire third-party Salesforce security firm to audit entire org configuration, user access, custom code, and integrations.

  2. Establish Salesforce data governance — Document all data types stored in Salesforce, classify by sensitivity, assign data owners, and implement retention and purging policies.

Key Takeaway

Cisco's Salesforce compromise of 3 million government records through vishing and social engineering demonstrates that MFA alone is insufficient to protect high-value cloud infrastructure. Organizations must combine technical controls (MFA, IP restrictions, credential management) with user training, detective controls (logging and monitoring), and architectural changes (never store cloud credentials in applications). Repeat breaches indicate that incident response recommendations from the first breach were not implemented—organizations must verify remediation independently.

Sources: 3 Million Cisco Records Leaked: FBI, IRS, NASA from Salesforce Hack Exposed