For years, the cybersecurity conversation has centered on two fronts: your endpoints and your email. Patch the laptops. Train people on phishing. Buy the antivirus. Watch the inboxes. Most managed IT and security programs are built around those two pillars, and for good reason — they’re where most attacks have lived.
That’s changing. Over the past eighteen months, attackers have opened a third front, and most businesses haven’t moved their defenses to match. The new target is the place where your customer data actually lives: your CRM.
What Happened: 760 Companies, 1.5 Billion Records
The extortion group ShinyHunters has spent the past year quietly running one of the largest data theft operations in history — and the data wasn’t taken from email servers or laptops. It was taken from Salesforce.
According to BleepingComputer, ShinyHunters told reporters they stole approximately 1.5 billion Salesforce records from 760 companies through compromised OAuth tokens tied to a third-party Salesforce integration called Salesloft Drift. Public victims of that single campaign include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks — every one of them companies that sell security or compliance software for a living.
Google’s Threat Intelligence Group, which has been tracking the activity as UNC6040 and UNC6395, says the attackers’ primary goal isn’t simply stealing customer lists. After exfiltrating CRM data, they search through it looking for embedded credentials — AWS access keys, passwords, Snowflake tokens — that can be used to compromise other systems downstream.
The campaign hasn’t slowed. Computer Weekly reports a long and growing list of confirmed or claimed victims that includes Adidas, Pandora, Allianz, Qantas, Air France-KLM, Google, and the LVMH brands Louis Vuitton, Dior, and Tiffany & Co. Mandiant Consulting CTO Charles Carmakal told BleepingComputer that the attackers have also been misusing AuraInspector — an open-source tool originally built to help administrators audit Salesforce configurations — to scan public-facing Experience Cloud sites at scale.
The most recent example is fresh. On April 15, 2026, ShinyHunters posted alleged data from insurance company Kemper Corporation on its dark web leak site. According to coverage by Cybernews, the threat actors claim to have stolen 29 GB of data covering more than 13 million Salesforce records — internal corporate documents, employee training materials, employee names and email addresses, and Stripe payment logs containing customer names and transaction amounts. Kemper has confirmed the incident publicly, launched an investigation with third-party cybersecurity experts, and notified law enforcement.
How They’re Getting In
This is the part that should get every business leader’s attention. Salesforce is not the vulnerability. The platform itself isn’t being broken into. The attackers are walking through the front door, using credentials that were given to them voluntarily.
The pattern is consistent across the campaign. Attackers call employees pretending to be IT support — a technique called voice phishing, or vishing. They walk the employee through “fixing” something, which usually means authorizing a malicious OAuth application or handing over a one-time password. Once that authorization happens, the attacker has direct access to that company’s CRM data, and because the OAuth grant persists, the token keeps working without the user ever being asked to log in again. Multi-factor authentication doesn’t help, because the attacker isn’t logging in — they’re using a token the user already approved.
In the Salesloft Drift variant of the campaign, attackers didn’t even need to call employees. They scanned source code repositories with a tool called TruffleHog, found OAuth tokens that developers had accidentally committed to public code, and used those tokens to query Salesforce instances directly. According to BleepingComputer, that single technique enabled the theft of records from 760 companies.
Salesforce has been clear in its public guidance: this is not a platform vulnerability. It’s a customer-side configuration and credential issue. The same is true for any CRM platform — HubSpot, Microsoft Dynamics, Zoho, Pipedrive. The risk isn’t in the software. It’s in how organizations manage access to it.
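As an added example (not centrexIT's code and not the TruffleHog tool), the following scanner runs the defender's side of the check just described: it looks through constructed repository files and a support-ticket note for the kinds of embedded credentials the campaign harvested (AWS key IDs, Salesforce-style session tokens, password assignments, private keys) and reports them redacted. The token formats are approximations (an assumption), and every sample input is constructed.

```python
"""Scan text for embedded credentials of the kinds the campaign harvested.

Added example, not centrexIT's or TruffleHog's code. Patterns are
approximations (assumption); the sample inputs are constructed.
"""
import re
from dataclasses import dataclass

PATTERNS = {
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Salesforce session/access token: 15-char org id ('00D...'), '!', body
    "salesforce_token": re.compile(r"\b00D[0-9A-Za-z]{12}![0-9A-Za-z._]{40,}"),
    # 'password: ...' style notes, common in support tickets and .env files
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    # PEM private key header
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass
class Finding:
    source: str     # file path or CRM record the text came from
    line_no: int
    kind: str
    preview: str    # redacted: first 6 characters only, never the full value

def redact(value: str) -> str:
    return value[:6] + "..." if len(value) > 6 else "***"

def scan_text(text: str, source: str) -> list[Finding]:
    """One Finding per credential-looking match, value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(source, line_no, kind, redact(value)))
    return findings

def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source name -> text (repo files, CRM notes, tickets)."""
    return [f for name, text in sources.items() for f in scan_text(text, name)]

# Constructed inputs (no real secrets): a committed .env, a ticket note, a README.
SAMPLE_SOURCES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "SF_TOKEN=00D000000000001!AQEAQ" + "x" * 50 + "\n",
    "ticket-1042.txt": "VPN fix done. Temp password: Tempp@ss123! set on the jump box.\n",
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no} {f.kind} {f.preview}")
```

The same function can be pointed at a CRM export of ticket bodies and notes, which is the data the attackers searched after exfiltration.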
Why Your CRM Is Now a Primary Target
Step back from the technical detail for a moment and ask a harder question: what’s actually inside your CRM right now?
For most businesses, the answer is sobering. Your CRM probably contains every customer’s contact information. The deal history. The pricing you’ve quoted. Notes from sales calls. Email threads. Support tickets that reference passwords, IP addresses, internal usernames, and specific systems. Payment records. Employee names and roles. Vendor relationships. In some cases, attached documents — contracts, signed agreements, intake forms — sitting inside the customer record.
That data lives there because the CRM is supposed to be the operational heart of the business. Sales runs on it. Customer service runs on it. Marketing runs on it. Account management runs on it. The same convenience that makes it valuable to your team makes it valuable to an attacker.
And here’s the uncomfortable part: most organizations have a much more mature security posture around their email and their endpoints than around their CRM. The IT team owns the laptops. The IT team owns the inbox. But the CRM is usually owned by sales operations or marketing operations — teams that aren’t trained on access governance, OAuth grant review, or third-party integration risk. Plug-ins, browser extensions, and AI productivity tools get connected to the CRM with broad permissions, often without anyone in IT or security being told.
That’s the gap ShinyHunters has been exploiting for eighteen months. Not a software flaw. A governance gap.
What You Should Do Now
You don’t need to panic, and you don’t need to rip out your CRM. You need to start treating it the way you already treat your email environment — as a primary system that needs governance, monitoring, and review.
A few questions worth answering this week:
Who has admin access to your CRM right now? Pull the admin list. If there are names on it that shouldn’t be there — former employees, contractors who finished a project, integration accounts that were never cleaned up — that’s an open door.
What third-party apps and integrations are connected to your CRM? Every OAuth grant is a potential entry point. Most organizations connect tools over time and never audit what’s still active. A quarterly review of connected applications is basic hygiene that most businesses skip entirely.
Are your OAuth tokens stored anywhere they shouldn’t be? If your development team has ever worked with your CRM’s API, check whether tokens were committed to code repositories. This is the exact technique ShinyHunters used to access 760 companies — and it’s entirely preventable.
Does anyone monitor your CRM for unusual data access? Your email environment probably has alerting. Your CRM almost certainly doesn’t. Bulk data exports, unusual API activity, logins from new locations — these are the signals that would have flagged the ShinyHunters campaign before the damage was done.
Who in your organization is responsible for CRM security? If the answer is “sales ops” or “marketing,” that’s a gap. CRM security is an IT and security function, not a business operations function. If your IT team isn’t involved in your CRM governance, now is the time to fix that.
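The three monitoring signals from the questions above, as an added example that is not centrexIT's or Salesforce's code: a small rule set run over a constructed activity log with a simplified schema (an assumption, not a real CRM event format). It flags activity through a connected app missing from the reviewed allowlist, logins from a country outside the user's baseline, and API or bulk exports whose row counts exceed a threshold when summed per user and app.

```python
"""Flag the CRM access signals named above over a constructed activity log.

Added example, not centrexIT's or Salesforce's code. The event schema is a
simplified stand-in for a real CRM audit/event log (assumption).
"""
from collections import defaultdict

def detect(events, approved_apps, baseline_countries, bulk_threshold=50_000):
    """Return alerts: unapproved connected apps, logins from new locations,
    and API/bulk exports over bulk_threshold rows summed per (user, app)
    across the batch, so a chunked export still trips the rule."""
    alerts, seen_unapproved = [], set()
    rows_by_actor = defaultdict(int)
    for ev in events:
        actor = (ev["user"], ev["app"])
        # Rule 1: any activity through an app not on the reviewed allowlist
        if ev["app"] not in approved_apps and actor not in seen_unapproved:
            seen_unapproved.add(actor)
            alerts.append({"rule": "unapproved_app", "user": ev["user"], "detail": ev["app"]})
        # Rule 2: login from a country outside the user's baseline
        known = baseline_countries.get(ev["user"], set())
        if ev["type"] == "Login" and ev["country"] not in known:
            alerts.append({"rule": "new_location", "user": ev["user"], "detail": ev["country"]})
        # Rule 3: accumulate rows pulled through the API or Bulk API
        if ev["type"] in ("API", "BulkApi"):
            rows_by_actor[actor] += ev["rows"]
    for (user, app), rows in rows_by_actor.items():
        if rows > bulk_threshold:
            alerts.append({"rule": "bulk_export", "user": user, "detail": f"{app}: {rows} rows"})
    return alerts

# Constructed sample batch: a normal marketing user, then an integration
# account pulling the whole contact base through an unreviewed app from abroad.
EVENTS = [
    {"ts": "2026-04-15T02:10Z", "user": "jdoe", "app": "Marketing Sync", "type": "Login", "rows": 0, "country": "US"},
    {"ts": "2026-04-15T02:12Z", "user": "jdoe", "app": "Marketing Sync", "type": "API", "rows": 1200, "country": "US"},
    {"ts": "2026-04-15T03:01Z", "user": "svc_integ", "app": "DataLoader-Custom", "type": "Login", "rows": 0, "country": "NL"},
    {"ts": "2026-04-15T03:02Z", "user": "svc_integ", "app": "DataLoader-Custom", "type": "BulkApi", "rows": 250_000, "country": "NL"},
    {"ts": "2026-04-15T03:05Z", "user": "svc_integ", "app": "DataLoader-Custom", "type": "BulkApi", "rows": 300_000, "country": "NL"},
]
APPROVED_APPS = {"Marketing Sync", "Support Desk Connector"}   # output of the quarterly app review
BASELINE_COUNTRIES = {"jdoe": {"US"}, "svc_integ": {"US"}}      # built from prior login history

if __name__ == "__main__":
    for a in detect(EVENTS, APPROVED_APPS, BASELINE_COUNTRIES):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```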
The Broader Pattern
The ShinyHunters campaign is part of a larger shift in how sophisticated attackers approach enterprise data theft. The goal isn’t to break the software — it’s to acquire legitimate credentials and permissions that allow them to operate as if they belong.
This is the same logic behind the DigitalMint ransomware negotiator case, where an insider used trusted access to betray his own clients. It’s the same logic behind the Business Email Compromise attacks that cost businesses $2.9 billion in 2023 alone. The attacker doesn’t need to break down the door if someone inside will open it.
The implication for businesses is that technical controls alone aren’t enough. Governance matters. Access review matters. The human layer — who is authorized to do what, and whether anyone is checking — is where the real exposure lives.
This is exactly why centrexIT’s approach puts people first. Not just in the sense of client relationships, but in the literal sense: the security posture of your organization depends on the humans who manage access, review authorizations, and catch anomalies before they become incidents. Technology is only as secure as the governance around it.
Not sure how your CRM fits into your overall security posture? Start with our free 2-minute cybersecurity assessment →
Or talk to our team directly — we’ve been helping San Diego businesses close security gaps since 2002.
Sources:
- BleepingComputer: ShinyHunters claims theft of 1.5 billion Salesforce records from 760 companies
- Mandiant / BleepingComputer: Charles Carmakal quoted on AuraInspector misuse
- Google Threat Intelligence Group: UNC6040 and UNC6395 tracking
- Computer Weekly: ShinyHunters victim list
- Cybernews: Kemper Corporation Salesforce breach coverage
- Kemper Corporation public statement via PRNewswire (April 15, 2026)
The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.