April 3, 2026

Massive Data Breach Affects Major US Agencies Including FBI, IRS, and NASA via Salesforce Security Incident

Vaibhav April 3, 2026
Massive-Data-Breach-Affects-Major-US-Agencies-Including-FBI-IRS-and-NASA-via-Salesforce-Security-Incident
Post Views: 6

Notorious Cyber Extortion Group Compromises Over 3 Million Salesforce Records

A notorious cyber extortion group has claimed to have compromised over 3 million Salesforce records containing personally identifiable information (PII) from high-value government agencies, including the FBI, IRS, NASA, Australian Defense Ministry, and Indian government agencies tied to Cisco procurement.

Tactics and Exploits

The group, known as ShinyHunters, demands that Cisco contact them before April 3, 2026, or face public exposure. The breach was made possible through a combination of vulnerabilities in Salesforce CRM, Aura Experience Cloud, and Amazon Web Services (AWS).

  • Guest user misconfigurations in Salesforce Experience Cloud instances allowed unauthorized access to sensitive information.
  • Stolen OAuth tokens were used to bypass Multi-Factor Authentication (MFA) and access AWS S3 buckets and GitHub repositories.

The group’s tactics involve voice phishing customer support staff to authorize malicious Salesforce OAuth apps, which allows them to bypass password controls. They then use stolen tokens to extract secrets at scale, compromising sensitive data stored in cloud-based services such as Snowflake and AWS.

Previous Incidents and Recommendations

This latest incident follows a pattern of previous breaches, including a 4.5 TB source code/API tokens leak in October 2024, which was caused by a configuration error in the DevHub breach. In August 2025, ShinyHunters were linked to a CRM vishing campaign.

  • Auditing Salesforce OAuth apps for unauthorized integrations
  • Enforcing strict API Access Control and revoking unrecognized tokens
  • Monitoring Salesforce Data Loader activity anomalies
  • Implementing guest user restrictions in Experience Cloud (Aura)
According to the researchers, “enterprises worldwide must assume similar Salesforce exposures exist across vendor ecosystems pending confirmation.”

No official statement has been issued by Cisco regarding the March 31, 2026, extortion claim, despite a pattern of prior breaches. As a result, enterprises must take immediate action to protect themselves from potential threats.




About Author

Vaibhav

See author's posts

More Stories

Secure-On-Premises-AI-Governance-Solutions-with-APERION-SmartFlow-SDK

Secure On-Premises AI Governance Solutions with APERION SmartFlow SDK

Vaibhav April 3, 2026
Microsoft-Forces-Upgrades-on-Unmanaged-Windows-11-Version-22H2-Computers

Microsoft Forces Upgrades on Unmanaged Windows 11 Version 22H2 Computers

Vaibhav April 3, 2026
New-ShareFile-Flaws-Enable-Pre-Auth-Remote-Code-Execution-Attacks

New ShareFile Flaws Enable Pre-Auth Remote Code Execution Attacks

Vaibhav April 2, 2026

Latest Cyber Security News

Hims-Hers-Data-Breach-Exposes-Customer-Support-Information

Hims & Hers Data Breach Exposes Customer Support Information

Vaibhav April 3, 2026
How-AI-Revolutionizes-Web-Traffic-Forever

How AI Revolutionizes Web Traffic Forever

Vaibhav April 3, 2026
Artificial-Intelligence-Firm-Mercor-Hacked-4TB-of-Data-Stolen

Artificial Intelligence Firm Mercor Hacked, 4TB of Data Stolen

Vaibhav April 3, 2026
Artificial-Intelligence-Security-Conference-2026

Artificial Intelligence Security Conference 2026

Vaibhav April 3, 2026
Understanding-the-Evolution-and-Impact-of-Modern-Ransomware-Attacks

Understanding the Evolution and Impact of Modern Ransomware Attacks

Vaibhav April 3, 2026
en_USEnglish
en_USEnglish