ShinyHunters Claim Theft of 3M+ Cisco Records via Compromised Salesforce and AWS, Threaten Public Leak
What Happened – ShinyHunters announced that they have exfiltrated more than three million Cisco records by abusing compromised Salesforce and Amazon Web Services (AWS) accounts. The group is demanding payment and has warned that the data will be published publicly if its demands are not satisfied by April 3, 2026.
Why It Matters for TPRM –
- A breach of a core networking vendor can cascade to any organization that relies on Cisco hardware, software, or cloud services.
- The use of third‑party SaaS (Salesforce) and IaaS (AWS) illustrates how supply‑chain weaknesses can expose downstream partners.
- Public disclosure of the data could trigger regulatory notifications, brand damage, and downstream credential reuse attacks.
Who Is Affected – Telecommunications, enterprise networking, cloud‑enabled manufacturers, and any third party that integrates Cisco solutions (e.g., data‑center operators, MSPs, and large‑scale enterprises).
Recommended Actions –
- Review contracts and security clauses with Cisco and any Cisco‑managed cloud services.
- Verify that Salesforce and AWS credentials used by Cisco are protected with MFA, least‑privilege access, and continuous monitoring.
- Conduct a rapid risk assessment of any data flows that traverse Cisco infrastructure and consider temporary segmentation until the threat is mitigated.
Technical Notes – The attackers leveraged compromised credentials to access Cisco’s Salesforce CRM and AWS environments, suggesting a third‑party dependency attack vector. No specific CVE was disclosed. Stolen data reportedly includes internal employee records, customer contact information, and possibly configuration details of networking equipment.
Source: HackRead