
Somewhere inside a major corporation, a phone rings. The caller identifies themselves as IT support — familiar voice, convincing script, correct internal terminology. The employee on the line is walked through a routine that ends with them handing over their Salesforce password, approving an MFA request, or connecting a “diagnostic tool” to their CRM environment. The caller hangs up.

ShinyHunters has the data.

This is the attack playbook driving one of 2026’s most damaging enterprise breach campaigns. The group responsible for the Instructure Canvas breach (275 million student records), the Medtronic breach (9 million medical records), and the Carnival Corporation breach (8.7 million loyalty program records) has pivoted from technical vulnerability exploitation to something far harder to patch: a phone call.

The Vishing Playbook

Vishing — voice phishing — is not new. But ShinyHunters’ systematic application of it against enterprise Salesforce environments in 2025–2026 represents a disciplined, repeatable attack model that has proven effective against organizations with mature technical defenses.

The campaign follows a consistent pattern:

1. Target selection: Identify employees with Salesforce administrator access, Salesforce developer credentials, or high-privilege CRM roles. LinkedIn, company directories, and OSINT tools make this information readily available.

2. Pretext construction: Research the target organization’s IT structure, support tooling, and internal terminology. The more plausible the pretext, the higher the success rate.

3. The call: Impersonate an internal IT helpdesk agent, a Salesforce support representative, or a trusted managed service provider. Present a plausible scenario: a security alert on the employee’s account, a required system upgrade, an investigation into suspicious login activity.

4. Credential harvest: Walk the employee through steps that result in credential disclosure — typing their password into a “verification form,” approving an MFA push request framed as “confirming your identity,” or installing a remote access tool described as a “diagnostic utility.”

5. Exfiltration: Once authenticated to the Salesforce org, pull bulk record exports, customer data, deal pipeline information, and internal communications before the intrusion is detected.

The Victims in 2026

The vishing-enabled Salesforce campaign has been linked to multiple major breaches confirmed or attributed in 2026:

Cushman & Wakefield (May 2026): ShinyHunters claimed a vishing attack yielded over 500,000 Salesforce records. When ransom talks failed, 50GB of data was leaked publicly. A second group, Qilin, simultaneously claimed the same company.

Instructure Canvas (May 2026): While not confirmed as a pure vishing attack, ShinyHunters listed Instructure on its extortion portal and claimed 3.65 terabytes of data from 275 million users across 9,000 educational institutions. ShinyHunters displayed ransom messages on Canvas login portals directly.

Carnival Corporation (April 2026): Carnival confirmed “a phishing incident involving a single user account” as the access vector — consistent with the vishing methodology ShinyHunters has used across other targets.

Security researchers tracking the campaign note that the group’s success rate with vishing is significantly higher against organizations that have not implemented phishing-resistant MFA and that do not have a clear employee protocol for verifying IT support requests out-of-band.

Salesforce’s Response: Mandatory Security Controls

Salesforce recognized the threat and responded with a rare proactive enforcement posture. On May 6, 2026, system administrators across the platform received email notifications from Salesforce outlining a new wave of mandatory security controls set to roll out between June and August 2026.

The controls include:

  • Expanded MFA enforcement: Moving from optional to mandatory for all user types, including API integrations
  • Connected app permission restrictions: New limits on OAuth scopes that third-party applications can request, reducing the blast radius if a connected tool is hijacked
  • Bulk export anomaly detection: Platform-level alerts when data export volumes exceed baseline thresholds
  • Session security hardening: Shorter session timeouts, IP-based session binding options, and enhanced login anomaly detection

The timeline — June through August — means organizations remain exposed for months during the transition. Security teams should not wait for Salesforce to enforce these controls: implementing them proactively now reduces exposure immediately.

Why Salesforce Is Such a High-Value Target

Salesforce’s CRM architecture makes it uniquely attractive to data extortionists:

  • Centralized customer data: One credential can expose an entire organization’s customer relationship database — names, contact information, deal history, support tickets, and in some deployments, payment information
  • Third-party connectivity: Salesforce orgs are often connected to dozens of third-party applications through OAuth, creating a broad attack surface beyond the core credential
  • Bulk export functionality: Legitimate Salesforce tools make it easy to export large datasets — the same functionality attackers abuse for rapid exfiltration
  • Enterprise trust model: Employees have been trained to accept that Salesforce may contact them about their account, making spoofed support calls more believable

Defending Against Vishing at the Enterprise Level

No firewall blocks a phone call. Defending against vishing requires a combination of policy, training, and technical controls:

Policy:

  • Establish a strict rule: IT staff and vendors will never ask for passwords or MFA codes by phone
  • Create a published callback process — employees who receive an unexpected IT support call should hang up and call the official IT helpdesk number directly
  • Require dual approval for any bulk data export from Salesforce above a defined threshold

Training:

  • Run vishing simulations — not just phishing email simulations — so employees recognize the social engineering script in a voice call
  • Train specifically on the Salesforce support impersonation scenario, since it is now a documented, active threat
  • Reward employees who report suspicious calls through official channels

Technical controls:

  • Implement phishing-resistant MFA (FIDO2/WebAuthn hardware keys or passkeys) — these cannot be approved by an employee on a phone call
  • Enable Salesforce Event Monitoring for bulk data exports and off-hours access patterns
  • Audit all connected apps quarterly and revoke any OAuth connections that cannot be positively verified
  • Implement Salesforce Shield for data encryption at rest and field-level audit logs on sensitive objects
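The two monitoring controls above (the platform-level bulk-export anomaly alerting Salesforce is rolling out, and Event Monitoring for exports and off-hours access) can be prototyped locally before the vendor controls land. The following Python is an added example written for this article; it is not code from the article, from ShinyHunters' victims, or from Salesforce. It parses a constructed, simplified CSV in the spirit of Salesforce EventLogFile rows (real event logs carry many more columns; the column names, the event-type set, the row threshold, the one-hour window and the 08:00 to 18:00 UTC business hours are all assumptions to tune against your own measured baseline) and raises an alert when one user's exported rows in a sliding window cross the threshold, or when any export happens outside business hours. It goes slightly beyond the bullet text by suppressing repeat bulk alerts for the same user within one window, so a single exfiltration burst produces one ticket rather than one per API call.

```python
"""Detection sketch: bulk-export volume and off-hours export alerts.

Added example, not the article's or Salesforce's code. Input is a
constructed, simplified EventLogFile-style CSV; column names and event
types are assumptions kept to the minimum the detection needs.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). TIMESTAMP is ISO-8601 UTC.
# User 005B2 exports ~560k rows late at night; the others are routine.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROWS_PROCESSED
Login,2026-05-06T09:02:11Z,005A1,203.0.113.10,0
ReportExport,2026-05-06T09:15:40Z,005A1,203.0.113.10,1200
ReportExport,2026-05-06T14:20:05Z,005A1,203.0.113.10,900
Login,2026-05-06T23:41:02Z,005B2,198.51.100.77,0
BulkApi,2026-05-06T23:45:13Z,005B2,198.51.100.77,250000
BulkApi,2026-05-06T23:52:48Z,005B2,198.51.100.77,310000
ReportExport,2026-05-07T10:05:00Z,005C3,203.0.113.22,3000
"""

EXPORT_EVENTS = {"ReportExport", "BulkApi"}   # assumed export-bearing event types
ROW_THRESHOLD = 100_000                        # assumed: rows per user per window
WINDOW = timedelta(hours=1)                    # assumed sliding window
BUSINESS_HOURS_UTC = (8, 18)                   # assumed: 08:00 inclusive to 18:00 exclusive


def parse_events(text):
    """Parse the simplified CSV into typed dicts, sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "type": row["EVENT_TYPE"],
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["USER_ID"],
            "ip": row["CLIENT_IP"],
            "rows": int(row["ROWS_PROCESSED"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_off_hours(ts):
    """True when the hour falls outside the assumed business-hours range."""
    start, end = BUSINESS_HOURS_UTC
    return not (start <= ts.hour < end)


def detect(events, row_threshold=ROW_THRESHOLD, window=WINDOW):
    """Return (rule, user, detail) alerts for export events.

    'off_hours_export': any export event outside business hours.
    'bulk_export': a user's rows within the sliding window exceed the
    threshold; re-fires for that user only after a full window has passed.
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, rows)] inside the window
    suppressed_until = {}        # user -> time until which bulk alerts are muted
    for e in events:
        if e["type"] not in EXPORT_EVENTS:
            continue
        if is_off_hours(e["ts"]):
            alerts.append(("off_hours_export", e["user"],
                           f"{e['type']} of {e['rows']} rows at "
                           f"{e['ts'].isoformat()} from {e['ip']}"))
        # Evict entries older than the window, then add the current event.
        bucket = recent[e["user"]]
        bucket[:] = [(ts, r) for ts, r in bucket if e["ts"] - ts <= window]
        bucket.append((e["ts"], e["rows"]))
        total = sum(r for _, r in bucket)
        muted = e["ts"] < suppressed_until.get(e["user"], e["ts"])
        if total > row_threshold and not muted:
            alerts.append(("bulk_export", e["user"],
                           f"{total} rows exported within {window} "
                           f"(threshold {row_threshold})"))
            suppressed_until[e["user"]] = e["ts"] + window
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] user={user}: {detail}")
```

On the sample data this yields three alerts, all for user 005B2: two off-hours exports and one bulk-export alert (the second 310,000-row call is folded into the first alert by the suppression window). Lowering `row_threshold` to 1,000 also flags the 1,200-row and 3,000-row report exports, which is the kind of false-positive rate you would measure before choosing a production threshold. In a real deployment the CSV would come from the EventLogFile objects Event Monitoring exposes, and the thresholds would be derived from a few weeks of per-user export history rather than the constants here.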

The Bigger Threat Picture

ShinyHunters’ vishing campaign illustrates a fundamental tension in enterprise security: technical defenses have matured to the point where the human layer is now the most reliable attack vector. Patching this vulnerability requires behavioral change at scale — a harder problem than deploying a software update.

As organizations accelerate cloud adoption and centralize operations in platforms like Salesforce, the value of a single compromised credential continues to rise. A phishing-resistant MFA credential that cannot be approved over the phone is no longer optional for any enterprise with Salesforce data worth protecting.

The campaign will continue. The phone will ring again.