ShinyHunters Hackers Claim Theft of 3M+ Cisco Records, Threaten Public Leak
ShinyHunters claims theft of 3M+ Cisco records via Salesforce and AWS, threatens April 3 leak.
Summary
The threat group ShinyHunters has claimed a major breach of Cisco affecting over 3 million records stolen through compromised Salesforce and AWS environments, along with personally identifiable information, GitHub repositories, and internal corporate data. The group, designated as UNC6040 by Google, has set an April 3, 2026 deadline and threatened a public data leak and unspecified "digital problems" if demands are not met. ShinyHunters has published screenshot samples showing access to Cisco's AWS organizational dashboard and infrastructure, linking the compromise to earlier voice phishing (vishing) campaigns targeting employee credentials.
Full text
ShinyHunters hackers claim they stole 3 million+ Cisco records via Salesforce and AWS, warning of a public leak if demands are not met by April 3, 2026.
By Waqas, April 2, 2026
The threat group known as ShinyHunters has issued what it calls a final warning to Cisco (Cisco Systems, Inc.), setting a deadline of April 3, 2026, before it begins leaking data it claims to have stolen. The message appeared on the group's dark web leak site, where it has already been publishing data linked to earlier Salesforce-related incidents affecting companies worldwide.
According to the post, the group claims access to data from three separate breach paths, identified as UNC6040, Salesforce Aura, and compromised AWS accounts. In total, it alleges more than three million Salesforce records were taken, along with personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data.
The group has described the warning as final and warns Cisco to make contact before the stated deadline, adding that failure to do so will lead not only to data leaks but also unspecified "digital problems."
[Image: ShinyHunters hackers claiming the Cisco data breach on their dark web leak site. Image credit: Hackread.com]
It is worth noting that the latest threat comes just days after the same group leaked 350GB of European Commission data described as a mix of mail server dumps, database exports, internal documents, and contracts.
UNC6040 Reference
Google Threat Intelligence Group (GTIG) designated the ShinyHunters group as UNC6040 in August 2025. The reference to UNC6040 is particularly relevant here because Cisco also published details about a campaign involving voice phishing, or vishing, that targeted employees to gain access to internal systems and customer data.
By linking its claims to that campaign, the ShinyHunters group has not only acknowledged its involvement but also suggested that at least part of the alleged Cisco data may have originated from social engineering attacks rather than only Salesforce-related attacks.
Leaked Samples Suggest Access to AWS Environment
The group has shared three images to show the legitimacy of its claims. As seen by Hackread.com, these images appear to show access to parts of an AWS environment allegedly associated with Cisco, including an organizational dashboard, storage volumes, and bucket listings.
While these screenshots do not contain sensitive data, they point to visibility across cloud infrastructure rather than a single isolated system. The presence of an organization-level view is notable, as it usually indicates access to multiple linked accounts and services under centralized control.
[Image: One of the screenshots published by ShinyHunters. The image has been redacted by Hackread.com for security and privacy reasons.]
ShinyHunters and Salesforce Breach
Over the past year, ShinyHunters has repeatedly claimed access to Salesforce-related data across multiple organizations, often publishing samples to support its claims. In several cases, the group pointed to misconfigurations, compromised credentials, or third-party integrations as entry points, rather than flaws within Salesforce itself.
Earlier incidents linked to the group followed a similar pattern in which data was first listed on leak sites with limited detail, then published as full dumps when companies did not engage. Those leaks included customer records, internal communications, and operational data pulled from connected systems.
Some of the companies named in Salesforce-related data breaches included Odido, Telus Digital, Farmers Insurance, SoundCloud, Crunchbase, GAP, Qantas, Vietnam Airlines, Gucci, Balenciaga, Alexander McQueen and many more…
With the April 3 deadline approaching, the accuracy of these claims can only be verified by Cisco. Hackread.com has reached out to the company for comment, and this article will be updated as soon as a response is received.
Indicators of Compromise
- malware — UNC6040