
ShinyHunters Salesforce Heist Threatens Saudi Bank SaaS Security

The ShinyHunters extortion group has exfiltrated 1.5 billion records from 760 Salesforce tenants through OAuth abuse and vishing—exposing critical TPRM gaps for Saudi SAMA-regulated financial institutions.

FyntraLink Team

The extortion crew known as ShinyHunters has quietly executed one of the largest SaaS data heists in history—approximately 1.5 billion Salesforce records pulled from 760 corporate tenants. For Saudi SAMA-regulated banks that have aggressively migrated CRM, customer onboarding, and complaints workflows to Salesforce and similar platforms, this campaign is not a foreign headline. It is a direct test of every Third Party Risk Management (TPRM) control mandated by SAMA CSCC 4.1 and NCA ECC-2:2024.

Anatomy of the ShinyHunters Salesforce Campaign

Throughout 2026, ShinyHunters (tracked by Google Threat Intelligence as UNC6040 and UNC6395) layered three distinct techniques to harvest Salesforce data at scale. The first wave abused OAuth refresh tokens issued to a third-party Salesforce integration, Salesloft Drift, that had been granted broad api and refresh_token scopes across hundreds of customer orgs. When the integrator was compromised, those long-lived tokens became a master key. The second wave used voice phishing (vishing) against helpdesks and sales reps, walking victims through fake Okta or Microsoft sign-in pages to capture SSO credentials and MFA push approvals. The third wave weaponized a modified AuraInspector script against Salesforce Experience Cloud sites with misconfigured guest access, scraping public-facing community portals for customer PII.

Why This Matters Beyond Salesforce

The technical pattern is the real story. None of these attacks exploited a vulnerability in the Salesforce platform itself. ShinyHunters never broke Salesforce—they broke trust boundaries around it: an integrator, an SSO flow, a misconfigured guest profile. The same attack surface exists across every SaaS platform a Saudi bank consumes—ServiceNow, Workday, Jira Cloud, Microsoft 365, and dozens of niche fintech APIs. Confirmed 2026 victims already include ADT, Cisco, Chanel, Kemper Corporation, Allianz Life, and reportedly Ameriprise Financial—where 200 GB of compressed SharePoint data and PII-bearing Salesforce records were allegedly exfiltrated.

Impact on Saudi Financial Institutions

SAMA Cyber Security Framework v1.0 explicitly extends accountability to outsourced and SaaS-hosted data under domains 3.3.14 (Cyber Security and Third Party) and 3.3.15 (Cloud Computing). NCA ECC-2:2024 control 4-1-3 requires organizations to enforce least-privilege OAuth scopes and continuously monitor third-party connected applications. PDPL Article 19 mandates that controllers ensure processors—including SaaS vendors and integrators—apply technical safeguards equivalent to the controller's own. A Saudi bank whose Salesforce tenant is breached through a compromised Salesloft-style integrator will not be able to argue that the breach belonged to the vendor; SAMA will hold the licensed entity accountable, and the regulatory exposure compounds with PDPL data subject notification timelines and potential PCI-DSS scope creep if cardholder data flowed through the CRM.

Practical Hardening Steps for SAMA-Regulated Banks

  1. Inventory every Connected App in Salesforce. Run SELECT Id, Name, OptionsRefreshTokenValidityFollowsOAuthPolicy FROM ConnectedApplication via the Tooling API. Disable any app you cannot map to a current vendor, owner, and contract.
  2. Revoke long-lived refresh tokens. Force token rotation on a 24-hour window for high-risk integrations, and require IP allowlisting on the Connected App profile policy. ShinyHunters relies on tokens that outlive the original session.
  3. Lock down Experience Cloud guest profiles. Audit every Guest User profile object permission—especially Account, Contact, Opportunity, and any custom object holding KYC data. Default to Internal Read Only sharing for the guest user.
  4. Deploy SaaS Security Posture Management (SSPM). Tools like Obsidian, AppOmni, or Adaptive Shield surface OAuth grants, dormant admins, and abnormal API call volumes—telemetry your SOC will not get from Salesforce Event Monitoring alone.
  5. Re-train the helpdesk against vishing. In ShinyHunters' 2026 playbook, the caller phones IT while impersonating a panicked executive. Mandate a callback to a verified internal number before any password reset, MFA bypass, or device re-enrollment.
  6. Map SaaS data flows to PCI-DSS scope. If Salesforce stores any PAN, even in a free-text complaint field, the entire org becomes in-scope for PCI-DSS v4.0.1 controls 3.4 and 3.5—a finding examiners now actively hunt.
  7. Update incident response playbooks. SAMA expects breach notification within hours. Your IR runbook must include a SaaS-specific branch: API audit logs, OAuth token revocation, and coordinated communication with the platform vendor's CSIRT.
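Steps 1 and 2 above come down to a triage rule a SOC can script: every Connected App grant is checked against the vendor/contract inventory, the breadth of its OAuth scopes, the age of its refresh token, and whether an IP allowlist is enforced. The following is an added example written for this article, not Fyntralink or Salesforce code; the grant records are constructed, and the field names (app, scopes, issued, ip_restricted) and the APPROVED_VENDORS inventory are assumptions standing in for whatever your Tooling API export and TPRM register actually provide.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time for the sample; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)

# Assumed TPRM register: Connected App name -> vendor and contract (constructed values).
APPROVED_VENDORS = {
    "Drift CRM Sync": "Salesloft (contract TPRM-0142)",
    "Identity Verification SSO": "Internal IAM team",
}

# OAuth scopes that grant broad, long-lived access and should be justified per app.
BROAD_SCOPES = {"full", "api", "refresh_token", "web"}

# Constructed sample grants shaped like a Connected App / token inventory export.
GRANTS = [
    {"app": "Drift CRM Sync", "scopes": ["api", "refresh_token"],
     "issued": NOW - timedelta(days=40), "ip_restricted": False},
    {"app": "Legacy Marketing Tool", "scopes": ["full", "refresh_token"],
     "issued": NOW - timedelta(days=200), "ip_restricted": False},
    {"app": "Identity Verification SSO", "scopes": ["openid", "id"],
     "issued": NOW - timedelta(hours=2), "ip_restricted": True},
]


def triage(grants, approved, now=NOW, max_token_age=timedelta(hours=24)):
    """Return one finding per grant that violates any of the hardening rules."""
    findings = []
    for g in grants:
        reasons = []
        if g["app"] not in approved:          # step 1: no owner/contract mapping
            reasons.append("not mapped to a current vendor, owner, and contract: disable")
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        if broad:                             # NCA ECC 4-1-3: least-privilege scopes
            reasons.append(f"broad OAuth scopes {broad}: justify or narrow")
        if now - g["issued"] > max_token_age:  # step 2: token outlives the 24h window
            reasons.append("refresh token older than 24h: force rotation")
        if not g["ip_restricted"]:            # step 2: Connected App profile policy
            reasons.append("no IP allowlist enforced on the Connected App")
        if reasons:
            findings.append({"app": g["app"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(GRANTS, APPROVED_VENDORS):
        print(finding["app"])
        for reason in finding["reasons"]:
            print("  -", reason)
```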

Conclusion

ShinyHunters did not invent a new exploit—they industrialized the operational gaps that exist between regulated banks and the SaaS platforms holding their crown jewels. For Saudi CISOs, the campaign is a compliance event as much as a security one: SAMA CSCC, NCA ECC, and PDPL all demand demonstrable governance over third-party data processors, and a 1.5-billion-record breach is precisely the scenario these frameworks were written to prevent. The institutions that emerge unscathed will be the ones that treat their CRM tenant as Tier-1 infrastructure rather than a sales tool.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on SaaS, OAuth, and TPRM controls.