ShinyHunters, one of the more prolific cybercrime groups operating today, is claiming to have stolen over three million Salesforce records in a Cisco Systems data breach.
Earlier this week, the group posted extortion demands on its dark web victim page, reporting that it had stolen over three million Salesforce records.
The records in the data breach contained personally identifiable information (PII), alongside GitHub repositories, AWS buckets, and other internal corporate data.
Cisco has until April 3rd to comply, or face what the hackers describe as “several annoying (digital) problems.”
The data is said to have been obtained via three separate breaches:
- A voice phishing (vishing) attack attributed to UNC6040
- An exploit of Salesforce Aura
- Unauthorized access to AWS accounts
But the customer relationship management angle here is what should be catching the eye of CX leaders, because the story doesn’t start in March 2026.
You can find out more about how security and compliance is impacting the customer service and CX space here.
This Breach Has Been Building
This breach has been building since last summer, with Cisco itself disclosing a vishing incident back in August 2025.
In its official advisory, the company confirmed:
“The actor was able to access and export a subset of basic profile information from one instance of a third-party, cloud-based Customer Relationship Management (CRM) system that Cisco uses.”
The data involved included names, organization names, addresses, email addresses, phone numbers, and account metadata for individuals who had registered on Cisco.com.
At the time, Cisco maintained that no customer confidential or proprietary information had been obtained – a position it stood by as recently as October 2025, stating it had “not seen any evidence that the actor obtained any information beyond what we initially assessed.”
ShinyHunters, it seems, tells a different story. And while neither the screenshots attached to the extortion post nor the broader claims have been independently verified, the Cybernews research team noted that the screenshots look “plausible”, and that the implications for customers could be serious:
“This incident can be damaging to the company’s customers, and the main risks are confidential data exposure in general.
“Data from customers would give attackers a foothold to plan further attacks, and the personally identifiable information could be useful for social engineering, fraud, and other scams.”
How the Attack Unfolded
The situation has since taken a further turn. A parallel Bleeping Computer investigation found that Cisco had also been caught up in the recent Trivy supply chain attack, in which credentials stolen from the company’s development environment were used to clone over 300 GitHub repositories.
Some of those repositories reportedly belong to Cisco’s own corporate customers, including banks, BPOs, and US government agencies.
The involvement of a second threat actor, TeamPCP, suggests this is not a clean or contained incident, and the downstream fallout could stretch well beyond Cisco’s own infrastructure.
For the contact center, it is the vishing entry point that is of particular importance.
The original breach began with a bad actor targeting a Cisco employee over the phone.
That methodology will be familiar to anyone who has worked in customer service. Indeed, social engineering over voice channels is a persistent threat, and it only takes one successful call.
Basic profile data – including names, email addresses, and phone numbers – is exactly what attackers need to run convincing follow-on scams, and at scale, three million records can do a lot of damage.
What This Means for CX
The breach also puts CRM security back in the spotlight in a way that should prompt some honest internal conversations.
When a company the size of Cisco can have its CRM accessed through a single vishing attack, the question of how well-protected your own CRM environment really is deserves a serious answer.
With the April 3rd deadline looming, whether the company paid up, pushed back, or simply waited the group out remains unclear.
But for the CX industry, the more uncomfortable question is whether your customers’ data would survive the same kind of pressure test.
One of Many
While this Cisco breach is the latest high-profile hack to hit the customer service and CX space, there are plenty of others to keep it company – outlining just how regular and impactful these attacks are becoming.
Below are 9 breaches that have occurred in the last six months:
