Allianz Life hit by Salesforce breach—1.1M customers exposed in a social engineering attack by ShinyHunters.

Continue reading
The Allianz Life Insurance Company of North America—the U.S. arm of global financial powerhouse Allianz SE—has become the latest victim in a string of social engineering attacks targeting cloud platforms. On July 16, 2025, attackers tied to the ShinyHunters collective infiltrated a third-party customer relationship management (CRM) platform used by the insurer. By the time the breach was detected and contained the following day, data belonging to most of Allianz’s 1.4 million U.S. customers had been siphoned.
In the weeks since, investigators have pieced together a clearer picture. Roughly 1.1 million unique individuals were affected, though attackers exfiltrated nearly 2.8 million records—a figure inflated by duplicates, partner contacts, and non-customer entries. Even so, the breach ranks among the most significant in the U.S. insurance sector’s history.
Early disclosures were vague, with Allianz confirming only that a “majority” of customers were impacted. Independent researchers quickly identified ShinyHunters, a prolific data-theft and extortion crew that has been active since 2020. Their preferred method is not technical exploitation but the manipulation of human behavior.
Subsequent investigation confirmed that attribution. The Allianz incident mirrors a campaign tracked by Google’s Threat Analysis Group as UNC6040, in which attackers impersonate IT staff or vendors over the phone, tricking employees into approving malicious Salesforce connected apps or installing doctored versions of the Salesforce Data Loader tool. With OAuth tokens secured, criminals gain legitimate high-level access to Salesforce environments and quietly export massive datasets.
Crucially, no Salesforce software vulnerability was exploited. As Salesforce emphasized, this was consent theft through social engineering, not a flaw in the platform.
Analysis of the leaked trove by Have I Been Pwned and BleepingComputer revealed a wealth of sensitive personal data:
Although Allianz clarified that only about 1.1 million unique individuals were exposed, the data is rich enough to fuel widespread identity theft, targeted phishing, and financial fraud.
The Allianz breach is part of a wider 2025 campaign exploiting Salesforce trust relationships rather than corporate networks themselves. Other victims include Pearson, Google, LVMH, and the Internet Archive.
For Allianz, the distinction matters: the company’s internal systems were not breached. But its Salesforce-hosted CRM environment contained everything attackers needed to build detailed profiles of customers, policyholders, and advisors. The case underscores the third-party risk problem—even the strongest internal defenses can be undermined by a weak link in the supply chain.
ShinyHunters claimed responsibility, but researchers noted overlaps with Scattered Spider and remnants of Lapsus\$. Whether this was direct collaboration or opportunistic branding remains uncertain. What is clear is the shared playbook: voice phishing, OAuth token abuse, and large-scale exfiltration.
This blurring of lines reflects the evolving cybercrime ecosystem, where attribution is less about neat labels and more about fluid alliances and shared tactics.
To its credit, Allianz acted quickly once the breach was discovered. Within 24 hours, it contained the intrusion, notified the FBI and relevant state attorneys general, and began customer notifications.
The insurer is offering 24 months of identity protection and credit monitoring through Kroll. While some argue that two years is insufficient given the permanence of Social Security numbers, it aligns with regulatory expectations.
The Allianz incident reinforces a hard truth: modern cyberattacks increasingly target people, not systems. Firewalls and intrusion detection systems can’t defend against an employee pressured into approving a malicious app or clicking “allow” under the guise of IT support.

Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.