ShinyHunters claims data theft targeting Cisco

3M Salesforce records, GitHub repositories, AWS S3 buckets, and other corporate data alleged

  • Group posted extortion demands on March 31, threatening “several annoying (digital) problems” unless paid by April 3.

A serious cybersecurity incident is suspected at US tech giant Cisco Systems after the criminal hacking group ShinyHunters claimed to have stolen more than three million Salesforce records containing personally identifiable information (PII), alongside internal GitHub repositories, AWS S3 buckets, and other corporate data.

The group posted extortion demands on March 31, threatening “several annoying (digital) problems” unless paid by April 3.

ShinyHunters shared screenshots to support its claims: one depicting the AWS EC2 Volumes console showing dozens of virtual storage drives with some creation dates listed as March 16–17, 2026, and another listing purported Cisco S3 buckets. While naming patterns suggest a Cisco environment, no public data dump has been verified as of publication.

Three breaches

The group says the trove stems from three breaches: voice phishing (UNC6040), Salesforce Aura, and AWS accounts. One cited vector echoes a previously disclosed incident in which a Cisco representative was targeted with voice phishing, enabling access to and export of a subset of basic profile information from a third-party cloud CRM.

At the time, Cisco said no confidential or sensitive customer data was obtained.


The claim surfaces amid a recent supply-chain compromise of Trivy, a popular vulnerability scanner. On March 19, threat actor TeamPCP injected malware into the “trivy-action” GitHub workflow, affecting downstream users. Some industry reports are probing whether there is any link between that incident and potential Cisco exposure, but no confirmed operational tie between ShinyHunters and TeamPCP has been established as of now.

ShinyHunters, active since 2019, has a track record of high-impact data theft and extortion campaigns, while TeamPCP emerged in late 2025, focusing on worm-driven operations against open-source repositories.

Cisco has not publicly confirmed the new claims. No evidence of a broad data release was immediately available, and verification efforts are ongoing.

