Cisco grapples with new ShinyHunters leak claim

Cisco is facing a fresh cybersecurity test after the extortion group ShinyHunters claimed it had obtained a large cache of company data, raising questions over whether an earlier compromise tied to voice phishing may have widened into a more damaging exposure. Cisco has not publicly verified the full scope of the material described by the hackers, but the allegation has revived scrutiny of how major technology groups are defending cloud software, customer relationship systems and developer environments against social-engineering attacks.

The new claim, circulated through cybercrime-focused reporting on 1 April, alleges the theft of millions of Salesforce records alongside GitHub repositories, Amazon Web Services assets and internal company data. Those assertions remain unverified by independent public evidence at the time of writing, and that distinction matters. In cyber extortion cases, threat actors often inflate the volume or sensitivity of what they hold in order to pressure victims into paying, delay public disclosure or create reputational shock before forensic work is complete.

What is established is that Cisco disclosed on 1 August 2025 that it had been hit by a voice-phishing attack involving a third-party CRM system. Cisco said the incident began on 24 July 2025 when an attacker targeted a company representative through a vishing campaign and gained access to data stored in that cloud-based CRM environment. The company said the exposed information related mainly to user profile data for people registered on Cisco.com, including names, organisation details, addresses, email addresses, account IDs, usernames and other business-related information. Cisco also said there was no evidence that passwords, financial information or highly sensitive corporate or customer data had been compromised in that event.

That earlier disclosure is central to understanding the present controversy because it fits a broader pattern identified by Google’s Threat Intelligence team. In June 2025, Google warned that a cluster it tracks as UNC6040 was using voice phishing to impersonate IT support staff, trick employees into authorising a modified version of Salesforce Data Loader, and then export data from Salesforce instances for theft and extortion. Google said some victims later received ransom demands from an actor claiming affiliation with ShinyHunters, suggesting a division between the initial intrusion activity and the monetisation phase. In September 2025, Google added that extortion sometimes emerged months after the original breach, underscoring how attacks on SaaS systems can unfold over a prolonged timeline rather than as a single discrete incident.

That sequence gives Cisco’s case broader significance than a single company dispute with hackers on a dark-web forum. It points to a growing problem in which attackers are bypassing conventional perimeter defences by manipulating people, abusing trusted cloud applications and then turning stolen data into leverage. The risk is not confined to one vendor or one industry. Google and Cisco both disclosed CRM-related incidents last year, while Reuters reported on 12 March 2026 that Telus was investigating unauthorised access to some of its systems after ShinyHunters told the news agency it had stolen at least 700 terabytes of data. The pattern suggests that threat actors continue to rely on publicity, intimidation and partial disclosures to amplify pressure on targeted companies.

Security researchers have also been warning that the mechanics of voice-enabled phishing are improving. Okta’s threat-intelligence team said in January 2026 that phishing kits were adapting to the scripts used by callers, part of a broader trend in which social engineering is becoming more polished and more difficult for staff to distinguish from legitimate support requests. That evolution increases the chance that a compromise in one SaaS platform can spill into adjacent systems, especially where identities, OAuth permissions and connected third-party tools create multiple paths for lateral access.

For Cisco, the immediate challenge is forensic clarity. The company has already shown a willingness to publish incident summaries when claims surface, as it did after separate breach allegations in October 2024 and the CRM incident in August 2025. What investors, customers and regulators will now want to know is whether the material touted by ShinyHunters is simply a repackaging of data already taken in the 2025 CRM compromise, whether developer resources were also touched, and whether any newly claimed trove contains operationally sensitive information that could affect enterprise customers or partners.