American technology giant Cisco Systems is suspected of a serious cybersecurity incident. A well-known hacking and extortion group, ShinyHunters, claims to have stolen more than 3 million Salesforce records with personal data, GitHub repositories, AWS cloud objects, and other compromised corporate data.
American technology giant Cisco Systems is suspected of a serious cybersecurity incident. A well-known hacking and extortion group, ShinyHunters, claims to have stolen more than 3 million Salesforce records with personal data, GitHub repositories, AWS cloud objects, and other compromised corporate data.
On March 31, the ShinyHunters group demanded a ransom from Cisco Systems. The hackers are threatening the company if their demands are not met by April 3, Cybernews writes .
“In total, over 3 million Salesforce records containing personally identifiable information (PII), GitHub repositories, AWS storage, and other internal corporate data were compromised,” ShinyHunters claims on its darknet victim list page.
According to the report, the leaked data is the result of three separate breaches: voice phishing (vishing) via the UNC6040 group, a vulnerability in Salesforce Aura, and a compromise of AWS accounts. The attackers attached two screenshots to support their claims.
One image shows the AWS EC2 Volumes console with dozens of virtual hard drives in the cloud, many of which likely contain hundreds of gigabytes of data. The screenshot shows a total of 5 pages of the interface, indicating that there are likely over 100 virtual drives.
Some of the disks were created on March 16–17, 2026, indicating recent access to the system by attackers.
Another screenshot shows a list of AWS S3 cloud storages that the hackers say belong to the tech giant. Although the naming format is very similar to Cisco's internal infrastructure, the attackers have not yet provided access to the files themselves.
Neither the attacker's statements nor the screenshots conclusively prove a breach.
At the same time, Bleeping Computer published a report claiming that Cisco was hit by a cyberattack stemming from the recent Trivy supply chain leak. According to the publication, the attackers stole several AWS keys and cloned over 300 GitHub repositories, including the source code for an AI assistant, a security system, and other unreleased AI products.
“Some of the stolen repositories allegedly belong to corporate clients, including banks, business process outsourcing companies, and US government agencies,” writes Bleeping Computer.
The Cybernews research group believes the report refers to the same cyberattack.
One of the three breaches mentioned by ShinyHunters has already been disclosed by Cisco. In an incident last summer, a Cisco representative was targeted by a voice phishing attack, and the attacker “was able to access and export a subset of basic profile information from a single instance of a third-party cloud-based customer relationship management (CRM) system used by Cisco.”
The company claimed at the time that the attackers did not obtain any confidential, official, or other sensitive customer information.
