Hackers hit Cisco: 3M Salesforce records, GitHub repos allegedly stolen


Original Post: https://cybernews.com/security/hackers-blackmail-cisco-over-stolen-salesforce-data/


Ernestas Naprys | Senior Journalist

Published: 1 April 2026


A serious cybersecurity incident is suspected at US tech giant Cisco Systems. ShinyHunters, a notorious criminal hacking and extortion group, claims it has stolen over 3 million Salesforce records containing personal data, GitHub repositories, AWS buckets, and other compromised corporate data.

On March 31st, ShinyHunters posted extortion demands targeting Cisco Systems. The hackers are threatening the company with “several annoying (digital) problems,” unless their demands are met by April 3rd.

“A total of over 3M Salesforce records containing PII (personally identifiable information), Github repositories, AWS buckets, and other internal corporate data have been compromised,” ShinyHunters claims on its victim page on the dark web.

According to the post, the data is combined from three breaches in total: voice phishing (UNC6040), Salesforce Aura, and AWS accounts. The attackers attached two screenshots to support their claims.

What do the hackers claim to have stolen?

One of the images shows the AWS EC2 Volumes console, with dozens of virtual hard drives in the cloud, many of which supposedly contain hundreds of gigabytes of data. The screenshot shows 5 pages in total, suggesting there could be over 100 virtual storage drives.

Some of the drive creation dates are specified as March 16th-17th, 2026, suggesting recent access.

Another screenshot exposes an AWS S3 bucket list, allegedly belonging to Cisco. While naming patterns strongly suggest a Cisco environment, no actual data has been released.

Neither the attacker claims nor the screenshots conclusively prove the breach. Cybernews has reached out to Cisco and will include its response.

Simultaneously, Bleeping Computer released a report claiming that Cisco has suffered a cyberattack stemming from the recent Trivy supply chain compromise. According to the publication, attackers stole multiple AWS keys and cloned over 300 GitHub repositories, including the source code for an AI-powered assistant, defense, and other unreleased AI products.

“A portion of the stolen repositories allegedly belongs to corporate customers, including banks, BPOs, and US government agencies,” Bleeping Computer writes.

The Cybernews research team believes the report concerns the same cyberattack.

“We cannot confirm the ShinyHunters’ claims as they did not upload the data yet, but looking at the sample screenshots, it seems plausible,” our researchers said.

“This incident can be damaging to the company’s customers, and the main risks are confidential data exposure in general. Data from customers would give attackers a foothold to plan further attacks, and the personally identifiable information could be useful for social engineering, fraud, and other scams.”

One of the three breaches cited by ShinyHunters had already been disclosed by Cisco. During the incident last summer, a Cisco representative was targeted with a voice phishing attack, and the attacker “was able to access and export a subset of basic profile information from one instance of a third-party, cloud-based Customer Relationship Management (CRM) system that Cisco uses.”

The company claimed at the time that attackers did not obtain any of the customers’ confidential, proprietary, or other sensitive information.

However, the compromise of Trivy, a popular vulnerability scanner, is recent. On March 19th, a threat actor known as TeamPCP injected malware into “trivy-action,” an automation script developers use to run the scanning engine to check their code for known security vulnerabilities.

This supply chain attack compromised many downstream organizations, including the maintainers of LiteLLM.

If the reported Cisco breach is confirmed, it would signal a collaboration between two high-profile cybercrime organizations, ShinyHunters and TeamPCP.

ShinyHunters has built a reputation for high-impact data theft and extortion operations. The group has been active since 2019.

TeamPCP is a new, financially motivated threat group that first appeared in late 2025, conducting worm-driven campaigns targeting popular open-source repositories.

