The US insurer Allianz Life was the target of a cyberattack in mid-July. Unknown attackers have now published sensitive data from around 2.8 million records containing information on customers and business partners.
The hacker group ShinyHunters, which is already known for numerous attacks on companies worldwide, is presumably behind the attack.
Data leak via Salesforce systems
The attack dates back to July 16. According to Allianz Life, the personal data of most of its 1.4 million customers was stolen from a third-party cloud-based CRM system. The company did not officially name the provider, but research by BleepingComputer clearly points to the Salesforce platform.
The published dataset consists of tables from the Salesforce databases “Accounts” and “Contacts”. It includes, among other things:
- Names, addresses and telephone numbers
- Dates of birth and tax identification numbers
- Professional information such as licenses, company affiliation and product approvals
Those affected are not only private clients but also business partners such as asset managers, brokers and financial advisors.
Connection to a series of attacks
The Allianz hack is part of a larger wave of attacks on Salesforce instances. Since the beginning of the year, the perpetrators have allegedly used social engineering to trick employees at various companies into authorizing a malicious OAuth app against their company's Salesforce instance. Once the app was connected, its API access was used to download entire databases, after which extortion attempts followed.
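The pattern described above (an OAuth app newly authorized by a user, followed shortly afterwards by a high-volume pull of whole objects such as Accounts and Contacts) is something a defender can look for in audit telemetry. The following is an added detection example written for this article, not code from Allianz, Salesforce or BleepingComputer. The log lines are constructed, and the simplified event schema (timestamp, user, event kind, app name, rows returned, object) is an assumption of this example rather than Salesforce's actual event log format; the 24-hour window and 100,000-row threshold are likewise assumed tuning values.

```python
"""Flag bulk exports that follow a fresh OAuth connected-app authorization.

Added example for this article. The schema and sample records below are
constructed for illustration and do NOT mirror Salesforce's real event
log format (an assumption of this example).
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)   # assumed: only care about exports soon after authorization
ROW_THRESHOLD = 100_000        # assumed: rows pulled that we consider a bulk export


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # "app_authorized" or "api_query"
    app: str       # connected app that performed / was granted the action
    rows: int = 0  # rows returned by an api_query
    obj: str = ""  # object queried, e.g. Account or Contact


# Constructed sample log (assumed schema):
# <timestamp> <user> <kind> "<app name>" <rows> <object>
SAMPLE_LOG = """\
2025-07-16T09:02:11Z alice@example.com app_authorized "Data Loader Helper" 0 -
2025-07-16T09:05:40Z alice@example.com api_query "Data Loader Helper" 250000 Account
2025-07-16T09:06:02Z alice@example.com api_query "Data Loader Helper" 900000 Contact
2025-07-16T10:15:00Z bob@example.com api_query "Reporting Sync" 1200 Opportunity
2025-07-15T08:00:00Z carol@example.com app_authorized "Reporting Sync" 0 -
2025-07-16T11:00:00Z carol@example.com api_query "Reporting Sync" 800 Account
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, app, rows, obj = shlex.split(line)  # handles quoted app names
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=user, kind=kind, app=app, rows=int(rows), obj=obj,
        ))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_exports(events, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return (user, app) pairs whose app was authorized within `window` of
    pulling at least `threshold` rows in total, with what they pulled."""
    authorized = {}                                   # (user, app) -> authorization time
    totals = defaultdict(lambda: {"rows": 0, "objects": []})
    for e in events:
        key = (e.user, e.app)
        if e.kind == "app_authorized":
            authorized[key] = e.ts
            totals.pop(key, None)                     # start counting afresh
        elif e.kind == "api_query":
            auth_ts = authorized.get(key)
            if auth_ts is None or e.ts - auth_ts > window:
                continue                              # long-standing integration: not this rule's concern
            t = totals[key]
            t["rows"] += e.rows
            t["objects"].append(e.obj)
            t["authorized_at"] = auth_ts
    return {k: v for k, v in totals.items() if v["rows"] >= threshold}


if __name__ == "__main__":
    for (user, app), info in find_suspicious_exports(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} via {app!r}: {info['rows']} rows from "
              f"{', '.join(info['objects'])} within hours of authorization")
```

In the constructed sample only alice's "Data Loader Helper" trips the rule; bob's app was never newly authorized and carol's export happened outside the window. In a real deployment the events would come from the platform's audit and API-usage telemetry rather than this stand-in format, and the thresholds should be set from a baseline of the organisation's own integrations. Also note that the rule only catches the described sequence: a connected app that was pre-approved long ago and later abused would need a different detection.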
The demands were made by email and signed in the name of the ShinyHunters group. This group is already known for attacks on companies such as AT&T and PowerSchool. What is striking, however, is that the current method of attack is more reminiscent of the Scattered Spider group, which is also notorious for clever social engineering and SIM swap attacks.
According to the perpetrators, ShinyHunters and Scattered Spider are now working together. There are also suspected personnel overlaps with the Lapsus$ group, which compromised companies such as Microsoft, Uber and T-Mobile between 2022 and 2023.
Several members of these hacker collectives have been arrested in recent years. It remains unclear whether the same people are behind the current attacks, whether new actors are continuing to use the names or whether false trails are being deliberately laid.
Allianz Life itself told BleepingComputer that no further details can be disclosed at this time due to ongoing investigations.