Air France and KLM have confirmed that hackers accessed customer data via a third-party contact-center platform during the week of 28 July 2025, prompting regulator notifications. At the same time, the extortion-oriented ShinyHunters group (UNC6040) is behind recent social-engineering breaches of Salesforce CRM systems at Qantas, Allianz Life, LVMH and others – highlighting the sharp rise in supply-chain and human-centric cyber threats.
- In the week commencing 28 July 2025, Air France and KLM detected unauthorized access to a third-party platform used by their contact centers.
- Exposed data includes names, email addresses, contact information, Flying Blue membership numbers and levels, and service-request email subjects. Critically, no sensitive data (passwords, travel details, passport numbers, payment data, loyalty point balances) was compromised.
- Both airlines have reported the breach to their respective data protection authorities (France’s CNIL and the Netherlands’ AP) and have initiated corrective measures. Affected customers have been directly notified.
Why It Matters
This incident underscores persistent supply-chain vulnerabilities, especially in customer-facing systems managed by third parties. For travelers across the MEA, Europe, and beyond, this serves as a warning of potential phishing risks exploiting even non-sensitive, but contextual, customer data.
Global CRM-Focused Campaign: ShinyHunters Strike Salesforce Users
Confirmed Activity
- On 30 July 2025, Bleeping Computer confirmed that ShinyHunters (UNC6040) was responsible for data thefts from Salesforce CRM systems at Qantas, Allianz Life, LVMH, and Adidas.
- The technique involves voice phishing (vishing): attackers impersonated IT support to coax employees into visiting Salesforce’s connected app setup page, entering a “connection code” that installed a rogue OAuth app (masquerading as “Data Loader” or “My Ticket Portal”).
- Attackers also deployed phishing pages mimicking Okta login portals to capture credentials and MFA tokens.
Extortion-Driven Tactics
- Google’s Threat Intelligence Group (GTIG) attributes these breaches to UNC6040, with subsequent extortion activity tied to UNC6240 using the ShinyHunters name.
- In early June, a Salesforce database at Google was breached, exposing contact information and notes related to SMB customers — though Google stated the data was mostly basic and publicly available.
- Allianz Life confirmed on 16 July 2025 that personal data of a majority of its 1.4 million customers were exposed via a third-party CRM, attributed to social engineering; affected individuals are being offered identity protection and the FBI has been notified.
Expert Insight
“ShinyHunters is exploiting human trust to hijack cloud CRM systems, not platform vulnerabilities,” explains GTIG leadership.
Cyber-threat analysts warn that social engineering remains the Achilles’ heel of even enterprise-grade SaaS platforms.
MEA Perspective & Broader Context
- Though the current breaches primarily impact organizations in Europe, North America, and Oceania, MEA businesses relying on Salesforce CRM or third-party service platforms – common in sectors like aviation and insurance – should take note of emerging threats.
- Regional regulators in GCC and North Africa may soon encounter similar cases, underscoring the need for stringent oversight of vendors and extended due diligence.
Actionable Takeaways for CISOs & Security Leaders
- Review and harden connected-app configurations in SaaS platforms to minimize abuse via OAuth.
- Implement strict identity-verification protocols before staff act on IT support calls or access sensitive setup pages.
- Enable and monitor MFA and apply the principle of least privilege for SaaS and contact-center integrations.
- Conduct phishing and vishing awareness training, especially targeting customer-service and helpdesk teams.
- Audit third-party contact-center and CRM vendors, ensuring incident response plans include vendor systems.
- Establish Zero Trust practices for external-facing service systems across operations.
- Offer breach-response tools to affected users (e.g., identity monitoring), as done by Allianz Life.
- Prepare for phishing scams—attacks could leverage exposed contextual data.
- Coordinate with regulators proactively for cross-border data protection compliance.
- Review and tighten supply-chain security to reduce exposure through external service providers.
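The rogue connected-app technique and the takeaway on hardening connected-app configurations, shown as an added example that is not from the article or any vendor: a Python audit of a constructed authorization export that allowlists apps by client ID rather than by display name. The CSV columns, client IDs, users and scope labels are assumptions for illustration.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed sample export of connected-app authorizations. Column names,
# client IDs and users are assumptions for this example, not a vendor schema.
SAMPLE_EXPORT = """app_name,client_id,authorized_by,scopes
Data Loader,APPROVED-DATALOADER-ID,integration.svc,api
Data Loader,UNKNOWN-ID-0001,j.doe,api refresh_token full
My Ticket Portal,UNKNOWN-ID-0002,a.smith,api refresh_token
Expense Sync,APPROVED-EXPENSE-ID,finance.svc,api
Data L0ader,UNKNOWN-ID-0003,b.lee,full
"""

# Allowlist keyed by client ID, because the display name is chosen by whoever
# registers the app and proves nothing about its origin.
APPROVED = {"APPROVED-DATALOADER-ID": "Data Loader",
            "APPROVED-EXPENSE-ID": "Expense Sync"}
# Display names the article says the rogue apps used.
WATCH_NAMES = ["Data Loader", "My Ticket Portal"]
BROAD_SCOPES = {"full", "refresh_token"}  # assumed scope labels worth review


def normalize(name):
    return "".join(ch for ch in name.lower() if ch.isalnum())


def resembles(name, target, threshold=0.85):
    """True when two display names are equal or near-equal after normalizing."""
    ratio = SequenceMatcher(None, normalize(name), normalize(target)).ratio()
    return ratio >= threshold


def audit(export_text):
    """Return (client_id, app_name, reasons) for every app not on the allowlist."""
    findings = []
    known_names = WATCH_NAMES + list(APPROVED.values())
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["client_id"] in APPROVED:
            continue
        reasons = ["client_id not on allowlist"]
        match = next((n for n in known_names if resembles(row["app_name"], n)), None)
        if match:
            reasons.append(f"name resembles '{match}'")
        broad = sorted(BROAD_SCOPES & set(row["scopes"].split()))
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        findings.append((row["client_id"], row["app_name"], reasons))
    return findings
```

Calling `audit(SAMPLE_EXPORT)` flags the three unapproved rows, including the one that reuses the exact name of an approved app under a different client ID.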
Conclusion
These incidents mark a turning point: cyber adversaries increasingly combine social engineering with supply-chain compromise to bypass advanced tech defenses. From Air France-KLM’s third-party leak to ShinyHunters’ Salesforce-powered extortions, the message is clear — the perimeter has shifted. Organizations must reinforce human and vendor risk controls to safeguard critical data assets and customer trust.
Sources
- Air France & KLM third-party breach – ITPro, Cybernews, TechRadar (Jul–Aug 2025)
- ShinyHunters Salesforce campaign – Bleeping Computer, National CIO Review, TrueSec (Jul 2025)
- Google Salesforce breach – TechRadar, Axios, Techworm (Aug 2025)
- Allianz Life breach – TechRadar, ITPro, Bleeping Computer (Jul 2025)