The threat group known as ShinyHunters has issued what it calls a final warning to Cisco (Cisco Systems, Inc.), setting a deadline of April 3, 2026, before it begins leaking data it claims to have stolen. The message appeared on the group’s dark web leak site, where it has already been publishing data linked to earlier Salesforce-related incidents affecting companies worldwide.
According to the post, the group claims access to data from three separate breach paths, identified as UNC6040, Salesforce Aura, and compromised AWS accounts. In total, it alleges more than three million Salesforce records were taken, along with personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data.
The group has described the warning as final and warns Cisco to make contact before the stated deadline, adding that failure to do so will lead not only to data leaks but also unspecified “digital problems.”
It is worth noting that the latest threat comes just days after the same group leaked 350GB of European Commission data described as a mix of mail server dumps, database exports, internal documents, and contracts.
UNC6040 Reference
Google Threat Intelligence Group (GTIG) designated the ShinyHunters group as UNC6040 in August 2025. The reference to UNC6040 is also particularly relevant here because Cisco also published details about a campaign involving voice phishing, or vishing, that targeted employees to gain access to internal systems and customer data.
By linking its claims to that campaign, the ShinyHunters group has not only acknowledged its involvement but also suggested that at least part of the alleged Cisco data may have originated from social engineering attacks rather than only Salesforce-related attacks.
Leaked Samples Suggest Access to AWS Environment
The group has shared three images to show the legitimacy of their claims. As seen by Hackread.com, these images appear to show access to parts of an AWS environment allegedly associated with Cisco, including an organizational dashboard, storage volumes, and bucket listings.
While these screenshots do not contain sensitive data, they point to visibility across cloud infrastructure rather than a single isolated system. The presence of an organization-level view is notable, as it usually indicates access to multiple linked accounts and services under centralized control.
ShinyHunters and Salesforce Breach
Over the past year, ShinyHunters has repeatedly claimed access to Salesforce-related data across multiple organizations, often publishing samples to support its claims. In several cases, the group pointed to misconfigurations, compromised credentials, or third-party integrations as entry points, rather than flaws within Salesforce itself.
Earlier incidents linked to the group followed a similar pattern in which Data was first listed on leak sites with limited detail, then published full dumps when companies did not engage. Those leaks included customer records, internal communications, and operational data pulled from connected systems.
Some of the companies named in Salesforce-related data breaches included
and many more…
With the April 3 deadline approaching, the accuracy of these claims can only be verified by Cisco. Hackread.com has reached out to the company for comment, and this article will be updated as soon as a response is received.
