Hackers Are Calling Your Employees and Walking Into Your Salesforce. Most Companies Don't Notice for Months.

A criminal group called ShinyHunters has breached Charter, ADT, Cisco, McGraw-Hill, and 1,000+ organizations in 2026 — by phone. Here's how the attack works, why traditional MFA doesn't stop it, and what to fix before Salesforce's new MFA deadline on July 1.

NSI Tech

A criminal group called ShinyHunters has spent 2026 doing something almost retro: calling people on the phone.

In April, they rang a Charter Communications employee, posed as IT, and walked out with a Microsoft login — and with it, access to Charter’s Salesforce and 4.9 million customer records. They’ve used the same playbook against ADT, Cisco, McGraw-Hill, Udemy, and 1,000+ others. Roughly 1.5 billion records total.

No zero-day. No malware. Just a phone call and a helpful employee.

How It Works

Ten minutes, four steps:

  1. The attacker calls, posing as Microsoft or IT.
  2. They walk the employee through entering a device code on a real Microsoft sign-in page.
  3. The employee clicks “Approve”, and the attacker now holds a fully authenticated session without ever facing a password or MFA prompt of their own.
  4. Single sign-on carries them straight into Salesforce, M365, and every connected app.

Traditional MFA doesn’t help. The employee is approving a legitimate login.
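Because the login itself is legitimate, the place to catch it is the sign-in log. The sketch below is an added example, not NSI Tech's tooling: it assumes sign-in records exported with Microsoft Graph signIn field names (device code flow recorded as authenticationProtocol = deviceCode), and the allowlist, the one-hour window, and all sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist: accounts on input-constrained devices that really use device code flow.
DEVICE_CODE_ALLOWLIST = {"signage@example.com"}
FOLLOW_ON_WINDOW = timedelta(hours=1)  # assumed correlation window

def rec(user, ts, proto, ip, app, err=0):
    """Build one constructed record; err=0 means success, any other value a failed sign-in."""
    return {"userPrincipalName": user, "createdDateTime": ts, "authenticationProtocol": proto,
            "ipAddress": ip, "appDisplayName": app, "status": {"errorCode": err}}

# Constructed sample data, not taken from any real tenant.
SAMPLE_SIGNINS = [
    rec("alice@example.com", "2026-01-12T14:02:00Z", "saml20", "198.51.100.10", "Salesforce"),
    rec("alice@example.com", "2026-01-13T09:15:00Z", "deviceCode", "203.0.113.77", "Microsoft Office"),
    rec("alice@example.com", "2026-01-13T09:21:00Z", "saml20", "203.0.113.77", "Salesforce"),
    rec("signage@example.com", "2026-01-13T10:00:00Z", "deviceCode", "198.51.100.20", "Microsoft Teams"),
    rec("bob@example.com", "2026-01-13T11:30:00Z", "deviceCode", "203.0.113.80", "Microsoft Office", err=1),
]

def ts(record):
    """Parse the ISO 8601 timestamp; the Z suffix is rewritten for older Python versions."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))

def device_code_alerts(records):
    """Flag successful device-code sign-ins and list what the same IP reached afterwards."""
    records = sorted(records, key=ts)
    alerts = []
    for i, r in enumerate(records):
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if (r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0
                or user in DEVICE_CODE_ALLOWLIST):
            continue
        # Has this user ever signed in from this address before the device-code event?
        earlier_ips = {p["ipAddress"] for p in records[:i] if p["userPrincipalName"] == user}
        # Apps the same user and IP reached through SSO shortly after the approval.
        follow_on = sorted({n["appDisplayName"] for n in records[i + 1:]
                            if n["userPrincipalName"] == user and n["ipAddress"] == ip
                            and n["status"]["errorCode"] == 0
                            and ts(n) - ts(r) <= FOLLOW_ON_WINDOW})
        alerts.append({"user": user, "time": r["createdDateTime"], "ip": ip,
                       "first_seen_ip": ip not in earlier_ips, "apps_reached": follow_on})
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(alert)
```

A device-code sign-in from a first-seen IP that reaches Salesforce minutes later is the pattern to escalate; a short allowlist keeps the alert volume low enough to review every hit.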

Why Mid-Sized Businesses Are Next

The Fortune 500s are the headlines. The long tail of mid-sized companies is the real target — same Salesforce stack, thinner security staffing, employees who answer the phone. If you run Salesforce and your people pick up unknown calls, you are exposed.

Salesforce Is Forcing a Fix — in Three Weeks

On June 22, phishing-resistant MFA is required for admins in sandboxes. On July 1, the rule goes live in production. Phishing-resistant means FIDO2 keys, Windows Hello, or passkeys — not SMS or push.

What to Do This Week

  • Audit Salesforce admin access. If your admin clicks links in emails, that’s your risk.
  • Replace push/SMS MFA with FIDO2 keys for anyone touching Salesforce. Under $50 per user.
  • Train the front desk to recognize a device code prompt.
  • Lock down Experience Cloud guest users — ShinyHunters’ other favourite door.
  • Restrict the M365 → Salesforce connected app to shrink blast radius.

The Bigger Lesson

Every major breach this year has the same shape: someone logging in with valid credentials. The perimeter didn’t fail. The identity layer did.

NSI Tech hardens that layer — phishing-resistant MFA, Salesforce hardening, and identity monitoring that catches a 3 a.m. login from Texas before anyone notices.

Salesforce’s deadline is July 1. Yours can be earlier. Book a free 30-minute identity review →
