ShinyHunters and Scattered Spider Linked to Farmers Insurance Data Breach

Farmers Insurance reports a breach affecting 1.1 million customers. Learn how the attack, linked to groups ShinyHunters and Scattered Spider, is part of a wider trend impacting companies via Salesforce.

Farmers Insurance has disclosed a significant data breach that impacted more than 1.1 million customers. The company confirmed that a third-party vendor was the target of a cyberattack, which resulted in the theft of sensitive personal information. Although the vendor’s name wasn’t released, several reports are connecting this incident to a larger series of cyberattacks against companies using the Salesforce customer relationship management platform.

Current status of the company’s website (Image credit: Hackread.com)

Farmers Insurance, a part of the Zurich Insurance Group, first learned of the unauthorized access on May 30, 2025, when the vendor detected suspicious activity. The compromised data included names, addresses, dates of birth, driver’s license numbers, and in some cases, the last four digits of Social Security numbers.

The breach is reported to have affected around 1,111,386 people across 10 states, including California, Washington D.C., Iowa, Maryland, Massachusetts, New York, New Mexico, North Carolina, Oregon, and Rhode Island. After an investigation, the company began sending notifications to affected individuals on August 22, 2025, and is offering two years of identity theft protection services at no cost.

This incident is part of a series of cyberattacks that have recently targeted the insurance industry and other businesses. Multiple outlets have linked the breach to a broad social engineering campaign related to Salesforce. This type of attack often involves hackers using deceptive phone calls, or “vishing,” to trick employees into giving them unauthorized access.

Cybersecurity firms, including Google’s Mandiant, have attributed some of the recent attacks on the insurance sector to a group known as Scattered Spider. However, the cybercrime group ShinyHunters has also claimed responsibility for the data theft, stating that they and Scattered Spider work together. These groups have reportedly been linked to several major incidents that have affected well-known companies in various industries, including Cisco and Allianz Life.

According to the group, Scattered Spider provides the initial access to a company’s systems, while ShinyHunters handles the exfiltration of stolen data and extortion demands. This trend is not isolated to the insurance sector.

The luxury brand Chanel recently announced that its own US database, which was part of a Salesforce environment, was breached. Google also recently confirmed that one of its internal databases, which also used Salesforce, was breached by ShinyHunters in June.

These incidents emphasise the growing security concerns for all businesses that use the Salesforce platform and are targeted by these sophisticated social engineering tactics.

“With the supply chain now a growing target for cybercriminals, organizations that provide services to large enterprises – and handle regulated sensitive data on their behalf – must ensure appropriate security controls are in place to protect that data from threats,“ said Piyush Pandey, CEO at Pathlock.

“One of the key elements to address this is to implement robust access governance, including the ability to detect unauthorized access in real time – so that malicious activity can be identified and shut down before any data is exfiltrated,“ he advised.