Cisco Confirms Data Exposure After Social Engineering Attack

In July 2025, Cisco experienced a security breach involving a vishing attack that successfully targeted an internal employee. The breach led to unauthorized access and data exfiltration from a third-party cloud-based CRM platform, impacting user accounts on Cisco.com. While no critical infrastructure or sensitive enterprise data was accessed, the incident highlights the persistent risks posed by social engineering and third-party service dependencies.

Severity Level: High

Incident Overview

  • Incident Type: Voice phishing (vishing)
  • Date Discovered: July 24, 2025
  • Targeted System: One instance of a cloud-based Customer Relationship Management (CRM) system (likely Salesforce)
  • Response Actions from Cisco:
    • Immediate termination of threat actor access
    • Internal investigation launched
    • Authorities and affected users notified
    • Security awareness re-training for staff

How The Breach Happened

A Cisco employee was socially engineered via a vishing attack, allowing the attacker to gain access credentials or session-based access to a third-party CRM system. This method allowed the adversary to:

  • Log in to a CRM instance used by Cisco
  • Search and export user profile data
  • Avoid triggering traditional malware or endpoint security alerts

The attacker did not exploit a technical vulnerability but instead leveraged human manipulation tactics (vishing) to infiltrate Cisco’s environment via a trusted access channel.

Data Exposed During The Breach

The breach exclusively affected registered users of Cisco.com, and involved the export of basic profile data:

  • Full name
  • Organization name
  • Physical address
  • Cisco-assigned user ID
  • Email address
  • Phone number
  • Account metadata (e.g., account creation date)

No passwords, sensitive enterprise information, financial data, or Cisco products/services were compromised.

Association With Larger Campaign

  • Cisco’s breach may be part of a broader wave of vishing attacks against Salesforce instances.
  • Other high-profile victims: Adidas, Qantas, Allianz Life, LVMH brands, Chanel, Pandora
  • Suspected campaign origin: ShinyHunters group using social engineering and vishing to exfiltrate CRM data.

Lessons Learned

  • Even well-trained personnel can fall for voice-based phishing; security training must extend beyond email phishing to include real-world voice-based social engineering scenarios.
  • SaaS platforms like CRMs represent a significant risk if not tightly integrated into internal security monitoring.

Recommendations

  1. Perform Continuous Risk Assessments on third-party platforms, especially those storing customer data (e.g., CRM systems like Salesforce).
  2. Enforce Multi-Factor Authentication (MFA) on all Salesforce and related SaaS accounts—prefer hardware tokens or app-based authenticators over SMS.
  3. Restrict OAuth App access to pre-approved applications only using app whitelisting features in Salesforce and identity providers.
  4. Regularly audit and remove unused or risky OAuth-connected applications from Salesforce and third-party ecosystems.
  5. Configure Salesforce Connected App Policies to limit token scope, session duration, and permitted users.
  6. Conduct vishing and phishing simulation exercises specifically focused on SaaS platforms and OAuth workflows.
  7. Provide contextual training to employees (especially customer service and IT) about malicious OAuth consent prompts.
  8. Limit Scope of Data Stored in SaaS platforms to only what is strictly necessary.
  9. Enable Salesforce Shield or third-party logging tools to monitor for:
    • Unusual API activity
    • New OAuth app authorizations
    • Bulk data exports
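The three monitoring targets in recommendation 9 can be expressed as simple rules over SaaS audit events. The following is an added example, not code from Cisco, Salesforce, or the advisory's author; the event schema, field names, app names, and thresholds are assumptions made for illustration, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not Salesforce's own field names).
SAMPLE_LOG = """\
{"ts":"2025-07-24T09:00:00","user":"alice","event":"report_export","rows":4000,"app":"crm-ui"}
{"ts":"2025-07-24T10:00:00","user":"bob","event":"oauth_authorize","rows":0,"app":"data-loader-x"}
{"ts":"2025-07-24T10:01:00","user":"bob","event":"api_call","rows":0,"app":"data-loader-x"}
{"ts":"2025-07-24T10:02:00","user":"bob","event":"api_call","rows":0,"app":"data-loader-x"}
{"ts":"2025-07-24T10:03:00","user":"bob","event":"api_call","rows":0,"app":"data-loader-x"}
{"ts":"2025-07-24T10:04:00","user":"bob","event":"api_call","rows":0,"app":"data-loader-x"}
{"ts":"2025-07-24T10:05:00","user":"bob","event":"report_export","rows":3000,"app":"data-loader-x"}
{"ts":"2025-07-24T10:20:00","user":"bob","event":"report_export","rows":2500,"app":"data-loader-x"}
{"ts":"2025-07-24T10:30:00","user":"alice","event":"oauth_authorize","rows":0,"app":"marketing-sync"}
{"ts":"2025-07-24T11:30:00","user":"alice","event":"report_export","rows":4000,"app":"crm-ui"}
"""

APPROVED_APPS = {"crm-ui", "marketing-sync"}  # assumed allowlist of connected apps
EXPORT_ROW_LIMIT = 5000                       # assumed max exported rows per user per window
API_CALL_LIMIT = 3                            # assumed max API calls per user per window
WINDOW = timedelta(hours=1)

def detect(lines):
    """Return (rule, user, detail) alerts for time-ordered JSON event lines."""
    alerts, flagged = [], set()
    history = defaultdict(deque)  # (rule, user) -> recent (timestamp, amount) pairs
    for line in lines:
        e = json.loads(line)
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "oauth_authorize" and e["app"] not in APPROVED_APPS:
            alerts.append(("unapproved_oauth_app", user, e["app"]))
        elif e["event"] in ("report_export", "api_call"):
            export = e["event"] == "report_export"
            rule, limit = ("bulk_export", EXPORT_ROW_LIMIT) if export else ("api_spike", API_CALL_LIMIT)
            q = history[(rule, user)]
            q.append((ts, e["rows"] if export else 1))
            while ts - q[0][0] > WINDOW:       # drop events that fell out of the window
                q.popleft()
            total = sum(n for _, n in q)
            if total > limit and (rule, user) not in flagged:
                flagged.add((rule, user))      # alert once per rule and user
                alerts.append((rule, user, total))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The export rule sums rows across a sliding window, so several mid-sized exports in quick succession are caught while the same volume spread over separate windows (alice in the sample) is not.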

Source:

  • https://www.bleepingcomputer.com/news/security/cisco-discloses-data-breach-impacting-ciscocom-user-accounts/amp/
  • https://sec.cloudapps.cisco.com/security/center/resources/CRM-vishing

Ampcus Cyber