Hackers stole the personal data of 1.1 million American customers of insurance company Allianz Life last month, according to an Aug. 18 update posted on X by a data breach notification website.

“Allianz attributed the attack to ‘a social engineering technique’ which targeted data on Salesforce and resulted in the exposure of 1.1M unique email addresses, names, genders, dates of birth, phone numbers and physical addresses,” Have I Been Pwned said on its website.

Allianz, headquartered in Minneapolis, has 1.4 million customers across the United States.

In a government notification, Allianz said the breach occurred on July 16, with the company discovering the incident a day later. The total number of affected customers was “unknown” at the time.

Allianz started sending notices regarding the breach to affected customers on Aug. 1.

In an emailed statement to The Epoch Times, Brett Weinberg, assistant vice president of communications at Allianz Life, said that the company’s investigation into the breach was ongoing.

“While we are not able to offer any additional comment at this time, Allianz Life will be providing dedicated resources, including two years of identity monitoring services, to assist impacted individuals,” he said.

According to an Aug. 11 post by threat intelligence platform SOCRadar, Allianz Life is just one among several companies that have been targeted by hackers intruding into their Salesforce environment, a campaign that began in mid-2025. Salesforce is a cloud-based customer relationship management service.

Other victims of such attacks include Adidas, Qantas Airways, Air France–KLM, Cartier, Google, Louis Vuitton, Cisco, Pandora, Dior, and Chanel, the post said.

While cybersecurity news site BleepingComputer reported that it has “learned that the attack is believed to have been conducted by the ShinyHunters extortion group,” it did not cite a source, and Allianz Life has not commented on who the threat actor is.

According to SOCRadar, ShinyHunters does not have a single coordinated team. Instead, it functions as a “decentralized, extortion-as-a-service collective.” and relies on social engineering tactics to access systems rather than exploiting flaws in Salesforce’s infrastructure.

In a June 5 blog post, Google said it has tracked the activities of ShinyHunters, also dubbed UNC6240.

According to Google, the group specializes in voice phishing campaigns designed to compromise organizations’ Salesforce environments.

“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” the post said.

“This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of [the] organization’s Salesforce data.”

Social Engineering Attacks

A social engineering attack involves deceiving targets to gain control over their computer systems. This may be done by manipulating targets to reveal sensitive information like passwords, and enticing them to download malware or to click on malicious links.

According to the 2025 Global Threat Report from cybersecurity company CrowdStrike, voice phishing (vishing) attacks, whereby threat actors contact victims and deploy social engineering tactics, grew by 442 percent between the first and second half of 2024.

“Similar to other social engineering techniques, vishing is effective because it targets human weakness or error rather than a flaw in software or an operating system,” it said.

In most vishing campaigns of 2024, the threat actors impersonated IT support staff while contacting targets, falsely claiming they would resolve connectivity or security issues, according to the report.

Hackers are also increasingly adopting help desk social engineering tactics, CrowdStrike said.

In such campaigns, threat actors impersonate an employee of a company and contact the organization’s IT help desk, seeking to reset passwords and multifactor authentication (MFA).

“IT help desks often require employees seeking password and MFA resets to provide their full name, date of birth, employee ID, and manager name or answer a previously determined security question. However, eCrime actors attempting to socially engineer help desk personnel often accurately respond to these questions,” the report said.

“Much of this information is not necessarily privileged and can be found in public resources and social media sites. Identity data that is typically confidential, such as a Social Security number, is often advertised in underground markets.”

In a July 10 post, software tech company Spacelift said that 45 percent of Americans have had their personal data compromised over the past five years. Among all data breaches, 86 percent involve stolen credentials, it said.