
Seven hundred organizations breached. One threat actor. One platform as the consistent entry point. Eighteen months.
ShinyHunters, operating as UNC6040, ran the same playbook across more than 700 Salesforce environments: voice phishing calls impersonating IT support, OAuth Device Flow abuse, misconfigured Experience Cloud guest user profiles. The victims include 7-Eleven, Instructure, Vimeo, Wynn Resorts, Crunchbase, Betterment, Medtronic, and dozens of others. The campaign is still active as of this writing.
This is not a breach story. It is a platform accountability story. The question is not whether Salesforce was attacked. The question is whether Salesforce’s observable response to an 18-month sustained campaign using its platform as the primary entry point reflects accountable conduct. That is a different question. And until now, it had no instrument.
It does now.
The Vordan External Posture Assessment evaluates the observable accountability posture of any organization using the public record as its sole evidentiary basis. No organizational access required. No cooperation needed. Six fixed components, scored on a 1 to 5 scale, with mandatory confidence intervals on every finding. If there is no citation, there is no finding.
VEPA-2026-001 is the first published assessment under this instrument. The subject is Salesforce, Inc. The assessment period is mid-2025 through May 21, 2026.
Salesforce scored 2.1.
VEPA-2026-001 Component Scores

| Component | Score | 95% CI | Confidence |
|---|---|---|---|
| P1: Traceability | 2.2 | 1.9 to 2.6 | High |
| P2: Structural Accountability | 2.0 | 1.7 to 2.4 | High |
| P3: Response Adequacy | 2.3 | 2.0 to 2.7 | High |
| P4: Governance Alignment | 2.4 | 2.0 to 2.9 | Medium-High |
| P5: Disclosure Integrity | 2.5 | 2.1 to 3.0 | Medium-High |
| P6: Remediation Trajectory | 2.8 | 2.3 to 3.4 | Medium |
| Composite Posture Score | 2.1 | 1.7 to 2.6 | |

Scale: 1.0 to 1.9 is strong posture. 2.0 to 2.9 is significant deficits. 3.0 to 3.9 is systemic failure.
A score of 2.1 means significant and multi-dimensional accountability deficits across all six components. The lowest component is Structural Accountability at 2.0: the controls most directly relevant to detecting this campaign were gated behind a paid add-on, Salesforce Shield, priced at up to 30% of net Salesforce spend, throughout 18 months of active exploitation. The highest is Remediation Trajectory at 2.8, and it carries the widest confidence interval because internal roadmaps are not public. No component scored above 3.0. No component scored below 2.0 on evidence grounds.
The methodology is published. Every finding is sourced. Salesforce is invited to submit evidence that would affect any component score. The full assessment, with all 16 cited sources and complete component findings, is at the link below.
This is what external accountability assessment looks like when it is built on evidence rather than access.
Notes on the instrument
The VEPA is one of three Vordan accountability instruments. The VAF requires direct organizational access and produces an Accountability Gap Score out of 100. The VEPA operates on the public record alone. The AAB defines the accountability standard for autonomous AI deployments. The instrument specification is published at vordan.co/instruments/vepa.
