Okta, Nordstrom and Salesforce: Nordstrom's email system abused to send crypto scams to customers

Nordstrom Customers Targeted in Cryptocurrency Scam via Compromised Email System

Nordstrom customers recently received fraudulent emails from the company’s legitimate marketing address (nordstrom@eml.nordstrom.com), promoting a cryptocurrency scam disguised as a St. Patrick’s Day promotion. The messages promised to double any cryptocurrency sent to a specified wallet within two hours, creating a false sense of urgency to pressure recipients into acting quickly.

The scam emails contained red flags, including a misspelled company name ("Normstorm") in the subject line, though the official sender address likely led some victims to overlook the deception. Nordstrom later confirmed the messages were unauthorized and warned customers that the company would never request cryptocurrency transactions. A follow-up email urged recipients to disregard the fraudulent offer.

While it remains unclear how many customers were affected, some victims reportedly sent funds to the attacker’s wallet, which accumulated over $5,600 in cryptocurrency. According to sources, the breach stemmed from a compromise in Okta SSO and Salesforce Marketing Cloud, allowing threat actors to send the scam emails through Nordstrom’s official channels. This incident mirrors recent attacks on Betterment and GrubHub, which also exploited similar vulnerabilities to distribute crypto scams.

Nordstrom, a major U.S. retailer with over $15 billion in annual revenue and millions of customers, has not publicly detailed the extent of the breach or its response beyond issuing customer warnings. The company is investigating the incident.

Source: https://www.bleepingcomputer.com/news/security/nordstroms-email-system-abused-to-send-crypto-scams-to-customers/

Nordstrom cybersecurity rating report: https://www.rankiteo.com/company/nordstrom

Okta cybersecurity rating report: https://www.rankiteo.com/company/Okta

Salesforce cybersecurity rating report: https://www.rankiteo.com/company/salesforce

"id": "NOROKTSAL1773854168",
"linkid": "nordstrom, Okta, salesforce",
"type": "Breach",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Unknown (some victims reported)',
                        'industry': 'Retail / Fashion',
                        'location': 'United States',
                        'name': 'Nordstrom',
                        'size': 'Over $15 billion in annual revenue, millions '
                                'of customers',
                        'type': 'Retailer'}],
 'attack_vector': 'Compromised email system (Okta SSO and Salesforce Marketing '
                  'Cloud)',
 'customer_advisories': 'Warning to disregard fraudulent emails and avoid '
                        'cryptocurrency transactions',
 'description': 'Nordstrom customers received fraudulent emails from the '
                'company’s legitimate marketing address '
                '(nordstrom@eml.nordstrom.com), promoting a cryptocurrency '
                'scam disguised as a St. Patrick’s Day promotion. The messages '
                'promised to double any cryptocurrency sent to a specified '
                'wallet within two hours. The scam emails contained red flags, '
                "including a misspelled company name ('Normstorm') in the "
                'subject line. Nordstrom confirmed the messages were '
                'unauthorized and warned customers that the company would '
                'never request cryptocurrency transactions. Some victims '
                'reportedly sent funds to the attacker’s wallet, which '
                'accumulated over $5,600 in cryptocurrency. The breach stemmed '
                'from a compromise in Okta SSO and Salesforce Marketing Cloud.',
 'impact': {'brand_reputation_impact': 'Potential erosion of customer trust '
                                       'due to fraudulent emails from official '
                                       'channels',
            'financial_loss': "$5,600 (reportedly accumulated in attacker's "
                              'wallet)',
            'operational_impact': 'Unauthorized use of official email channels '
                                  'for fraudulent activity',
            'systems_affected': 'Email marketing system (Salesforce Marketing '
                                'Cloud), Okta SSO'},
 'initial_access_broker': {'entry_point': 'Okta SSO and Salesforce Marketing '
                                          'Cloud compromise'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Compromise in Okta SSO and '
                                           'Salesforce Marketing Cloud (exact '
                                           'cause unknown)'},
 'references': [{'source': 'Cybersecurity news reports'}],
 'response': {'communication_strategy': 'Public warnings via follow-up emails '
                                        'and official statements',
              'containment_measures': 'Issued customer warnings to disregard '
                                      'fraudulent emails'},
 'title': 'Nordstrom Customers Targeted in Cryptocurrency Scam via Compromised '
          'Email System',
 'type': 'Phishing / Scam',
 'vulnerability_exploited': 'Misconfiguration or compromise in Okta SSO and '
                            'Salesforce Marketing Cloud'}