The cybercriminal group **ShinyHunters** (also operating as *Scattered LAPSUS$ Hunters*) ran a **voice phishing (vishing) campaign** in **May 2025** that tricked employees into connecting a malicious app to their companies' **Salesforce portals**. The breach led to the theft of **over a billion customer records** from **dozens of Fortune 500 firms**, including Toyota, FedEx, Disney/Hulu, and UPS. Through a victim-shaming extortion blog, the group threatened to **publicly leak the stolen data** unless ransoms were paid by **October 10, 2025**. The compromised data included **customer engagement records, internal communications, and sensitive business details**. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader **supply-chain risk**: the group claimed responsibility for stealing **authentication tokens from Salesloft** (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s activity was also linked to **multiple zero-day exploits**, including **CVE-2025-61882** in Oracle’s E-Business Suite, which they weaponized for additional data theft.
Source: https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal0562205100825",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '>1B Records (Across Dozens of '
'Clients)',
'industry': 'Enterprise Software',
'location': 'USA (Global Operations)',
'name': 'Salesforce',
'size': 'Large (Fortune 500)',
'type': 'CRM Platform'},
{'customers_affected': 'Corporate Salesforce Instance '
'Compromised',
'industry': 'Internet Services',
'location': 'USA',
'name': 'Google',
'size': 'Large',
'type': 'Technology'},
{'customers_affected': 'Salesforce Data Stolen (Volume '
'Undisclosed)',
'industry': 'Automotive',
'location': 'Japan/Global',
'name': 'Toyota',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Salesforce Data Stolen (Volume '
'Undisclosed)',
'industry': 'Logistics',
'location': 'USA/Global',
'name': 'FedEx',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Salesforce Data Stolen (Volume '
'Undisclosed)',
'industry': 'Entertainment',
'location': 'USA',
'name': 'Disney/Hulu',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Salesforce Data Stolen (Volume '
'Undisclosed)',
'industry': 'Logistics',
'location': 'USA/Global',
'name': 'UPS',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': '28,000+ Git Repos, 5,000+ '
'Customer Engagement Reports',
'industry': 'Enterprise Software',
'location': 'USA/Global',
'name': 'Red Hat (IBM)',
'size': 'Large',
'type': 'Subsidiary'},
{'customers_affected': 'Limited Number of Users '
'(Support/Trust & Safety '
'Interactions)',
'industry': 'Social Media/Communication',
'location': 'USA',
'name': 'Discord',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'E-Business Suite Users (Via '
'CVE-2025-61882)',
'industry': 'Enterprise Software',
'location': 'USA/Global',
'name': 'Oracle',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'Authentication Tokens Stolen '
'(Impacted Cloud Services: '
'Snowflake, AWS)',
'industry': 'Sales Engagement',
'location': 'USA',
'name': 'Salesloft',
'size': 'Medium',
'type': 'Corporation'}],
'attack_vector': ['Voice Phishing (Vishing)',
'Malicious OAuth App Integration (Salesforce)',
'Exploit of CVE-2025-61882 (Oracle E-Business Suite)',
'Compromised Third-Party Vendor (Discord)',
'GitLab Server Exfiltration (Red Hat)',
'Malware-Laced Emails (ASYNCRAT Trojan)'],
'customer_advisories': ['Salesforce: Monitor for Phishing, Enable MFA',
'Discord: Reset Passwords, Watch for Identity Theft',
'Red Hat: Audit GitLab Access, Rotate Compromised '
'Tokens'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Salesforce Database Exports',
'Git Repositories (Red Hat)',
'Customer Support Tickets (Discord)',
'Oracle E-Business Suite Records'],
'number_of_records_exposed': '>1B (Salesforce) + Undisclosed '
'(Discord, Red Hat, Oracle)',
'personally_identifiable_information': ['Discord: Usernames, '
'Emails, IPs, '
'Government ID Images',
'Salesforce: Customer '
'Data (Varies by '
'Client)',
'Red Hat: Business '
'Contact Information '
'(Limited)'],
'sensitivity_of_data': 'High (PII, Government IDs, Source '
'Code, API Tokens)',
'type_of_data_compromised': ['Customer Records (Salesforce)',
'User PII (Discord: Emails, IPs, '
'Government IDs)',
'Source Code (Red Hat Git Repos)',
'API Tokens (Red Hat CERs)',
'Infrastructure Details (Red Hat '
'Audits)',
'Authentication Tokens '
'(Salesloft)']},
'date_detected': '2025-05',
'date_publicly_disclosed': '2025-06-01',
'description': 'A cybercriminal group (ShinyHunters/Scattered LAPSUS$ '
'Hunters) used voice phishing (vishing) to compromise '
'Salesforce instances of Fortune 500 companies, stealing over '
'a billion records. The group launched a victim-shame blog '
'threatening to leak data unless ransoms were paid. Additional '
'breaches included Discord (via a third-party vendor), Red Hat '
'(GitLab server compromise), and exploitation of a zero-day in '
'Oracle E-Business Suite (CVE-2025-61882). The group also sent '
'malware-laced threats to security researchers and leveraged '
'ASYNCRAT trojan for persistence. Law enforcement actions '
'targeted members, including arrests and extraditions.',
'impact': {'brand_reputation_impact': ['Salesforce (Extortion Refusal '
'Publicized)',
'Fortune 500 Victims (Named on '
'Victim-Shame Blog)',
'Red Hat (Trust Erosion Due to GitLab '
'Breach)',
'Discord (User Privacy Concerns)'],
'customer_complaints': 'Expected (Due to Data Leak Threats)',
'data_compromised': ['Salesforce Customer Records (>1B)',
'Discord User Data (Usernames, Emails, IP '
'Addresses, Payment Card Last 4 Digits, '
'Government IDs)',
'Red Hat GitLab Repositories (28,000+ Repos, '
'5,000+ Customer Engagement Reports, API '
'Tokens, Infrastructure Details)',
'Oracle E-Business Suite Data (Via '
'CVE-2025-61882)',
'Salesloft Authentication Tokens (Cloud '
'Services: Snowflake, AWS)'],
'identity_theft_risk': 'High (Discord Government IDs, Payment '
'Data)',
'legal_liabilities': ['Potential GDPR/CCPA Violations (Discord, '
'Salesforce Customers)',
'Regulatory Fines (Pending Investigations)',
'Lawsuits from Affected Individuals'],
'operational_impact': ['Forensic Investigations (Salesforce, Red '
'Hat, Discord)',
'Customer Notifications (Ongoing)',
'Regulatory Scrutiny',
'Reputation Damage for Victim Companies'],
'payment_information_risk': 'Moderate (Discord: Last 4 Digits of '
'Cards)',
'systems_affected': ['Salesforce Instances (Multiple Fortune 500 '
'Companies)',
'Discord Third-Party Customer Service '
'Provider',
'Red Hat GitLab Server',
'Oracle E-Business Suite Servers',
'Salesloft AI Chatbot Platform']},
'initial_access_broker': {'backdoors_established': ['ASYNCRAT Trojan '
'(Targeted Security '
'Researchers)',
'Persistent GitLab Access '
'(Red Hat)'],
'data_sold_on_dark_web': 'Likely (Historical '
'Behavior of '
'ShinyHunters/Lapsus$)',
'entry_point': ['Voice Phishing Calls (Salesforce)',
'Compromised Third-Party Vendor '
'(Discord)',
'Exploited GitLab Misconfiguration '
'(Red Hat)',
'Zero-Day Exploit (Oracle '
'CVE-2025-61882)',
'Malicious OAuth App (Salesforce)'],
'high_value_targets': ['Fortune 500 Salesforce Data',
'Red Hat Customer Engagement '
'Reports (CERs)',
'Oracle E-Business Suite '
'Servers',
'Discord Government ID '
'Images'],
'reconnaissance_period': 'Months (Salesforce '
'Campaign Planned Since '
'Early 2025)'},
'investigation_status': 'Ongoing (Law Enforcement, Forensic Analysis by '
'Victim Companies)',
'lessons_learned': ['Vishing Remains Effective for OAuth Abuse (Salesforce)',
'Third-Party Vendors Are Critical Attack Vectors '
'(Discord, Salesloft)',
'GitLab Server Hardening Needed (Red Hat)',
'Zero-Day Patching Urgency (Oracle CVE-2025-61882)',
'Extortion Groups Evolve Tactics (Victim-Shaming Blogs, '
'Malware Threats)',
'Cross-Group Collaboration (Scattered Spider + Lapsus$ + '
'ShinyHunters)'],
'motivation': ['Financial Gain (Extortion)',
'Data Theft for Resale (Dark Web)',
'Reputation Damage (Victim-Shaming)',
'Harassment of Security Researchers'],
'post_incident_analysis': {'corrective_actions': ['Salesforce: Stricter OAuth '
'App Review Process',
'Discord: Vendor Security '
'Audits',
'Red Hat: GitLab Hardening, '
'Token Rotation',
'Oracle: Emergency Patch '
'Deployment',
'Cross-Industry: Shared '
'Threat Intelligence on '
'ShinyHunters Tactics'],
'root_causes': ['Lack of MFA on Salesforce OAuth '
'Integrations',
'Insufficient Third-Party Vendor '
'Security (Discord)',
'GitLab Server Misconfiguration '
'(Red Hat)',
'Delayed Patching (Oracle '
'CVE-2025-61882)',
'Social Engineering Susceptibility '
'(Vishing Success)']},
'ransomware': {'data_exfiltration': True,
'ransom_demanded': 'Unspecified (Threatened Public Leak if '
'Unpaid by October 10, 2025)'},
'recommendations': ['Implement MFA for OAuth Integrations (Salesforce)',
'Audit Third-Party Vendor Security (Discord, Salesloft)',
'Isolate GitLab/Sensitive Repos (Red Hat)',
'Monitor Dark Web for Stolen Data (All Victims)',
'Enhance Employee Training on Vishing (Salesforce '
'Customers)',
'Apply Zero-Day Patches Immediately (Oracle)',
'Coordinate with Law Enforcement (FBI, INTERPOL for '
'Cross-Border Cases)'],
'references': [{'date_accessed': '2025-10',
'source': 'KrebsOnSecurity',
'url': 'https://krebsonsecurity.com'},
{'date_accessed': '2025-06',
'source': 'Google Threat Intelligence Group (GTIG)',
'url': 'https://blog.google/threat-analysis-group/'},
{'date_accessed': '2025-10',
'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/'},
{'date_accessed': '2025-10-05',
'source': 'Mandiant (Charles Carmichael LinkedIn)',
'url': 'https://www.linkedin.com/in/charles-carmichael-mandiant'},
{'date_accessed': '2025-10-02',
'source': 'Red Hat Security Advisory',
'url': 'https://access.redhat.com/security'},
{'date_accessed': '2025-08',
'source': 'US Department of Justice (Noah Urban Sentencing)',
'url': 'https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group'},
{'date_accessed': '2025-09',
'source': 'UK National Crime Agency (Scattered Spider '
'Charges)',
'url': 'https://www.nationalcrimeagency.gov.uk/news'}],
'regulatory_compliance': {'legal_actions': ['UK Charges Against Scattered '
'Spider Members (September 2025)',
'US Charges Against Thalha Jubair '
'(MGM, Caesars, Harrods Attacks)',
'Extradition of Tyler Buchanan '
'(Spain to US, April 2025)',
'Noah Urban Sentencing (10 Years, '
'August 2025)'],
'regulations_violated': ['Potential GDPR (EU '
'Customer Data in '
'Salesforce/Discord)',
'Potential CCPA '
'(California Residents)',
'Industry-Specific '
'Compliance (e.g., PCI DSS '
'for Payment Data)'],
'regulatory_notifications': ['Salesforce: Notified '
'Customers (No '
'Regulatory Filings '
'Mentioned)',
'Red Hat: Customer '
'Notifications '
'(October 2, 2025)',
'Discord: Affected '
'User Notifications '
'(Ongoing)']},
'response': {'communication_strategy': ['Salesforce: Customer Advisories (No '
'Negotiation Policy)',
'Red Hat: Public Disclosure (October '
'2, 2025)',
'Discord: Direct Emails to Affected '
'Users',
'Oracle: Security Advisory for '
'CVE-2025-61882'],
'containment_measures': ['Salesforce: Disabled Malicious OAuth '
'Apps',
'Red Hat: Isolated Compromised GitLab '
'Server',
'Discord: Terminated Third-Party Vendor '
'Access',
'Oracle: Emergency Patch for '
'CVE-2025-61882'],
'enhanced_monitoring': ['Salesforce: Increased Logging for OAuth '
'Integrations',
'Red Hat: GitLab Access Audits'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['Salesforce: Refused to Pay Ransom, '
'Focused on Defense',
'Red Hat: Restored GitLab from Backups',
'Discord: Enhanced Vendor Security '
'Controls'],
'remediation_measures': ['Salesforce: Forensic Analysis, '
'Customer Support',
'Red Hat: Customer Notifications, '
'Repository Audits',
'Discord: Affected User Notifications, '
'Password Resets',
'Oracle: Urged Customers to Apply '
'Patch'],
'third_party_assistance': ['Google Threat Intelligence Group '
'(GTIG)',
'Mandiant (Malware Analysis)',
'Law Enforcement (FBI, UK NCA)']},
'stakeholder_advisories': ["Salesforce: 'Will Not Negotiate or Pay Extortion' "
'(October 2025)',
"Red Hat: 'Notify Affected Customers' (October 2, "
'2025)',
"Discord: 'Limited User Impact, Password Resets "
"Advised' (September 2025)"],
'threat_actor': [{'affiliation': ['Scattered Spider',
'Lapsus$',
'The Com (Cybercriminal Community)'],
'aliases': ['Scattered LAPSUS$ Hunters',
'UNC6240',
'UNC6395'],
'name': 'ShinyHunters (UNC6040)',
'nationality': 'English-speaking (Multinational)'},
{'name': 'Crimson Collective',
'role': 'Claimed Responsibility for Red Hat Breach'},
{'name': 'Clop Ransomware Gang',
'role': 'Exploited CVE-2025-61882 Prior to Public '
'Disclosure'}],
'title': 'ShinyHunters/Scattered LAPSUS$ Hunters Multi-Company Data Breach '
'and Extortion Campaign (2025)',
'type': ['Data Breach',
'Ransomware Extortion',
'Supply Chain Attack',
'Zero-Day Exploitation',
'Social Engineering (Vishing)',
'Malware Distribution (ASYNCRAT)'],
'vulnerability_exploited': ['CVE-2025-61882 (Oracle E-Business Suite - '
'Unauthenticated RCE)',
'Salesforce OAuth Misconfiguration (via Vishing)',
'Third-Party Customer Service Provider (Discord)',
'GitLab Server Misconfiguration (Red Hat)']}