Attackers operating under the alias **Shiny Hunters** claimed to have breached Salesforce customer environments through **social engineering**, targeting users rather than the platform itself. They allegedly stole **nearly 1 billion records** from **39 companies** (including Adidas, Cisco, FedEx, and Disney) and demanded a ransom by **October 10, 2025**, threatening to publish the data on a dark web leak site called *Scattered Lapsus$ Hunters*. The intrusions stemmed from **voice phishing (vishing) calls** that tricked victims into authorizing malicious OAuth apps against their Salesforce orgs, and from abuse of the **Salesloft Drift integration with Salesforce** (disabled by Salesforce on August 28, 2025 and reinstated on September 7, 2025 after fixes). By September 2025 the incident had drawn **14 lawsuits against Salesforce**, with critics arguing the company bears responsibility even though the entry points were third-party integrations and individual users. The stolen data includes **sensitive corporate and customer information**, and samples have already been published as proof. No data was encrypted: this is a **large-scale, coordinated extortion campaign built on data exfiltration** rather than encryption-based ransomware, with severe reputational, financial, and operational consequences for Salesforce and its clients.
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal0693606100625",
"linkid": "salesforce",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '39 companies (targeted for '
'ransom) + unspecified number of '
'users',
'industry': 'Technology/Software',
'location': 'San Francisco, California, USA',
'name': 'Salesforce',
'size': 'Enterprise (150,000+ employees)',
'type': 'Cloud-Based CRM Provider'},
{'industry': 'Retail/Apparel',
'location': 'Global (HQ: Herzogenaurach, Germany)',
'name': 'Adidas',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology/Networking',
'location': 'Global (HQ: San Jose, California, USA)',
'name': 'Cisco',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Logistics/Transportation',
'location': 'Global (HQ: Memphis, Tennessee, USA)',
'name': 'FedEx',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Entertainment/Media',
'location': 'Global (HQ: Burbank, California, USA)',
'name': 'Disney',
'size': 'Enterprise',
'type': 'Corporation'}],
'attack_vector': ['Social Engineering (Voice Phishing/Vishing)',
'Malicious OAuth Applications',
'Third-Party App Exploitation (Salesloft Drift '
'Integration)'],
'customer_advisories': 'Customers advised to review OAuth app permissions and '
'monitor for suspicious activity.',
'data_breach': {'data_exfiltration': 'Yes (samples published on dark web site '
"'Scattered Lapsus$ Hunters')",
'number_of_records_exposed': 'Nearly 1 billion (claimed)',
'personally_identifiable_information': 'Likely (based on '
'context)',
'sensitivity_of_data': 'High (includes PII and potentially '
'proprietary business data)',
'type_of_data_compromised': ['Customer Records',
'Sensitive Corporate Data']},
'date_publicly_disclosed': '2025-10-03',
'description': 'Hackers claiming to be part of the Shiny Hunters group set up '
"a dark web site called 'Scattered Lapsus$ Hunters,' demanding "
'a ransom from 39 companies and Salesforce itself for nearly 1 '
'billion allegedly stolen Salesforce records. The hackers '
'provided a deadline of October 10, 2025, and published '
'samples of stolen data from brands like Adidas, Cisco, FedEx, '
'and Disney. Salesforce attributed the breach to social '
'engineering attacks targeting its users, not a direct '
'compromise of its platform. The incident follows a series of '
'related attacks, including voice phishing (vishing) and '
'exploitation of third-party app integrations (e.g., Salesloft '
'Drift). Fourteen companies filed lawsuits against Salesforce '
'in September 2025 over unauthorized data access.',
'impact': {'brand_reputation_impact': "Severe (described as a 'slow-motion "
"train wreck' by observers; criticism "
'over accountability)',
'customer_complaints': 'High (across online platforms like '
'LinkedIn and Reddit)',
'data_compromised': 'Nearly 1 billion records (claimed)',
'identity_theft_risk': 'High (PII likely included in stolen data)',
'legal_liabilities': ['14 Lawsuits Filed by Affected Companies (as '
'of September 2025)'],
'operational_impact': ['Disruption of Third-Party Integrations '
'(Aug 28–Sep 7, 2025)',
'Legal Actions (14 Lawsuits Filed)'],
'systems_affected': ['Salesforce User Accounts',
'Third-Party Integrations (e.g., Salesloft '
'Drift)']},
'initial_access_broker': {'data_sold_on_dark_web': "Yes (via 'Scattered "
"Lapsus$ Hunters' site)",
'entry_point': ['Voice Phishing (Vishing) Calls',
'Malicious OAuth Apps',
'Exploited Third-Party Integrations '
'(e.g., Salesloft Drift)'],
'high_value_targets': ['Salesforce User Credentials',
'Corporate Data from 39 '
'Targeted Companies'],
'reconnaissance_period': 'Several months (attacks '
'reported since June '
'2025)'},
'investigation_status': 'Ongoing (as of October 2025)',
'lessons_learned': 'Social engineering and third-party app vulnerabilities '
'can bypass platform-level security. Proactive monitoring '
'of OAuth app installations and third-party integrations '
'is critical. User education on phishing/vishing attacks '
'is essential to mitigate human-error risks.',
'motivation': ['Financial Gain (Ransom Extortion)',
'Data Theft for Dark Web Sale'],
'post_incident_analysis': {'corrective_actions': ['Disabled Vulnerable '
'Integrations Temporarily',
'Public Awareness Campaigns '
'on Phishing Risks',
'Legal Defense Against '
'Lawsuits'],
'root_causes': ['Successful Social Engineering '
'(Vishing/OAuth App Tricks)',
'Inadequate Security for '
'Third-Party Integrations',
'Lack of Real-Time Monitoring for '
'Unauthorized Data Access']},
'ransomware': {'data_encryption': 'No (extortion-based, not encryption)',
'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (amount unspecified; deadline: Oct 10, '
'2025)'},
'recommendations': ['Enhance OAuth App Vetting Processes',
'Implement Multi-Factor Authentication (MFA) for '
'Third-Party Integrations',
'Conduct Regular Security Audits of Partner Apps',
'Improve User Training on Social Engineering Tactics',
'Establish Clearer Incident Communication Protocols'],
'references': [{'source': 'Google Threat Intelligence Report (June 2025)'},
{'source': 'Google Threat Intelligence Report (August 2025)'},
{'source': 'Salesforce Security Alert (2025)'},
{'source': 'LinkedIn/Reddit Observations (2025)'}],
'regulatory_compliance': {'legal_actions': ['14 Lawsuits Filed by Affected '
'Companies (September 2025)']},
'response': {'communication_strategy': ['Public Security Alert Issued',
'Denial of Direct Platform '
'Compromise'],
'containment_measures': ['Disabled Salesloft Drift Integration '
'(Aug 28–Sep 7, 2025)'],
'incident_response_plan_activated': 'Yes (Salesforce disabled '
'vulnerable Salesloft Drift '
'integration on Aug 28, '
'2025)',
'remediation_measures': ['Reinstated Integration with Security '
'Fixes (Sep 7, 2025)'],
'third_party_assistance': ['Google Threat Intelligence (reported '
'attacks in June and August 2025)']},
'stakeholder_advisories': 'Salesforce issued alerts to customers and disabled '
'vulnerable integrations.',
'threat_actor': 'Shiny Hunters',
'title': 'Shiny Hunters Ransom Demand for Nearly 1 Billion Stolen Salesforce '
'Records',
'type': ['Data Breach', 'Ransomware Extortion', 'Social Engineering'],
'vulnerability_exploited': ['Human Error (Tricked into Installing Malicious '
'Apps)',
'Weak Third-Party Integration Security']}