Salesforce suffered a **massive data breach** via two distinct campaigns in 2025, orchestrated by the threat actors **Scattered Lapsus$ Hunters** and **ShinyHunters**. The first wave (late 2024) involved **social engineering attacks** impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited **stolen SalesLoft Drift OAuth tokens** to pivot into customer CRM environments, exfiltrating **support ticket data, credentials, API tokens, and authentication details**. The attackers claimed to have stolen **~1 billion records** in the first campaign and **1.5 billion records across 760+ companies** in the second, targeting high-profile victims such as **Google, Cisco, Disney, FedEx, and Marriott**. A **data leak site** was launched to extort victims, threatening public release if ransoms went unpaid. Salesforce **refused to negotiate or pay**, and the leak site was later **shut down** (potentially via FBI seizure). The breach exposed **sensitive customer and corporate data**, including **authentication tokens, API keys, and support logs**, creating a risk of downstream attacks on affected companies. The scale and sophistication of the operation, which leveraged **supply-chain and OAuth abuses**, highlighted critical weaknesses in the Salesforce ecosystem; its core impacts were **prolonged unauthorized access** and **large-scale data exfiltration**.
TPRM report: https://www.rankiteo.com/company/salesforce
{
"id": "sal0962109100825",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '39+ (direct extortion targets), '
'760+ (SalesLoft campaign)',
'industry': 'Technology (CRM/SaaS)',
'location': 'San Francisco, California, USA',
'name': 'Salesforce',
'size': 'Enterprise',
'type': 'Cloud Service Provider'},
{'industry': 'Logistics',
'location': 'Memphis, Tennessee, USA',
'name': 'FedEx',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Entertainment',
'location': 'Burbank, California, USA',
'name': 'Disney/Hulu',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'Atlanta, Georgia, USA',
'name': 'Home Depot',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Hospitality',
'location': 'Bethesda, Maryland, USA',
'name': 'Marriott',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'Mountain View, California, USA',
'name': 'Google',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'San Jose, California, USA',
'name': 'Cisco',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Toyota City, Aichi, Japan',
'name': 'Toyota',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'San Francisco, California, USA',
'name': 'Gap',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Luxury Goods',
'location': 'Paris, France',
'name': 'Kering',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Food Service',
'location': 'Chicago, Illinois, USA',
'name': "McDonald's",
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Pharmacy/Retail',
'location': 'Deerfield, Illinois, USA',
'name': 'Walgreens',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'E-commerce',
'location': 'San Francisco, California, USA',
'name': 'Instacart',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Luxury Goods',
'location': 'Paris, France',
'name': 'Cartier',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Apparel',
'location': 'Herzogenaurach, Germany',
'name': 'Adidas',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'New York, New York, USA',
'name': 'Saks Fifth Avenue',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Paris, France / Amstelveen, Netherlands',
'name': 'Air France & KLM',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Credit Reporting',
'location': 'Chicago, Illinois, USA',
'name': 'TransUnion',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Entertainment',
'location': 'New York, New York, USA',
'name': 'HBO Max',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Logistics',
'location': 'Atlanta, Georgia, USA',
'name': 'UPS',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Luxury Goods',
'location': 'Paris, France',
'name': 'Chanel',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'Delft, Netherlands',
'name': 'IKEA',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Sydney, Australia',
'name': 'Qantas',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Insurance',
'location': 'Minneapolis, Minnesota, USA',
'name': 'Allianz Life',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Insurance',
'location': 'Los Angeles, California, USA',
'name': 'Farmers Insurance',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (HR/Finance SaaS)',
'location': 'Pleasanton, California, USA',
'name': 'Workday',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Luxury Goods',
'location': 'Paris, France',
'name': 'LVMH (Dior, Louis Vuitton, Tiffany & Co.)',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'San Francisco, California, USA',
'name': 'Cloudflare',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'San Jose, California, USA',
'name': 'Zscaler',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Columbia, Maryland, USA',
'name': 'Tenable',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Petah Tikva, Israel',
'name': 'CyberArk',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Search/Data Analytics)',
'location': 'Mountain View, California, USA',
'name': 'Elastic',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Phoenix, Arizona, USA',
'name': 'BeyondTrust',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Sunnyvale, California, USA',
'name': 'Proofpoint',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (DevOps)',
'location': 'Sunnyvale, California, USA',
'name': 'JFrog',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cloud Computing)',
'location': 'San Jose, California, USA',
'name': 'Nutanix',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Foster City, California, USA',
'name': 'Qualys',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Data Management)',
'location': 'Palo Alto, California, USA',
'name': 'Rubrik',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Network Security)',
'location': 'Tel Aviv, Israel',
'name': 'Cato Networks',
'size': 'Enterprise',
'type': 'Corporation'},
{'industry': 'Technology (Cybersecurity)',
'location': 'Santa Clara, California, USA',
'name': 'Palo Alto Networks',
'size': 'Enterprise',
'type': 'Corporation'}],
'attack_vector': ['Social Engineering (OAuth Phishing)',
'Stolen OAuth Tokens (SalesLoft Drift)',
'Supply Chain Compromise'],
'customer_advisories': 'Customers advised of potential data leaks and '
'encouraged to monitor for unauthorized access.',
'data_breach': {'data_exfiltration': 'Yes',
'file_types_exposed': ['Databases',
'Support Logs',
'Configuration Files'],
'number_of_records_exposed': '~2.5 billion (1B in first '
'campaign, 1.5B in second)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII, credentials, '
'business-sensitive data)',
'type_of_data_compromised': ['Customer Records',
'Support Tickets',
'Credentials',
'API Tokens',
'Authentication Tokens']},
'date_publicly_disclosed': '2025-09-17T00:00:00Z',
'description': 'Salesforce confirmed it would not negotiate with or pay '
'ransom to the threat actors behind a massive wave of data '
'theft attacks impacting its customers in 2025. The attacks '
'involved two separate campaigns: (1) social engineering '
'impersonating IT support to trick employees into linking '
'malicious OAuth apps to Salesforce instances (late 2024), and '
'(2) exploitation of stolen SalesLoft Drift OAuth tokens to '
'pivot to CRM environments and exfiltrate data (August 2025). '
"Threat actors, including 'Scattered Lapsus$ Hunters' and "
"'ShinyHunters,' claimed to have stolen nearly 1 billion "
'records in the first campaign and 1.5 billion records (760+ '
'companies) in the second. A data leak site was launched to '
'extort 39 companies, including FedEx, Disney, Google, and '
'others, but was later shut down. The FBI may have seized the '
'domain.',
'impact': {'brand_reputation_impact': 'High (public extortion of major '
'brands)',
'data_compromised': ['Customer Data',
'Support Tickets',
'Credentials',
'API Tokens',
'Authentication Tokens'],
'identity_theft_risk': 'High (PII and credentials exposed)',
'operational_impact': 'Potential infrastructure breaches due to '
'stolen credentials/tokens',
'systems_affected': ['Salesforce CRM Instances',
'SalesLoft Drift Environments']},
'initial_access_broker': {'data_sold_on_dark_web': 'Planned (extortion site '
'threatened public release '
'if demands unmet)',
'entry_point': ['Malicious OAuth Applications',
'Stolen SalesLoft Drift OAuth '
'Tokens'],
'high_value_targets': ['CRM Databases',
'Support Tickets',
'Credentials/Tokens'],
'reconnaissance_period': 'Late 2024 (first '
'campaign), Early August '
'2025 (second campaign)'},
'investigation_status': 'Ongoing (domain seizure suggests active law '
'enforcement involvement)',
'motivation': 'Financial Gain (Extortion)',
'post_incident_analysis': {'root_causes': ['Insufficient OAuth application '
'security',
'Lack of monitoring for anomalous '
'data access',
'Supply chain vulnerability '
'(SalesLoft Drift tokens)',
'Successful social engineering '
'attacks']},
'ransomware': {'data_encryption': 'No (data theft, not encryption)',
'data_exfiltration': 'Yes',
'ransom_demanded': 'Unspecified (extortion demands to '
'companies or Salesforce)',
'ransom_paid': 'No (Salesforce refused to pay)'},
'recommendations': ['Enhance OAuth application security and monitoring',
'Implement stricter access controls for third-party '
'integrations',
'Conduct regular security awareness training for social '
'engineering risks',
'Monitor for unauthorized data exfiltration in CRM '
'environments',
'Review supply chain security for third-party SaaS '
'providers'],
'references': [{'date_accessed': '2025-09-17T00:00:00Z',
'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com'},
{'date_accessed': '2025-09-17T00:00:00Z',
'source': 'Bloomberg',
'url': 'https://www.bloomberg.com'}],
'response': {'communication_strategy': 'Public statements and customer emails',
'incident_response_plan_activated': 'Yes (Salesforce notified '
'customers)',
'law_enforcement_notified': 'Likely (FBI may have seized '
'extortion domain)',
'remediation_measures': ['Refusal to pay ransom',
'Customer notifications']},
'stakeholder_advisories': 'Salesforce emailed customers on 2025-09-17 to warn '
'about extortion threats and refusal to pay ransom.',
'threat_actor': ['Scattered Lapsus$ Hunters', 'ShinyHunters'],
'title': 'Salesforce Data Theft and Extortion Campaigns (2024-2025)',
'type': ['Data Breach',
'Extortion',
'Supply Chain Attack',
'Social Engineering'],
'vulnerability_exploited': ['OAuth Application Abuse',
'Stolen Credentials/API Tokens',
'Improper Access Controls']}