The FBI seized **BreachForums**, a hacking forum operated by **ShinyHunters** and used as a platform for leaking corporate data stolen in **ransomware and extortion campaigns**. Among the targets was **Salesforce**, as part of a high-profile breach campaign in which hackers claimed to have stolen **over one billion customer records** from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including **all database backups since 2023 and escrow databases**, but emphasized that their **Salesforce data leak was still proceeding as planned** and remained scheduled for public release. The breach involved **massive customer data exposure**, with the hackers using the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the **dark web leak site remained active**, indicating persistent risk. The attack highlights a **large-scale, coordinated extortion scheme** targeting enterprise-level customer databases, with **potential financial, reputational, and operational fallout** for Salesforce and its clients. The stolen records likely include **sensitive personal and corporate information**, amplifying the severity of the incident.
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal4232242101025",
"linkid": "salesforce",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Cybercrime',
'location': 'Global (Seized by U.S. and France)',
'name': 'BreachForums',
'type': 'Hacking Forum / Data Extortion Site'},
{'customers_affected': '1+ billion records (across '
'multiple companies)',
'industry': 'Technology',
'location': 'Global',
'name': 'Salesforce (Indirectly Affected via Breach)',
'size': 'Enterprise',
'type': 'Cloud Computing / CRM'},
{'industry': 'Transportation',
'location': 'Global',
'name': 'FedEx',
'size': 'Enterprise',
'type': 'Logistics'},
{'industry': 'Media',
'location': 'Global',
'name': 'Disney/Hulu',
'size': 'Enterprise',
'type': 'Entertainment'},
{'industry': 'Home Improvement',
'location': 'Global',
'name': 'Home Depot',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'Travel',
'location': 'Global',
'name': 'Marriott',
'size': 'Enterprise',
'type': 'Hospitality'},
{'industry': 'Internet Services',
'location': 'Global',
'name': 'Google',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Networking',
'location': 'Global',
'name': 'Cisco',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Manufacturing',
'location': 'Global',
'name': 'Toyota',
'size': 'Enterprise',
'type': 'Automotive'},
{'industry': 'Fashion',
'location': 'Global',
'name': 'Gap',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'Restaurant',
'location': 'Global',
'name': "McDonald's",
'size': 'Enterprise',
'type': 'Food Service'},
{'industry': 'Pharmacy',
'location': 'Global',
'name': 'Walgreens',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'Grocery Delivery',
'location': 'Global',
'name': 'Instacart',
'size': 'Enterprise',
'type': 'E-Commerce'},
{'industry': 'Retail',
'location': 'Global',
'name': 'Cartier',
'size': 'Enterprise',
'type': 'Luxury Goods'},
{'industry': 'Sportswear',
'location': 'Global',
'name': 'Adidas',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'Luxury Department Store',
'location': 'Global',
'name': 'Saks Fifth Avenue',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'Travel',
'location': 'Global',
'name': 'Air France & KLM',
'size': 'Enterprise',
'type': 'Aviation'},
{'industry': 'Credit Reporting',
'location': 'Global',
'name': 'TransUnion',
'size': 'Enterprise',
'type': 'Financial Services'},
{'industry': 'Streaming',
'location': 'Global',
'name': 'HBO Max',
'size': 'Enterprise',
'type': 'Entertainment'},
{'industry': 'Transportation',
'location': 'Global',
'name': 'UPS',
'size': 'Enterprise',
'type': 'Logistics'},
{'industry': 'Retail',
'location': 'Global',
'name': 'Chanel',
'size': 'Enterprise',
'type': 'Luxury Goods'},
{'industry': 'Furniture',
'location': 'Global',
'name': 'IKEA',
'size': 'Enterprise',
'type': 'Retail'}],
'customer_advisories': ['Companies affected by the Salesforce campaign (e.g., '
'FedEx, Disney, Google) may need to notify customers '
'of potential data exposure.'],
'data_breach': {'data_exfiltration': 'Yes (Stolen from Salesforce breaches)',
'number_of_records_exposed': '1+ billion (Salesforce '
'campaign)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (Personally Identifiable '
'Information)',
'type_of_data_compromised': ['Customer Records',
'Corporate Data',
'Escrow Databases',
'Database Backups']},
'date_publicly_disclosed': '2025-10-09',
'description': 'The FBI, in collaboration with law enforcement authorities in '
'France, seized all domains for the BreachForums hacking '
'forum, a platform primarily used by the ShinyHunters group to '
'leak corporate data stolen in ransomware and extortion '
'attacks. The seizure occurred before the Scattered Lapsus$ '
'Hunters hacker could leak data from Salesforce breaches '
'targeting companies that refused to pay ransoms. The '
'operation compromised all BreachForums database backups since '
'2023, including escrow databases, and seized backend servers. '
"Despite the takedown, the gang's dark web data leak site "
'remains operational, and the Salesforce data leak (affecting '
'over 1 billion customer records from companies like FedEx, '
'Disney, Google, and others) is still scheduled for release. '
'ShinyHunters confirmed no arrests of core admin team members '
"but declared the 'era of forums' over, warning future "
'platforms may be honeypots.',
'impact': {'brand_reputation_impact': ['Negative (for Affected Companies)',
'Loss of Anonymity for Cybercriminals'],
'data_compromised': ['Corporate Data',
'Customer Records (1+ billion)',
'Escrow Databases',
'Database Backups (since 2023)'],
'downtime': ['BreachForums (Permanent)',
'Forum Infrastructure (Seized)'],
'identity_theft_risk': ['High (1+ billion customer records '
'exposed)'],
'legal_liabilities': ['Potential Charges for BreachForums Admins '
"(e.g., Kai West aka 'IntelBroker')",
'Regulatory Scrutiny for Affected Companies'],
'operational_impact': ['Termination of BreachForums Operations',
'Disruption of Cybercrime Ecosystem',
'Loss of Trust in Hacking Forums'],
'systems_affected': ['BreachForums Domains',
'Backend Servers',
'Database Backups']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (via BreachForums and '
'dedicated leak site)',
'high_value_targets': ['Salesforce Customer Data',
'Corporate Databases']},
'investigation_status': 'Ongoing (FBI and French authorities)',
'lessons_learned': ['Cybercrime forums are vulnerable to law enforcement '
'takedowns, especially with international cooperation.',
'Data backups can be compromised if stored within seized '
'infrastructure.',
'High-profile data leak threats can accelerate law '
'enforcement action.',
"The 'era of forums' for cybercriminals may be ending due "
'to increased scrutiny and takedowns.'],
'motivation': ['Financial Gain (Extortion)',
'Data Leakage',
'Cybercrime Facilitation'],
'post_incident_analysis': {'corrective_actions': ['ShinyHunters declared no '
'further reboots of '
'BreachForums, suggesting a '
'shift to decentralized or '
'darker web-only '
'operations.',
'Increased caution among '
'cybercriminals regarding '
'forum-based activities '
'(perceived as '
"'honeypots').",
'Potential migration of '
'data leak operations to '
'more secure, less '
'detectable platforms.'],
'root_causes': ['Centralized infrastructure '
'(BreachForums) created a single '
'point of failure for '
'cybercriminal operations.',
'Underestimation of law '
"enforcement's ability to seize "
'backups and escrow databases.',
'Over-reliance on forum-based '
'models for data extortion '
'campaigns.']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (Salesforce Campaign)',
'ransom_paid': 'Unknown (Companies targeted for non-payment)'},
'recommendations': ['Companies should proactively monitor dark web leak sites '
'for exposed data.',
'Enhance third-party risk management to mitigate supply '
'chain attacks (e.g., Salesforce breaches).',
'Law enforcement should continue targeting cybercrime '
'infrastructure to disrupt operations.',
'Organizations should prepare for potential data leaks '
"even after ransomware attacks are 'resolved.'"],
'references': [{'date_accessed': '2025-10-09',
'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com'}],
'regulatory_compliance': {'legal_actions': ['Arrests of BreachForums Admins '
'(France)',
'Charges Against Kai West '
"('IntelBroker') in U.S."]},
'response': {'communication_strategy': ['Public Announcement via '
'BleepingComputer',
'PGP-Signed Message from ShinyHunters '
'on Telegram'],
'containment_measures': ['Domain Seizure',
'Backend Server Seizure',
'Nameserver Redirection to FBI'],
'incident_response_plan_activated': "Yes (FBI and France's BL2C "
'Unit)',
'law_enforcement_notified': 'Yes (FBI-led operation)',
'remediation_measures': ['Permanent Shutdown of BreachForums',
'Prevention of Data Leak (Salesforce '
'Campaign Disrupted)'],
'third_party_assistance': ['French Law Enforcement (BL2C Unit)']},
'threat_actor': ['ShinyHunters', 'Scattered Lapsus$ Hunters'],
'title': 'FBI Seizure of BreachForums Hacking Forum Operated by ShinyHunters',
'type': ['Law Enforcement Takedown',
'Data Leak Prevention',
'Cybercrime Forum Seizure']}