Salesforce

The FBI's seizure of **BreachForums**, a hacking forum used by cybercriminal groups like **Scattered Lapsus$ Hunters** (including Baphomet, IntelBroker, and ShinyHunters), has exposed Salesforce as a key target in a series of high-profile attacks. These actors exploited vulnerabilities to breach Salesforce environments, compromising customer data of major corporations such as **Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota**. The stolen data was leaked on BreachForums, where attackers also conducted extortion campaigns, threatening to expose or sell sensitive information unless ransoms were paid. The breach highlights systemic risks in Salesforce’s ecosystem, where third-party integrations and misconfigured access controls enabled attackers to infiltrate high-value SaaS platforms. While the FBI’s takedown disrupted the forum’s operations, the attackers have pivoted to encrypted channels like **Telegram**, continuing their monetization efforts through ransomware, data resale, and targeted extortion. The incident underscores the broader threat to enterprise tenants, where compromised Salesforce instances serve as gateways to wider corporate networks, financial records, and proprietary customer databases. The cumulative impact includes reputational damage, financial losses from extortion, and erosion of trust in cloud-based CRM security.

Source: https://www.itpro.com/security/cyber-attacks/third-time-lucky-the-fbi-just-took-down-breachforums-again

TPRM report: https://www.rankiteo.com/company/salesforce

"id": "sal4432144101325",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Cybercriminals and victims of '
                                              'data leaks/extortion',
                        'industry': 'Cybercrime',
                        'location': 'Global (Online)',
                        'name': 'BreachForums',
                        'type': 'Hacking Forum'},
                       {'industry': 'Cloud Computing/SaaS',
                        'location': 'USA',
                        'name': 'Salesforce',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Technology',
                        'location': 'USA',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Cybersecurity',
                        'location': 'USA',
                        'name': 'Palo Alto Networks',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Cybersecurity',
                        'location': 'USA',
                        'name': 'Zscaler',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Web Infrastructure',
                        'location': 'USA',
                        'name': 'Cloudflare',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Entertainment',
                        'location': 'USA',
                        'name': 'Disney',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Aviation',
                        'location': 'Australia',
                        'name': 'Qantas',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Aviation',
                        'location': 'France/Netherlands',
                        'name': 'Air France-KLM',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Automotive',
                        'location': 'Japan',
                        'name': 'Toyota',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'customer_advisories': ['Companies targeted (e.g., Salesforce, Google) likely '
                         'issued internal advisories'],
 'data_breach': {'data_exfiltration': 'Yes (via BreachForums)',
                 'personally_identifiable_information': 'Likely (depends on '
                                                        'leaked datasets)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Corporate Data',
                                              'Stolen Credentials',
                                              'Sensitive Information (varies '
                                              'by victim)']},
 'description': 'The FBI has seized control of domains linked to the '
                'BreachForums hacking forum, a platform used by cybercriminals '
                '(including groups like Baphomet, IntelBroker, and '
                'ShinyHunters) to buy, sell, and trade hacked or stolen data. '
                'The forum was used to leak data and conduct extortion '
                'attempts against high-profile targets such as Salesforce, '
                'Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, '
                'Qantas, Air France-KLM, and Toyota. This takedown disrupts a '
                'key hub for cybercriminal monetization, recruitment, and '
                'targeting across multiple sectors. The operation follows '
                'prior seizures in March 2023 and a 2023 joint effort with '
                'Europol, though the forum had repeatedly resurfaced. '
                'Cybercriminals are now shifting to Telegram for '
                "communications and extortion, signaling the 'end of an era' "
                'for centralized hacking forums.',
 'impact': {'brand_reputation_impact': ['Erosion of credibility for '
                                        'BreachForums and similar platforms',
                                        'Increased skepticism among '
                                        'cybercriminal communities'],
            'data_compromised': ['Hacked/Stolen Data (Traded on BreachForums)',
                                 'Leaked Corporate Data (e.g., Salesforce, '
                                 'Google, Disney, etc.)'],
            'downtime': ['BreachForums and successor sites disrupted'],
            'identity_theft_risk': ['High (due to traded stolen data)'],
            'legal_liabilities': ['Potential legal consequences for forum '
                                  'operators (e.g., Conor Brian Fitzpatrick)'],
            'operational_impact': ['Disruption of cybercriminal operations',
                                   'Reduced trust in hacking forums',
                                   'Shift to decentralized platforms (e.g., '
                                   'Telegram)'],
            'payment_information_risk': ['High (if financial data was traded)'],
            'systems_affected': ['BreachForums Domain Infrastructure']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (via BreachForums and '
                                                    'successors)',
                           'entry_point': ['BreachForums (for data trading)',
                                           'Compromised SaaS/enterprise '
                                           'accounts (for extortion)'],
                           'high_value_targets': ['SaaS platforms (e.g., '
                                                  'Salesforce)',
                                                  'Enterprise tenants (e.g., '
                                                  'Google, Disney)']},
 'investigation_status': 'Ongoing (FBI-led, with potential follow-up actions)',
 'lessons_learned': ['Repeated takedowns erode trust in cybercriminal forums, '
                     'making them less sustainable.',
                     'Cybercriminals adapt by shifting to encrypted platforms '
                     '(e.g., Telegram) for resilience.',
                     'Coordinated international law enforcement actions can '
                     'disrupt high-profile cybercrime hubs.',
                     "The 'era of forums' may be ending, but extortion and "
                     'data monetization tactics persist.'],
 'motivation': ['Financial Gain',
                'Data Monetization',
                'Extortion',
                'Recruitment of Collaborators'],
 'post_incident_analysis': {'corrective_actions': ['Law enforcement: Continue '
                                                   'disruptive operations '
                                                   'against successor forums.',
                                                   'Companies: Strengthen '
                                                   'access controls and '
                                                   'monitoring for '
                                                   'SaaS/enterprise '
                                                   'environments.',
                                                   'Cybersecurity community: '
                                                   'Share threat intelligence '
                                                   'on emerging extortion '
                                                   'tactics.'],
                            'root_causes': ['Lack of sustainable '
                                            'infrastructure for cybercriminal '
                                            'forums under law enforcement '
                                            'pressure.',
                                            'Over-reliance on centralized '
                                            'platforms (e.g., BreachForums) '
                                            'vulnerable to seizures.',
                                            'High monetization incentives '
                                            'driving persistent cybercriminal '
                                            'activity.']},
 'ransomware': {'data_exfiltration': 'Yes (as part of extortion schemes)'},
 'recommendations': ['Monitor dark web/Telegram channels for leaked data or '
                     'extortion attempts.',
                     'Enhance SaaS and enterprise tenant security to prevent '
                     'unauthorized access.',
                     'Collaborate with law enforcement to disrupt '
                     'cybercriminal infrastructure proactively.',
                     'Educate employees on phishing and credential theft risks '
                     'to mitigate initial access brokers.'],
 'references': [{'source': 'ITPro', 'url': 'https://www.itpro.com/'},
                {'source': 'FBI Press Release (hypothetical)'}],
 'regulatory_compliance': {'legal_actions': ['Domain seizures',
                                             'Arrest of forum founder (Conor '
                                             'Brian Fitzpatrick in 2023)']},
 'response': {'communication_strategy': ['Public announcement by FBI',
                                         'Media coverage (e.g., ITPro)'],
              'containment_measures': ['Domain seizure',
                                       'Disruption of forum operations'],
              'incident_response_plan_activated': 'Yes (FBI-led operation)',
              'law_enforcement_notified': 'Yes (FBI-led, with international '
                                          'coordination)',
              'third_party_assistance': ['Europol (in prior operations)']},
 'stakeholder_advisories': ['FBI warnings to potential victims',
                            'Cybersecurity community alerts'],
 'threat_actor': ['Baphomet',
                  'IntelBroker',
                  'ShinyHunters',
                  'Scattered Lapsus$ Hunters'],
 'title': 'FBI Seizes Domains Linked to BreachForums Hacking Forum',
 'type': ['Forum Takedown',
          'Law Enforcement Action',
          'Cybercriminal Disruption']}