Salesforce is facing a major extortion attempt by a crime syndicate known as **Scattered LAPSUS$ Hunters** (tracked as **UNC6040** by Mandiant), which claims to have stolen approximately **1 billion records** from **dozens of Salesforce customers**, including high-profile companies like **Toyota and FedEx**. The attack began in **May 2024**, with the threat actors using **voice phishing (vishing)** to trick employees into connecting a malicious app to their Salesforce portals. The group created a **dedicated leak site**, demanding a ransom from Salesforce itself—threatening to **publicly dump all stolen customer data** if payment was not made by a specified deadline. Salesforce has **refused to negotiate**, risking potential exposure of sensitive customer records. The stolen data reportedly includes **personal, financial, and corporate information** from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly **1 billion records**—suggests a **systemic compromise** with far-reaching consequences for Salesforce’s client base, including potential **fraud, identity theft, and regulatory penalties**.
TPRM report: https://www.rankiteo.com/company/salesforce
{
  "id": "sal5002150100925",
  "linkid": "salesforce",
  "type": "Cyber Attack",
  "date": "5/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Dozens (including Toyota, FedEx, and 37 others)",
      "industry": "Technology",
      "location": "San Francisco, California, USA",
      "name": "Salesforce",
      "size": "Large Enterprise",
      "type": "Cloud CRM Provider"
    },
    {
      "industry": "Automotive",
      "location": "Global",
      "name": "Toyota",
      "size": "Large Enterprise",
      "type": "Automotive Manufacturer"
    },
    {
      "industry": "Transportation/Logistics",
      "location": "Global",
      "name": "FedEx",
      "size": "Large Enterprise",
      "type": "Logistics Company"
    }
  ],
  "attack_vector": [
    "Voice Phishing (Vishing)",
    "Malicious App Integration",
    "Social Engineering"
  ],
  "data_breach": {
    "data_exfiltration": "Claimed by threat actor",
    "number_of_records_exposed": "989.45 million (~1 billion)"
  },
  "date_detected": "2024-05-01",
  "date_publicly_disclosed": "2024-06-01",
  "description": "Salesforce refused to pay an extortion demand made by a crime syndicate (Scattered LAPSUS$ Hunters) claiming to have stolen roughly 1 billion records from dozens of Salesforce customers. The group, tracked as UNC6040 by Mandiant, initiated the campaign in May 2024 by making voice calls to organizations, tricking them into connecting an attacker-controlled app to their Salesforce portals. The group created a website naming affected customers (including Toyota and FedEx) and demanded ransom from Salesforce, threatening to leak the data if unpaid. Salesforce rejected the demand.",
  "impact": {
    "brand_reputation_impact": "High (Public extortion threat and data leak risk)",
    "data_compromised": "~1 billion records",
    "identity_theft_risk": "Potential (depends on compromised data types)",
    "systems_affected": ["Salesforce Customer Portals"]
  },
  "initial_access_broker": {
    "backdoors_established": "Attacker-controlled app integrated into Salesforce portals",
    "data_sold_on_dark_web": "Threatened (public leak if ransom unpaid)",
    "entry_point": "Voice Phishing (Vishing) Calls",
    "high_value_targets": ["Salesforce Customer Data"],
    "reconnaissance_period": "Likely conducted prior to May 2024"
  },
  "investigation_status": "Ongoing (Mandiant tracking as UNC6040)",
  "motivation": "Financial Gain (Extortion)",
  "post_incident_analysis": {
    "root_causes": [
      "Human Error (Compliance with Fraudulent Calls)",
      "Lack of Multi-Factor Authentication for App Integrations"
    ]
  },
  "ransomware": {
    "data_exfiltration": "Claimed (~1 billion records)",
    "ransom_demanded": "Unspecified (extortion demand to Salesforce)",
    "ransom_paid": "No (Salesforce refused)"
  },
  "references": [
    {"date_accessed": "2024-06-01", "source": "Mandiant (Google-owned)"},
    {"date_accessed": "2024-07-10", "source": "Salesforce Public Statement"}
  ],
  "response": {
    "communication_strategy": "Public refusal of ransom demand (email statement)",
    "incident_response_plan_activated": "Likely (Salesforce refused ransom demand)",
    "third_party_assistance": ["Mandiant (Google-owned threat intelligence)"]
  },
  "threat_actor": [
    "Scattered LAPSUS$ Hunters",
    "UNC6040 (Mandiant designation)"
  ],
  "title": "Salesforce Data Extortion Campaign by Scattered LAPSUS$ Hunters",
  "type": ["Data Breach", "Extortion", "Social Engineering"],
  "vulnerability_exploited": "Human Error (Compliance with Fraudulent Requests)"
}