Salesloft, a sales engagement platform leveraging AI chatbots (Drift) and deep Salesforce integrations, suffered a large-scale breach orchestrated by the Scattered Lapsus$ Hunters group. The attack began in late 2024 via voice phishing (vishing), tricking employees into installing malicious Salesforce integrations, granting API-level access to corporate data. By mid-2025, attackers compromised Salesloft’s GitHub repository, extracting credentials and AWS OAuth tokens used by clients for third-party integrations. These tokens enabled lateral movement across systems, culminating in mass data exfiltration from Salesloft Drift customers by August 2025. On October 3, 2025, the group launched a Tor-based extortion portal, publicly listing victims and stolen data volumes, demanding ransom payments by October 10 to prevent leaks. The breach exposed sensitive CRM data—customer leads, deal details, and operational intelligence—via abused integrations and token theft. While Salesforce’s core platform remained unbreached, the attack exploited integration vulnerabilities and poor credential hygiene, highlighting risks in SaaS ecosystems. The incident underscores the shift toward ransomware-as-a-service (RaaS), with the group monetizing stolen data through extortion rather than encryption.
Source: https://cyberpress.org/salesforce-data-leak/
TPRM report: https://www.rankiteo.com/company/salesloft
"id": "sal5092150100725",
"linkid": "salesloft",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Multiple (via Salesforce Integrations)',
                        'industry': 'Sales Engagement/CRM Software',
                        'name': 'Salesloft',
                        'type': 'Private Company'},
                       {'industry': 'Technology/Cloud Services',
                        'location': 'Global',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Public Company'},
                       {'industry': 'Networking/IT',
                        'location': 'Global',
                        'name': 'Cisco',
                        'size': 'Large',
                        'type': 'Public Company'},
                       {'name': 'Unnamed Salesforce Customers'}],
 'attack_vector': ['Social Engineering (Vishing)',
                   'Malicious Salesforce Integrations',
                   'API Exploitation',
                   'GitHub Credential Harvesting',
                   'OAuth Token Theft',
                   'Lateral Movement via Cloud Environments (AWS)'],
 'data_breach': {'data_exfiltration': 'Yes (Mass Data Extraction via OAuth Tokens)',
                 'personally_identifiable_information': 'Likely (Customer Data in CRM)',
                 'sensitivity_of_data': 'High (Business-Critical CRM Data, Authentication Tokens)',
                 'type_of_data_compromised': ['CRM Data (Customer Leads, Deal Details)',
                                              'OAuth Tokens',
                                              'Credentials/Access Keys',
                                              'Operational Confidential Information']},
 'date_publicly_disclosed': '2025-10-03',
 'description': 'The hacker collective Scattered Lapsus$ Hunters (a fusion of ShinyHunters, Scattered Spider, and Lapsus$) launched a dedicated leak website on the Tor network in October 2025, demanding ransom payments from victims to remove stolen Salesforce data. The attack originated in late 2024 via social engineering (vishing) to install malicious Salesforce integrations, followed by credential harvesting from Salesloft’s GitHub repository and OAuth token theft from its AWS environment. The group exfiltrated data from Salesforce and third-party integrations, leveraging lateral movement across systems. A ransom deadline of October 10, 2025, was set, marking an evolution into ransomware-as-a-service (RaaS) tactics.',
 'impact': {'brand_reputation_impact': 'High (Public Extortion Portal, High-Profile Victims)',
            'data_compromised': ['Customer Leads',
                                 'Deal Details',
                                 'Confidential Operational Information',
                                 'OAuth Tokens',
                                 'Third-Party Integration Data'],
            'identity_theft_risk': 'Moderate (PII in CRM Data)',
            'operational_impact': ['Unauthorized Data Exfiltration',
                                   'Potential Business Disruption',
                                   'Loss of Customer Trust',
                                   'Regulatory Scrutiny'],
            'systems_affected': ['Salesforce Environments',
                                 'Salesloft (Sales Engagement Platform)',
                                 'Drift AI Chatbot',
                                 'GitHub Repositories',
                                 'AWS Cloud Environments']},
 'initial_access_broker': {'backdoors_established': 'Yes (OAuth Tokens for Persistent Access)',
                           'data_sold_on_dark_web': 'Likely (Extortion Portal Implies Monetization)',
                           'entry_point': 'Social Engineering (Vishing) → Malicious Salesforce Integrations',
                           'high_value_targets': ['Salesforce CRM Data',
                                                  'Third-Party Integration Tokens',
                                                  'AWS Cloud Environments'],
                           'reconnaissance_period': 'Late 2024 (Initial Access) to August 2025 (Mass Exfiltration)'},
 'investigation_status': 'Ongoing (as of October 2025)',
 'lessons_learned': ['Social engineering (vishing) remains a critical attack vector for initial access.',
                     'Over-permissive API/OAuth tokens create extensive lateral movement risks.',
                     'Third-party integrations (e.g., Salesloft, Drift) expand attack surfaces in SaaS ecosystems.',
                     'Credential hygiene (e.g., GitHub repositories) is a persistent weak point.',
                     'RaaS models enable scalable extortion campaigns with lower technical barriers.'],
 'motivation': ['Financial Gain (Extortion/Ransom)',
                'Data Theft for Resale',
                'Reputation Damage',
                'RaaS Monetization'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory MFA for all SaaS and cloud access.',
                                                   'Automated credential scanning in code repositories.',
                                                   'Reduced OAuth token permissions and scope.',
                                                   'Enhanced behavioral analytics for API/OAuth usage.',
                                                   'Employee training on social engineering tactics.'],
                            'root_causes': ['Successful vishing attacks due to lack of employee awareness.',
                                            'Storing credentials in GitHub repositories (poor hygiene).',
                                            'Over-permissive OAuth tokens enabling lateral movement.',
                                            'Inadequate monitoring of third-party integration activities.']},
 'ransomware': {'data_encryption': 'No (Extortion-Based, Not Encryption)',
                'data_exfiltration': 'Yes',
                'ransom_demanded': 'Yes (Extortion via Tor Leak Site)'},
 'recommendations': ['Implement strict API/OAuth permission controls and regular audits.',
                     'Enforce MFA for all critical systems, including third-party integrations.',
                     'Sanitize development repositories to remove hardcoded credentials.',
                     'Monitor for anomalous OAuth token usage and lateral movement.',
                     'Educate employees on vishing and social engineering tactics.',
                     'Segment networks to limit blast radius from compromised integrations.',
                     'Adopt zero-trust principles for SaaS and cloud environments.'],
 'references': [{'source': 'Cybersecurity Article (Title Not Provided)'}],
 'response': {'remediation_measures': ['Enforcing API Permission Controls',
                                       'Auditing Third-Party Integrations',
                                       'Multi-Factor Authentication (MFA) Enforcement',
                                       'Sanitizing Development Repositories']},
 'threat_actor': 'Scattered Lapsus$ Hunters (fusion of ShinyHunters, Scattered Spider, and Lapsus$)',
 'title': 'Scattered Lapsus$ Hunters Launches Extortionware Portal Targeting Salesforce Data via OAuth Token Theft',
 'type': ['Data Breach',
          'Extortion',
          'Unauthorized Access',
          'Social Engineering',
          'OAuth Token Abuse',
          'Ransomware-as-a-Service (RaaS)'],
 'vulnerability_exploited': ['Poor Credential Hygiene (GitHub Repository)',
                             'Over-Permissive API/OAuth Token Access',
                             'Lack of Multi-Factor Authentication (MFA) Enforcement',
                             'Insecure Third-Party Integration Controls']}