The ransomware group **ShinyHunters (Scattered Lapsus$ Hunters)** breached **Salesforce** by exploiting stolen OAuth tokens from **Salesloft Drift’s AI chatbot integration**, compromising **1.5 billion records** across **760 companies** (including Cisco, Disney, and Marriott). The leaked data includes **PII (names, DOBs, passports, employment histories)**, shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated **Salesloft’s GitHub repository**, extracting private source code and OAuth tokens, then laterally moved to **Google Workspace, Microsoft 365, and Okta platforms** of victims. The group demanded **separate ransoms** from Salesforce and listed **39 high-profile victims** on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged **social engineering (vishing, phishing, IT impersonation)** to trick employees into granting access, highlighting vulnerabilities in **third-party supply-chain integrations** and weak **2FA/OAuth security controls**.
Source: https://www.bankinfosecurity.com/ransomware-group-debuts-salesforce-customer-data-leak-site-a-29636
TPRM report: https://www.rankiteo.com/company/salesforce
```json
{
  "id": "sal5592855100325",
  "linkid": "salesforce",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "760+ (via Salesloft Drift integration)",
      "industry": "Technology",
      "location": "Global (HQ: San Francisco, USA)",
      "name": "Salesforce",
      "size": "Enterprise",
      "type": "Software Company (CRM)"
    },
    {
      "customers_affected": "760+",
      "industry": "Technology/SaaS",
      "location": "Global (HQ: Atlanta, USA)",
      "name": "Salesloft (Drift)",
      "size": "Mid-to-Large",
      "type": "Software Company (AI Chatbot)"
    },
    {
      "industry": "Technology",
      "location": "Global (HQ: San Jose, USA)",
      "name": "Cisco",
      "size": "Enterprise",
      "type": "Corporation"
    },
    {
      "industry": "Entertainment",
      "location": "Global (HQ: Burbank, USA)",
      "name": "The Walt Disney Company",
      "size": "Enterprise",
      "type": "Corporation"
    },
    {
      "industry": "Food & Beverage",
      "location": "Global",
      "name": "KFC (Yum! Brands)",
      "size": "Enterprise",
      "type": "Restaurant Chain"
    },
    {
      "industry": "Furniture",
      "location": "Global (HQ: Netherlands)",
      "name": "IKEA",
      "size": "Enterprise",
      "type": "Retailer"
    },
    {
      "industry": "Hotels",
      "location": "Global (HQ: Bethesda, USA)",
      "name": "Marriott International",
      "size": "Enterprise",
      "type": "Hospitality"
    },
    {
      "industry": "Food & Beverage",
      "location": "Global (HQ: Chicago, USA)",
      "name": "McDonald's",
      "size": "Enterprise",
      "type": "Restaurant Chain"
    },
    {
      "industry": "Healthcare/Retail",
      "location": "Global (HQ: Deerfield, USA)",
      "name": "Walgreens Boots Alliance",
      "size": "Enterprise",
      "type": "Pharmacy Retailer"
    },
    {
      "industry": "Retail",
      "location": "USA",
      "name": "Albertsons Companies",
      "size": "Enterprise",
      "type": "Grocery Retailer"
    },
    {
      "industry": "Retail",
      "location": "USA (HQ: New York)",
      "name": "Saks Fifth Avenue",
      "size": "Large",
      "type": "Luxury Retailer"
    }
  ],
  "attack_vector": [
    "Stolen OAuth Tokens",
    "GitHub Repository Compromise",
    "Social Engineering (Vishing/Phishing)",
    "Third-Party Software Exploitation (Salesloft Drift)",
    "Lateral Movement to Cloud Platforms (Google Workspace, Microsoft 365, Okta)"
  ],
  "customer_advisories": [
    "Recommended: Password Resets for Affected Accounts",
    "Credit Monitoring for Exposed PII",
    "Phishing Awareness Alerts"
  ],
  "data_breach": {
    "data_encryption": "No (Data Stolen in Plaintext)",
    "data_exfiltration": "Confirmed (Samples Validated by Researchers)",
    "file_types_exposed": [
      "Database Dumps",
      "CSV/Excel Files",
      "JSON/Log Files",
      "Chat Transcripts"
    ],
    "number_of_records_exposed": "1,500,000,000 (claimed)",
    "personally_identifiable_information": [
      "Full Names",
      "Dates of Birth",
      "Nationalities",
      "Passport Numbers",
      "Email Addresses",
      "Phone Numbers",
      "Physical Addresses",
      "Employment Histories"
    ],
    "sensitivity_of_data": "High (Includes Passport Numbers, Nationalities, Contact Details)",
    "type_of_data_compromised": [
      "PII",
      "Customer Support Records",
      "Chat Transcripts",
      "Marketing Data",
      "Shipping Information",
      "Flight Details",
      "Employment Histories"
    ]
  },
  "date_detected": "2023-08-08",
  "date_publicly_disclosed": "2023-09-15",
  "description": "A notorious ransomware group, Scattered Lapsus$ Hunters (aka ShinyHunters), launched a darkweb data-leak site targeting 39 victims—including Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue—whose Salesforce CRM was integrated with the Salesloft Drift AI chatbot. The group claims to have stolen **1.5 billion Salesforce records** from **760 Salesloft Drift-using companies**, with leaked samples confirming exposure of **PII (names, DOBs, nationalities, passport numbers, contact details, employment histories)**, shipping data, marketing leads, support case records, chat transcripts, flight details, and car ownership records. The attack exploited **stolen OAuth tokens** from Salesloft’s GitHub repository, granting access to Salesforce instances and other cloud resources (Google Workspace, Microsoft 365, Okta). The FBI and Google’s Mandiant linked the attacks to **UNC6040**, a threat cluster using **social engineering (vishing, phishing, IT impersonation)** to trick support staff into granting access. ShinyHunters demanded separate ransoms from Salesforce and listed victims, threatening to leak data for non-payment.",
  "impact": {
    "brand_reputation_impact": [
      "High (Public Data Leak Site)",
      "Loss of Customer Trust",
      "Media Scrutiny"
    ],
    "data_compromised": [
      "Personally Identifiable Information (PII)",
      "Shipping Information",
      "Marketing Lead Data",
      "Customer Support Case Records",
      "Chat Transcripts",
      "Flight Details",
      "Car Ownership Records",
      "Employment Histories",
      "Passport Numbers",
      "Full Contact Information"
    ],
    "identity_theft_risk": "High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)",
    "legal_liabilities": [
      "Potential GDPR/CCPA Violations",
      "Regulatory Fines",
      "Class-Action Lawsuits"
    ],
    "operational_impact": [
      "Potential Disruption to CRM Operations",
      "Customer Data Exposure Risks",
      "Incident Response Activation"
    ],
    "systems_affected": [
      "Salesforce CRM Instances",
      "Salesloft Drift AI Chatbot",
      "Google Workspace",
      "Microsoft 365",
      "Okta Platforms",
      "GitHub Repository (Salesloft)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "Persistent Access via Compromised OAuth Tokens",
      "Lateral Movement to Google Workspace/Microsoft 365"
    ],
    "data_sold_on_dark_web": "Yes (Via ShinyHunters’ Leak Site and Telegram Channel)",
    "entry_point": "Salesloft GitHub Repository (Stolen OAuth Tokens)",
    "high_value_targets": [
      "Salesforce CRM Data",
      "Customer PII",
      "Corporate Support Case Records"
    ],
    "reconnaissance_period": "2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence)"
  },
  "investigation_status": "Ongoing (FBI, Mandiant, Salesforce, and Affected Companies)",
  "lessons_learned": [
    "Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical.",
    "OAuth tokens and API keys must be protected with **2FA and strict access controls** to prevent abuse.",
    "Social engineering (vishing/phishing) remains a highly effective attack vector; **employee training and verification protocols** are essential.",
    "Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for **zero-trust architecture and segmentation**.",
    "Proactive threat hunting and **dark web monitoring** can help detect stolen data early.",
    "Incident response plans must include **third-party breach scenarios** with clear escalation paths."
  ],
  "motivation": [
    "Financial Gain (Extortion/Ransom)",
    "Data Theft for Dark Web Sales",
    "Reputation Damage"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "**Immediate:**",
      "- Revoke all compromised OAuth tokens and enforce 2FA for new tokens.",
      "- Isolate and audit all third-party integrations with Salesforce.",
      "- Reset credentials for affected employees/customers.",
      "**Short-Term:**",
      "- Deploy **behavioral analytics** to detect anomalous access patterns.",
      "- Conduct **phishing/vishing simulations** to test employee awareness.",
      "- Implement **network segmentation** between cloud platforms.",
      "**Long-Term:**",
      "- Establish a **third-party risk management program** with regular vendor audits.",
      "- Adopt a **zero-trust architecture** to limit lateral movement.",
      "- Develop a **supply-chain breach playbook** for future incidents."
    ],
    "root_causes": [
      "1. **Weak OAuth Security**: Salesloft’s GitHub repository lacked protection for OAuth tokens, enabling initial access.",
      "2. **Third-Party Risk**: Salesloft Drift integration was not adequately vetted for security vulnerabilities.",
      "3. **Social Engineering Gaps**: Support staff were tricked into granting access via vishing/phishing (UNC6040 tactics).",
      "4. **Lack of 2FA**: OAuth applications and admin accounts did not enforce multi-factor authentication.",
      "5. **Lateral Movement Opportunities**: Poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365, and Okta."
    ]
  },
  "ransomware": {
    "data_encryption": "No (Data Theft Without Encryption)",
    "data_exfiltration": "Yes (1.5B Records Claimed)",
    "ransom_demanded": [
      "Separate Ransoms from Salesforce and Listed Victims",
      "Extortion Threats via Dark Web Leak Site"
    ]
  },
  "recommendations": [
    "**For Salesforce/Salesloft Customers:**",
    "- Immediately **revoke and rotate OAuth tokens** for all third-party integrations.",
    "- Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts.",
    "- Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations.",
    "- Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta).",
    "- Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns.",
    "**For All Organizations:**",
    "- **Assess third-party vendor security** with penetration testing and contractually enforce security standards.",
    "- **Train employees on social engineering tactics**, especially vishing and IT impersonation scams.",
    "- **Monitor dark web forums** for leaked credentials or mentions of your organization.",
    "- **Develop a third-party breach response plan** with legal, PR, and technical playbooks.",
    "- **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector."
  ],
  "references": [
    {
      "date_accessed": "2023-09-15",
      "source": "Information Security Media Group (ISMG)",
      "url": "https://www.ismg.com"
    },
    {
      "date_accessed": "2023-09-15",
      "source": "BleepingComputer",
      "url": "https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/"
    },
    {
      "date_accessed": "2023-09-12",
      "source": "FBI Cyber Division Advisory (UNC6040)",
      "url": "https://www.fbi.gov"
    },
    {
      "date_accessed": "2023-09-12",
      "source": "Google Mandiant Defensive Framework",
      "url": "https://www.mandiant.com"
    },
    {
      "date_accessed": "2023-09-10",
      "source": "Resecurity Report on 'The Com' Cybercrime Collective",
      "url": "https://www.resecurity.com"
    }
  ],
  "regulatory_compliance": {
    "legal_actions": [
      "Pending (Potential Class-Action Lawsuits)",
      "Regulatory Investigations"
    ],
    "regulations_violated": [
      "Potential GDPR (EU)",
      "CCPA (California)",
      "Sector-Specific Data Protection Laws"
    ],
    "regulatory_notifications": [
      "Likely Required (e.g., GDPR 72-Hour Rule)",
      "State Attorney General Notifications (USA)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public Disclosure via Media (ISMG, BleepingComputer)",
      "Customer Advisories (Pending)",
      "Regulatory Notifications"
    ],
    "containment_measures": [
      "Revoking Compromised OAuth Tokens",
      "Isolating Affected Salesforce Instances",
      "Disabling Salesloft Drift Integrations"
    ],
    "enhanced_monitoring": [
      "Salesforce Instance Logs",
      "Cloud Platform (Google Workspace, Microsoft 365, Okta) Activity"
    ],
    "incident_response_plan_activated": "Yes (Salesforce, Mandiant, and Affected Companies)",
    "law_enforcement_notified": "Yes (FBI Issued Advisory on 2023-09-12)",
    "network_segmentation": "Recommended (to Limit Lateral Movement)",
    "recovery_measures": [
      "Data Backup Restoration (if applicable)",
      "Customer Notification Plans",
      "Dark Web Monitoring for Leaked Data"
    ],
    "remediation_measures": [
      "Enforcing 2FA for OAuth Apps",
      "Patching Salesloft Drift Vulnerabilities",
      "Audit of Third-Party Integrations"
    ],
    "third_party_assistance": [
      "Mandiant (Google’s Incident Response)",
      "Salesforce Security Team",
      "FBI Cyber Division"
    ]
  },
  "stakeholder_advisories": [
    "Salesforce Security Bulletin (Pending)",
    "Vendor Notifications to Affected Customers",
    "Regulatory Disclosures (e.g., SEC Filings for Public Companies)"
  ],
  "threat_actor": [
    "Scattered Lapsus$ Hunters (aka ShinyHunters)",
    "UNC6040",
    "The Com (English-speaking cybercrime collective)"
  ],
  "title": "Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration",
  "type": [
    "Data Breach",
    "Ransomware",
    "Supply Chain Attack",
    "Social Engineering"
  ],
  "vulnerability_exploited": [
    "Weak OAuth Token Security",
    "Lack of Multi-Factor Authentication (2FA) for OAuth Apps",
    "Unpatched Third-Party Integrations (Salesloft Drift)",
    "Human Error (Support Staff Tricked via Impersonation)"
  ]
}
```