Stellantis

Stellantis, the automaker behind brands like Jeep, Citroën, and FIAT, suffered a data breach via a compromised third-party vendor (Salesforce/Salesloft integration). Attackers, allegedly the **ShinyHunters** group, accessed **18+ million customer records**, including **names, addresses, phone numbers, and email addresses**—though no financial or highly sensitive data (e.g., SSNs, payment details) was exposed. The breach exploited stolen **OAuth tokens** from Salesloft’s Drift AI chat tool, allowing unauthorized Salesforce data exfiltration. Stellantis activated incident response protocols, notified authorities, and warned customers of potential phishing risks. While operational disruption was minimal, the incident underscores **third-party vulnerabilities** in automotive supply chains and the escalating tactics of persistent threat actors targeting cloud ecosystems. The FBI issued an alert urging Salesforce users to revoke suspicious tokens, highlighting the breach’s broader implications for industries reliant on SaaS platforms.

Source: https://www.esecurityplanet.com/threats/stellantis-hack-exposes-18m-records-shinyhunters-strike/

TPRM report: https://www.rankiteo.com/company/stellantis

{
"id": "ste1093810092425",
"linkid": "stellantis",
"type": "Breach",
"date": "9/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Undisclosed (Claimed 18+ '
                                              'million records by '
                                              'ShinyHunters)',
                        'industry': 'Automotive',
                        'location': 'North America (Primary Impact)',
                        'name': 'Stellantis',
                        'size': 'Large (Global Corporation)',
                        'type': 'Multinational Automaker'}],
 'attack_vector': ['Compromised Third-Party Service Provider',
                   'Stolen OAuth Tokens',
                   'Salesforce Integration Exploitation'],
 'customer_advisories': ['Remain alert for phishing attempts using stolen '
                         'contact details.',
                         'Avoid clicking suspicious links or providing '
                         'personal details in unsolicited messages.',
                         'Verify authenticity of all communications from '
                         'Stellantis.'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '18,000,000+ (Claimed by '
                                              'ShinyHunters)',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Phone Numbers',
                                                         'Email Addresses'],
                 'sensitivity_of_data': ['Low (No Financial or Highly '
                                         'Sensitive Data)'],
                 'type_of_data_compromised': ['Customer Contact Information']},
 'description': 'Stellantis, the multinational automaker behind brands such as '
                'Jeep, Citroën, FIAT, Chrysler, and Peugeot, confirmed a data '
                'breach where attackers accessed customer contact details '
                'through a compromised third-party service provider. The '
                'breach is linked to the ShinyHunters group, which exploited '
                'stolen OAuth tokens from Salesloft’s Drift AI chat '
                'integration with Salesforce to exfiltrate over 18 million '
                'records, primarily customer contact data. No financial or '
                'highly sensitive information was exposed, but customers were '
                'warned about potential phishing risks.',
 'impact': {'brand_reputation_impact': ['Moderate (Due to Customer Data '
                                        'Exposure and Phishing Risks)'],
            'data_compromised': ['Customer Names',
                                 'Addresses',
                                 'Phone Numbers',
                                 'Email Addresses'],
            'identity_theft_risk': ['Low (No Financial/Sensitive Data '
                                    'Exposed)'],
            'operational_impact': ['Potential Phishing Risks for Customers',
                                   'Reputation Damage'],
            'payment_information_risk': ['None'],
            'systems_affected': ['Salesforce (via Third-Party Integration)',
                                 'Customer Service Operations']},
 'initial_access_broker': {'entry_point': ['Compromised Salesloft Drift AI '
                                           'Chat Integration with Salesforce'],
                           'high_value_targets': ['Customer Contact Data']},
 'investigation_status': 'Ongoing (Comprehensive Investigation Initiated)',
 'lessons_learned': ['Third-party vendors can introduce significant security '
                     'risks, even in well-defended systems.',
                     'OAuth token management and SaaS integrations require '
                     'rigorous monitoring and access controls.',
                     'Proactive customer communication is critical to mitigate '
                     'phishing risks post-breach.',
                     'Collaboration with law enforcement (e.g., FBI Flash '
                     'alerts) enhances threat intelligence sharing.'],
 'motivation': ['Data Theft', 'Extortion', 'Phishing Enablement'],
 'post_incident_analysis': {'corrective_actions': ['Revoke and rotate OAuth '
                                                   'tokens linked to '
                                                   'third-party integrations.',
                                                   'Implement stricter access '
                                                   'controls for SaaS '
                                                   'platforms.',
                                                   'Enhance threat detection '
                                                   'for anomalous API/OAuth '
                                                   'activity.',
                                                   'Expand customer education '
                                                   'on phishing prevention.'],
                            'root_causes': ['Exploitation of stolen OAuth '
                                            'tokens in third-party Salesforce '
                                            'integration.',
                                            'Inadequate monitoring of vendor '
                                            'access to customer data.',
                                            'Scalable attack method by '
                                            'ShinyHunters targeting multiple '
                                            'high-profile organizations.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Audit and limit third-party integrations with access to '
                     'sensitive systems.',
                     'Enforce multi-factor authentication (MFA) across all '
                     'SaaS platforms.',
                     'Monitor OAuth tokens and API keys for anomalous '
                     'activity.',
                     'Share threat intelligence to preempt evolving attack '
                     'campaigns.',
                     'Educate customers on phishing risks and verification of '
                     'communications.',
                     'Conduct regular security assessments of vendor '
                     'ecosystems.'],
 'references': [{'source': 'eSecurity Planet'},
                {'source': 'FBI Flash Alert (Salesforce OAuth Token '
                           'Exploitation)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Federal Authorities '
                                                        '(U.S.)']},
 'response': {'communication_strategy': ['Public Disclosure',
                                         'Customer Notifications',
                                         'FBI Flash Alert Collaboration'],
              'containment_measures': ['Immediate Activation of Incident '
                                       'Response Protocols',
                                       'Comprehensive Investigation',
                                       'Revoking Suspicious OAuth Tokens (Per '
                                       'FBI Recommendation)'],
              'enhanced_monitoring': ['Review of Access Logs (Salesforce/OAuth '
                                      'Tokens)'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Direct Notification to Affected '
                                       'Customers',
                                       'Advisories on Phishing Risks']},
 'stakeholder_advisories': ['Federal Authorities Notified',
                            'Affected Customers Informed Directly'],
 'threat_actor': ['ShinyHunters'],
 'title': 'Stellantis Data Breach Affecting North American Customers',
 'type': ['Data Breach', 'Third-Party Compromise', 'Unauthorized Access'],
 'vulnerability_exploited': ['Weak OAuth Token Management',
                             'Third-Party Vendor Security Gaps']}