Stellantis, the automotive group that owns Chrysler, Jeep and Ram among other brands, disclosed a significant data breach in September 2025 as part of a coordinated data-theft and extortion campaign by the **Trinity of Chaos** group (linked to Lapsus$, ShinyHunters and Scattered Spider). The campaign compromised victims' **Salesforce instances** and exfiltrated **personally identifiable information (PII)** of Stellantis' North American customers. The leaked samples reportedly contained no passwords but did hold substantial volumes of sensitive records; access was most likely gained through **vishing attacks and stolen OAuth tokens** tied to Salesloft's Drift AI chat integration, which let the actors read Salesforce data under the permissions granted to that integration. The same campaign covers the earlier attack on **Jaguar Land Rover**, which severely disrupted its retail and production activities. The FBI issued a flash warning on the actors' tactics, stressing the risks of **large-scale extortion, AI-driven exploitation of stolen data** and follow-on **targeted phishing, identity theft and social engineering**. The Trinity of Chaos threatened to publish over **1.5 billion records** on its **TOR-based Data Leak Site (DLS)** if ransom demands went unmet, signaling a broader, still only partly disclosed wave of breaches across Fortune 100 firms and the aviation and automotive sectors.
TPRM report: https://www.rankiteo.com/company/stellantis
{
"id": "ste3502735100425",
"linkid": "stellantis",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Aviation',
'location': 'Mexico',
'name': 'Aeromexico',
'type': 'Airline'},
{'industry': 'Aviation',
'location': 'France',
'name': 'Air France',
'type': 'Airline'},
{'industry': 'Technology',
'location': 'USA',
'name': 'Google',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'USA',
'name': 'Cisco',
'size': 'Large',
'type': 'Corporation'},
{'customers_affected': 'North American customers '
'(disclosed September 21, 2025)',
'industry': 'Automotive',
'location': 'Netherlands/USA',
'name': 'Stellantis',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas Airlines',
'type': 'Airline'},
{'industry': 'Automotive',
'location': 'UK',
'name': 'Jaguar Land Rover',
'size': 'Large',
'type': 'Corporation'}],
'attack_vector': ['vishing',
'stolen OAuth tokens',
'abuse of compromised Salesforce instances',
'compromised Salesloft Drift AI chat integration (OAuth tokens reused against '
'customer Salesforce orgs)'],
'data_breach': {'data_exfiltration': 'Yes (data leaked on TOR-based DLS)',
'number_of_records_exposed': '1.5 billion (claimed by threat '
'actors)',
'personally_identifiable_information': 'Yes (substantial '
'amounts)',
'sensitivity_of_data': 'High (PII and corporate data)',
'type_of_data_compromised': ['PII', 'corporate records']},
'date_publicly_disclosed': '2025-10-03',
'description': 'The Trinity of Chaos, a ransomware collective associated with '
'Lapsus$, Scattered Spider, and ShinyHunters, launched a Data '
'Leak Site (DLS) on the TOR network containing 39 companies. '
'The attack exploited vulnerable Salesforce instances and '
'other vulnerabilities, primarily through vishing attacks and '
'stolen OAuth tokens used for Salesloft’s Drift AI chat '
'integration. The group claims to have compromised over 1.5 '
'billion records, with victims spanning Fortune 100 companies, '
'financial services, technology, aviation, retail, and '
'automotive sectors. The incident includes data breaches at '
'Stellantis (disclosed September 21, 2025) and Jaguar Land '
'Rover, causing severe disruptions to retail and production '
'activities.',
'impact': {'brand_reputation_impact': 'High (targeting Fortune 100 and '
'high-profile companies)',
'data_compromised': ['PII (Personally Identifiable Information)',
'corporate data'],
'downtime': 'Severe disruptions at Jaguar Land Rover (retail and '
'production)',
'identity_theft_risk': 'High (PII exposure enables identity theft '
'and targeted phishing)',
'operational_impact': 'Significant operational disruptions, '
'particularly in automotive and aviation '
'sectors',
'systems_affected': ['Salesforce instances',
'Salesloft’s Drift AI chat integration',
'retail and production systems (Jaguar Land '
'Rover)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (via TOR-based Data '
'Leak Site)',
'entry_point': ['Salesforce vulnerabilities',
'stolen OAuth tokens',
'vishing attacks'],
'high_value_targets': ['Fortune 100 companies',
'financial services',
'technology',
'aviation',
'automotive sectors']},
'investigation_status': 'Ongoing (new victims and incidents continuing to '
'emerge)',
'lessons_learned': 'The incident highlights the risks of third-party '
'integrations (e.g., Salesloft’s Drift AI) and OAuth token '
'misuse. Organizations must monitor Salesforce '
'environments for unauthorized access and implement robust '
'authentication mechanisms to prevent vishing-based '
'attacks. The scale of the breach underscores the need for '
'proactive threat intelligence sharing and coordinated '
'response efforts, especially against sophisticated threat '
'actor alliances.',
'motivation': ['financial gain', 'data extortion', 'reputation damage'],
'post_incident_analysis': {'root_causes': ['Exploitation of Salesforce '
'vulnerabilities',
'Misuse of OAuth tokens for '
'third-party integrations (e.g., '
'Salesloft’s Drift AI)',
'Successful vishing attacks to '
'gain initial access',
'Lack of proactive monitoring for '
'unauthorized access in cloud '
'environments']},
'ransomware': {'data_exfiltration': 'Yes (via DLS on TOR)'},
'recommendations': ['Monitor Salesforce instances for indicators of '
'compromise (IoCs) as outlined by the FBI.',
'Enhance authentication protocols for third-party '
'integrations (e.g., OAuth tokens).',
'Implement multi-factor authentication (MFA) and '
'zero-trust architectures to mitigate vishing risks.',
'Conduct regular audits of AI chat integrations and other '
'third-party tools connected to critical systems.',
'Prepare for extortion attempts by establishing clear '
'communication protocols and legal strategies.',
'Collaborate with threat intelligence providers (e.g., '
'Resecurity) to track emerging campaigns by groups like '
'Trinity of Chaos.'],
'references': [{'date_accessed': '2025-10-03',
'source': 'SecurityAffairs',
'url': 'https://securityaffairs.com/'},
{'source': 'Resecurity Threat Intelligence Report'},
{'source': 'FBI Flash Warning (Salesforce Vulnerabilities)'}],
'response': {'enhanced_monitoring': 'FBI recommended monitoring for technical '
'indicators of Salesforce infiltration',
'law_enforcement_notified': 'Yes (FBI involved)',
'third_party_assistance': ['FBI (flash warning issued)',
'Resecurity (threat intelligence)']},
'threat_actor': ['Trinity of Chaos',
'Lapsus$',
'Scattered Spider',
'ShinyHunters'],
'title': 'Trinity of Chaos Ransomware Campaign Targeting Salesforce '
'Vulnerabilities',
'type': ['ransomware', 'data breach', 'extortion'],
'vulnerability_exploited': ['Salesforce instance vulnerabilities',
'OAuth token misuse']}