Automotive giant **Stellantis** suffered a **data breach** after attackers infiltrated a **third-party Salesforce platform** used for North American customer services. The breach exposed **customer contact details** (names, emails, phone numbers), which were later used for **phishing campaigns and extortion attempts**. The attack was linked to the **ShinyHunters extortion group**, which exploited **OAuth token vulnerabilities** in Salesforce integrations (e.g., Salesloft’s Drift AI chat tool) to harvest metadata, credentials, and AWS keys. Stellantis confirmed **no financial, health, or deeply sensitive data (e.g., SSNs, payment details)** was compromised. The company activated incident response protocols, contained the breach, notified authorities, and warned customers about phishing risks. While the exact number of affected customers was undisclosed, ShinyHunters claimed to have stolen **18 million records** from Stellantis’ Salesforce instance. The breach aligns with a broader wave of attacks targeting Salesforce clients, including Google, Allianz, and Dior.
Source: https://www.foxnews.com/tech/jeep-chrysler-parent-stellantis-confirms-data-breach
TPRM report: https://www.rankiteo.com/company/stellantis
{
  "id": "ste4792047100725",
  "linkid": "stellantis",
  "type": "Breach",
  "date": "10/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Undisclosed (ShinyHunters '
'claims 18 million records)',
'industry': 'Automotive',
'location': 'Global (HQ in Amsterdam, Netherlands)',
'name': 'Stellantis N.V.',
'size': 'Large (5th largest automaker by volume, 14 '
'brands including Jeep, Dodge, Peugeot, '
'Maserati)',
'type': 'Automotive Manufacturer'}],
'attack_vector': ['OAuth Token Exploitation',
"Third-Party Integration (Salesloft's Drift AI chat tool)",
'Salesforce Environment Pivoting'],
'customer_advisories': ['Direct Notifications to Affected Customers',
'Public Statement on Breach Scope'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '18 million (claimed by '
'ShinyHunters)',
'personally_identifiable_information': ['Names',
'Email Addresses',
'Phone Numbers'],
'sensitivity_of_data': 'Low (no financial/health data)',
'type_of_data_compromised': ['Contact Information (names, '
'emails, phone numbers)',
'Possibly addresses']},
'description': 'Automotive giant Stellantis suffered a data breach exposing '
'customer contact details after attackers infiltrated a '
'third-party Salesforce platform used for North American '
'customer services. The breach is linked to the ShinyHunters '
'extortion campaign, which has targeted multiple Salesforce '
'clients. Stellantis confirmed only contact information (e.g., '
'names, emails, phone numbers) was compromised, with no '
'financial or highly sensitive data (e.g., SSNs, payment '
'details) accessed. The company activated incident response '
'protocols, contained the breach, notified authorities, and '
'warned customers about phishing risks. ShinyHunters claims to '
"have stolen 18 million records from Stellantis' Salesforce "
'instance as part of a broader campaign affecting 760+ '
'companies and 1.5 billion records.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Trust',
'Associated with Broader Salesforce '
'Breach Wave'],
'data_compromised': ['Customer Contact Details (names, emails, '
'phone numbers, possibly addresses)'],
'identity_theft_risk': ['Low (limited to contact details)',
'Phishing/Scam Risk Elevated'],
'operational_impact': ['Incident Response Activation',
'Customer Notifications',
'Phishing Warning Campaigns'],
'payment_information_risk': 'None (confirmed not exposed)',
'systems_affected': ['Third-Party Salesforce Platform',
'Salesloft Drift AI Chat Integration']},
'initial_access_broker': {'data_sold_on_dark_web': "Likely (ShinyHunters' "
'modus operandi)',
'entry_point': 'Salesloft Drift AI Chat Tool (OAuth '
'Token Exploitation)',
'high_value_targets': ['Salesforce Metadata',
'AWS Keys',
'Snowflake Tokens']},
'investigation_status': 'Ongoing (full investigation launched by Stellantis)',
'lessons_learned': ['Third-party SaaS integrations (e.g., Salesforce, '
'Salesloft) introduce significant attack surfaces.',
'OAuth token security requires rigorous oversight to '
'prevent pivoting into core systems.',
'Contact details alone enable high-impact phishing/scam '
'campaigns, necessitating proactive customer warnings.',
'Cross-sector breach patterns (e.g., Salesforce-targeted '
'campaigns) demand collaborative threat intelligence '
'sharing.'],
'motivation': ['Data Theft for Extortion',
'Phishing Campaign Enablement',
'Dark Web Data Monetization'],
'post_incident_analysis': {'corrective_actions': ['Token rotation and '
'least-privilege '
'enforcement for '
'integrations.',
'Salesforce environment '
'hardening (per FBI '
'recommendations).',
'Enhanced logging for '
'third-party access '
'patterns.'],
'root_causes': ['Insecure OAuth token management '
'in third-party integrations.',
'Lack of segmentation between '
'Salesforce and connected SaaS '
'tools.',
'Delayed detection of metadata '
'harvesting activities.']},
'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related)'},
'recommendations': ['Hardening OAuth token policies and monitoring for '
'anomalous usage.',
'Implementing zero-trust principles for third-party SaaS '
'integrations.',
'Regular audits of cloud CRM environments for '
'misconfigurations or exposed metadata.',
'Customer education on phishing risks post-breach, with '
'clear reporting channels.',
'Adoption of data removal services to mitigate long-term '
'exposure from leaked contact details.',
'Enhanced identity theft protection for affected '
'customers, despite low sensitivity of exposed data.'],
'references': [{'source': 'Fox News / CyberGuy Report',
'url': 'https://www.foxnews.com/tech/stellantis-data-breach-exposes-customer-contact-details'},
{'source': 'Bleeping Computer',
'url': 'https://www.bleepingcomputer.com/news/security/shinyhunters-claims-theft-of-18-million-stellantis-customer-records/'},
{'source': 'FBI Flash Alert (Salesforce Attacks)'}],
'regulatory_compliance': {'regulatory_notifications': ['Authorities Notified '
'(unspecified)']},
'response': {'communication_strategy': ['Public Statement',
'Direct Customer Alerts',
'Media Outreach'],
'containment_measures': ['Breach Isolation',
'Salesforce Environment Securing'],
'enhanced_monitoring': 'Likely (implied by FBI Flash alert '
'compliance)',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes',
'recovery_measures': ['Customer Notifications',
'Phishing Awareness Campaigns'],
'remediation_measures': ['Investigation Launch',
'OAuth Token Review',
'Integration Hardening']},
'stakeholder_advisories': ['Phishing Risk Warnings',
'Suspicious Link Avoidance Guidance'],
'threat_actor': 'ShinyHunters (alleged, in collaboration with Scattered '
'Spider)',
'title': 'Stellantis Data Breach via Third-Party Salesforce Platform',
'type': ['Data Breach', 'Third-Party Vulnerability', 'Cloud CRM Compromise'],
'vulnerability_exploited': ['Improper OAuth Token Security',
'Weak SaaS Integration Controls',
'Metadata Harvesting in Salesforce']}