Toyota was listed among more than 50 global corporations targeted in a large-scale data theft campaign by the **Scattered LAPSUS$ Hunters** group. The attackers exploited weaknesses in **Salesforce customer environments**, including weak OAuth protections and inadequate two-factor authentication, to exfiltrate **multiple terabytes of sensitive data**. The stolen records reportedly include **personally identifiable information (PII)** such as driver’s licenses, dates of birth, Social Security numbers, and other regulated fields. The group claims to hold **strategic corporate data** that could undermine Toyota’s market position, with sample leaks ranging from single-digit gigabytes to hundreds of gigabytes per victim. The threat actors set a **public disclosure deadline (October 10, 2025)**, demanding ransom payments under the threat of full data exposure. While Toyota has not confirmed the authenticity of the leaked samples, the breach aligns with a year-long campaign targeting high-profile enterprises across industries, raising severe compliance risks under **GDPR, CCPA, and other privacy regulations**. The attack’s scale and the nature of the exfiltrated data suggest **profound operational, financial, and reputational consequences** for the automaker.
TPRM report: https://www.rankiteo.com/company/toyota
"id": "toy5893258100325",
"linkid": "toyota",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Automotive',
'location': 'Global',
'name': 'Toyota',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Transportation/Logistics',
'location': 'Global',
'name': 'FedEx',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Entertainment/Hospitality',
'location': 'Global',
'name': 'Disney/Hulu',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Transportation/Logistics',
'location': 'Global',
'name': 'UPS',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Aviation/Transportation',
'location': 'Mexico/Global',
'name': 'Aeroméxico',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'Global',
'name': 'Home Depot',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Hospitality',
'location': 'Global',
'name': 'Marriott',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Retail/Pharmacy',
'location': 'Global',
'name': 'Walgreens',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Stellantis',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Aviation/Transportation',
'location': 'Global',
'name': 'Qantas',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Technology/Advertising',
'location': 'Global',
'name': 'Google AdSense',
'size': 'Large Enterprise',
'type': 'Subsidiary'},
{'industry': 'Technology/Networking',
'location': 'Global',
'name': 'Cisco',
'size': 'Large Enterprise',
'type': 'Corporation'},
{'industry': 'Financial Services/Credit Reporting',
'location': 'Global',
'name': 'TransUnion',
'size': 'Large Enterprise',
'type': 'Corporation'}],
'attack_vector': ['Exploitation of Salesforce Customer Instances',
'OAuth Abuse',
'Third-Party App Compromises (e.g., Salesloft’s '
'Drift/Drift)',
'VPN Masking for Exfiltration',
'Weak 2FA Enforcement'],
'data_breach': {'data_exfiltration': 'Confirmed (Multiple TBs Exfiltrated)',
'number_of_records_exposed': 'Near 1 billion',
'personally_identifiable_information': ['Driver’s Licenses',
'Social Security '
'Numbers',
'Dates of Birth'],
'sensitivity_of_data': 'High (PII, Regulated Fields, '
'Market-Sensitive Data)',
'type_of_data_compromised': ['PII (Driver’s Licenses, SSNs, '
'Dates of Birth)',
'Strategic Corporate Data',
'Raw Regulated Records']},
'description': 'The hacking and cybercrime collective Scattered LAPSUS$ '
'Hunters published a dedicated online portal claiming '
'responsibility for a wide-scale data-theft campaign involving '
'the exploitation of Salesforce products. The group posted '
'samples tied to over 50 corporate victims, including major '
'global brands across automotive, retail, transportation, '
'hospitality, and cloud SaaS. They claim to have exfiltrated '
"'multiple TBs' of data and 'near 1 billion records' "
"containing sensitive PII (e.g., driver's licenses, SSNs, "
'dates of birth). The group set a public disclosure deadline '
'of October 10, 2025, threatening full data release unless '
'victims comply. The campaign allegedly exploited weak OAuth '
'protections, poor 2FA enforcement, and third-party '
'integrations (e.g., Salesloft’s Drift/Drift). Victims span '
'jurisdictions with strict privacy laws (GDPR, CCPA, HIPAA), '
'and some have previously disclosed Salesforce-related '
'breaches, while others were newly disclosed. The actors '
'demand ransom payments in exchange for data deletion and '
'offer litigation support to pressure compliance.',
'impact': {'brand_reputation_impact': 'High (Public Disclosure Threat, Global '
'Brands Affected)',
'data_compromised': ['Sensitive PII (Driver’s Licenses, Social '
'Security Numbers, Dates of Birth)',
'Strategic Corporate Data (Market Position '
'Compromise Risk)',
'Raw Records (Regulated Fields)'],
'identity_theft_risk': 'High (PII Exfiltrated)',
'legal_liabilities': ['Potential GDPR/CCPA/HIPAA Violations',
'Litigation Risks (Threat Actors Offer '
'Support to Pressure Compliance)'],
'systems_affected': ['Salesforce Customer Instances',
'Third-Party Integrations (e.g., Salesloft’s '
'Drift/Drift)',
'OAuth-Connected Apps']},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (Public '
'Disclosure Deadline: '
'October 10, 2025)',
'entry_point': ['Salesforce Customer Instances',
'Third-Party Integrations (e.g., '
'Salesloft’s Drift/Drift)',
'OAuth Abuse'],
'high_value_targets': ['PII Databases',
'Strategic Corporate Data'],
'reconnaissance_period': 'Over 1 Year (Campaign '
'Spanning >12 Months)'},
'investigation_status': 'Ongoing (No Victim Confirmation of Leaked Data '
'Authenticity as of Reporting)',
'motivation': ['Financial Gain (Ransom Extortion)',
'Data Theft for Resale/Leverage',
'Public Disclosure Threats',
'Litigation Support as Pressure Tactic'],
'post_incident_analysis': {'root_causes': ['Weak OAuth Protections',
'Poor 2FA Enforcement',
'Third-Party Integration '
'Vulnerabilities',
'VPN Exfiltration Masking']},
'ransomware': {'data_exfiltration': 'Yes (Primary Tactics)',
'ransom_demanded': 'Implied (Payment for Data Deletion)'},
'references': [{'source': 'CyberInsider'}],
'regulatory_compliance': {'legal_actions': 'Threat Actors Offer Litigation '
'Support to Pressure Compliance',
'regulations_violated': ['Potential GDPR (EU)',
'CCPA (California)',
'HIPAA (Healthcare Data, '
'if applicable)']},
'response': {'communication_strategy': 'Threat actors demand victims verify '
'corporate emails to establish '
'real-time communication for ransom '
'negotiations.'},
'threat_actor': 'Scattered LAPSUS$ Hunters',
'title': 'Scattered LAPSUS$ Hunters Data-Theft Campaign Exploiting Salesforce '
'Products',
'type': ['Data Breach', 'Data Theft', 'Unauthorized Access', 'Extortion'],
'vulnerability_exploited': ['Poor OAuth Protections',
'Lack of Multi-Factor Authentication (2FA) '
'Enforcement',
'Third-Party Integration Vulnerabilities '
'(Salesforce-connected apps)']}