Executive Summary: Salesforce-Related Data Theft & Extortion (Oct 2025)
Who did it
- A coalition using the name “Scattered LAPSUS$ Hunters,” reportedly combining tactics or personnel from ShinyHunters, Scattered Spider, and Lapsus$.
- FBI and industry tracking overlap this activity with clusters sometimes labeled UNC6040 and UNC6395.
How they did it
- Social engineering / vishing: attackers impersonated IT or staff to trick employees into approving malicious Salesforce connected apps or installing tampered tools.
- OAuth token abuse via third-party integrations: notably through a Drift / Salesloft integration, allowing unauthorized API queries and large-scale data export from Salesforce objects.
- Data-extortion model: creation of a dark-web leak site listing victims and demanding ransom to prevent public release of data.
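A defender-side check that follows from the connected-app and OAuth token points above, added here as an example and not part of the original summary or of any Salesforce tooling: it scans API event records for connected apps that are not on the org's approved list, or whose total exported row count is anomalously large, which is the pattern an unauthorized integration performing bulk export would produce. The record schema (field names), the app names, the user addresses and the threshold are constructed assumptions for this example; a real deployment would map them to the org's own event-log fields and tune the threshold to normal volumes.

```python
"""Flag suspicious Salesforce connected-app data access from API event records.

Added example. The record schema used here (connected_app, user, operation,
sobject, rows) is an assumption constructed for illustration, not the real
Salesforce event-log schema; map it to your own log fields before use.
"""
from collections import defaultdict
from dataclasses import dataclass

# Connected apps the org has reviewed and approved (hypothetical names).
APPROVED_APPS = {"Approved Marketing Sync", "Approved Support Connector"}

# Total rows per app in the analysed window above which we alert
# (tuning value chosen for this example; set it from your baseline).
BULK_EXPORT_THRESHOLD = 100_000


@dataclass(frozen=True)
class Finding:
    app: str
    reason: str
    rows: int


def analyze_api_events(events):
    """Return Findings for connected apps that are unapproved or that exceed
    the bulk-export threshold.

    `events` is an iterable of dicts with keys connected_app, user,
    operation, sobject and rows (assumed schema). Row counts are summed per
    app across the whole window so that many medium-sized queries add up.
    """
    rows_by_app = defaultdict(int)
    for ev in events:
        rows_by_app[ev["connected_app"]] += int(ev.get("rows", 0))

    findings = []
    for app, rows in sorted(rows_by_app.items()):
        if app not in APPROVED_APPS:
            findings.append(Finding(app, "connected app not on approved list", rows))
        if rows > BULK_EXPORT_THRESHOLD:
            findings.append(
                Finding(app, f"bulk export of {rows} rows exceeds threshold", rows)
            )
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"connected_app": "Approved Marketing Sync", "user": "alice@example.com",
     "operation": "Query", "sobject": "Lead", "rows": 1_200},
    {"connected_app": "Approved Support Connector", "user": "bob@example.com",
     "operation": "Query", "sobject": "Case", "rows": 850},
    {"connected_app": "Unreviewed Chat Integration", "user": "carol@example.com",
     "operation": "BulkQuery", "sobject": "Contact", "rows": 240_000},
    {"connected_app": "Unreviewed Chat Integration", "user": "carol@example.com",
     "operation": "BulkQuery", "sobject": "Account", "rows": 95_000},
]

if __name__ == "__main__":
    for f in analyze_api_events(SAMPLE_EVENTS):
        print(f"[ALERT] {f.app}: {f.reason}")
```

On the constructed sample the two approved apps produce no findings, while the unreviewed integration is flagged twice: once for not being on the approved list and once because its 335,000 exported rows exceed the threshold. Either signal alone is worth a review of that app's OAuth grant and scopes.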
Repercussions
- Large-scale exposure: hackers claim roughly 1 billion records across many firms — scope still under verification.
- Legal / regulatory risk: potential GDPR, CCPA, and PIPEDA exposure, plus civil suits; several have already been filed.
- Reputational & secondary risks: leaked customer or support data could enable phishing and lateral intrusions.
- SaaS supply-chain warning: shows that CRM security depends on connected apps and OAuth hygiene, not only Salesforce’s core platform.
Is the breach proven?
- Partially verified: Google confirmed one of its Salesforce instances was compromised, with limited data exfiltration during a short window.
- Scale unproven: the headline “~1 billion records” claim has not been independently verified across all named victims.
- Salesforce’s position: no evidence of a platform-level compromise; incidents appear to stem from customer-side credentials and integrations.
Key sources
- Reuters — Hackers claim ~1B Salesforce records
- Google Cloud Blog — Vishing + Connected-App Abuse
- Google Cloud Blog — Salesloft / Drift Token Abuse
- Bank Info Security — Leak Portal & Victim Listing
- CSO Online — Extortion Site & Tactics Overview
Comments
This is the real security issue that I feel is going to plague large cloud providers and their customers -- social engineering. In the end, I'm not sure it's possible to secure a provider with 76K+ employees and thousands of third-party integrators.
At many large organizations, one could expect that there are people under a lot of pressure, which makes these types of attacks even easier.
Regarding the OAuth attacks, let's clear this up. These large data systems are incredibly complex. Complexity (especially being connected to endless third parties) makes IT's job of securing the system much more difficult.
I think in the end the social issues combined with the size and complexity make protecting these systems extremely difficult. The larger a cloud application grows, the more complex the code and the staff systems needed to support it will become.
What is the solution? Perhaps AI will help. However, we are not just dealing with the technical challenges anymore; we are dealing with people. In that case, smaller teams and platforms are a clear winner here. What does that mean? It means that some companies will continue to adopt a hybrid cloud / on-premise model. With the costs of cloud services growing, along with greater complexity and security challenges, it's not unheard of today for customers to develop their own applications and run them internally again. With the continued power of AI coding systems, it may be time for organizations to take some core applications back into their own hands.
Dataforge provides on-premise and datacenter-located virtualization platforms (server) as well as connectivity, 24/7 monitored cybersecurity and application development services. We allow customers to have a choice again.
Most importantly, we provide great people that care about our customers. We have the skills, services and products that allow you to take back control of the critical systems your company depends on.