Sunday, October 5, 2025

Salesforce Data Breach: Hackers Claim Theft of 1 Billion Customer Records

A notorious hacking group has launched a dark web extortion site claiming to have stolen nearly 1 billion records from Salesforce customer databases, targeting dozens of major companies that use the cloud platform for customer management. The group, known as “Scattered LAPSUS$ Hunters” and linked to ShinyHunters, Scattered Spider, and LAPSUS$, demands ransom payments to prevent the release of sensitive data, including personally identifiable information (PII) from entities like Google, Toyota, FedEx, Disney, and Home Depot. The campaign, first reported by TechCrunch on October 3, 2025, exploits compromised third-party integrations like Salesloft and Drift via vishing (voice phishing) to access API-level data, bypassing Salesforce’s core systems. Salesforce maintains that its platform was not directly hacked, attributing incidents to past or unsubstantiated events, and is supporting affected customers. With at least 14 lawsuits filed in September 2025 alleging negligence, the breach could cost victims millions in remediation and regulatory fines.

The hackers’ site lists 39 victims and threatens leaks by October 10 unless demands are met, escalating a year-long campaign that has already exposed data from Allianz Life (1.4 million records) and TransUnion (4.4 million).

The Breach Mechanics: Vishing and Third-Party Exploits

The attacks, tracked by Google’s Threat Intelligence Group as UNC6040, rely on social engineering rather than Salesforce vulnerabilities. Hackers impersonate employees via phone to trick IT helpdesks into installing modified versions of tools like Salesforce’s Data Loader, granting access to customer databases.

  • Entry Point: Compromised OAuth tokens from integrations like Drift AI and Salesloft, enabling bulk data exports.
  • Data Scope: PII including names, addresses, SSNs, emails, and business contacts from Salesforce objects like Account, Contact, Case, Opportunity, and User.
  • Extortion Tactic: Dark web site demands payments; non-payment leads to leaks, as seen with Balenciaga, Gucci, and Alexander McQueen in September 2025.

Salesforce spokesperson Nicole Aranda stated: “Our findings indicate these attempts relate to past or unsubstantiated incidents… there is no indication the Salesforce platform has been compromised.”

| Attack Vector | Method | Impacted Data |
| --- | --- | --- |
| Vishing | Phone Impersonation | OAuth Tokens |
| Malicious Apps | Modified Data Loader | Bulk Exports |
| Third-Party Hacks | Drift/Salesloft | Customer PII |

Affected Companies and Confirmed Breaches

The hackers claim 760 victim companies, with 39 named on the site. Confirmed victims include:

  • Allianz Life: 1.4 million customer records exposed.
  • TransUnion: 4.4 million US consumers’ data.
  • Stellantis: Third-party incident confirmed.
  • Workday: Customer data stolen.
  • Others: Walgreens, McDonald’s, KFC, IKEA, Marriott, Chanel, Cartier, Kering subsidiaries.

Lawsuits in Northern California seek class-action status over alleged negligence.

Implications: A Wake-Up for Cloud Security

This breach highlights risks in third-party integrations:

  • Cost to Victims: Potential $100-500 million in fines and remediation.
  • Regulatory Scrutiny: FTC and EU GDPR probes loom.
  • Mitigation: Enable MFA, least privilege, and audit logs.
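
The "audit logs" mitigation applied to the two access paths described above (a modified Data Loader and tokens taken from an integration), as an added example that is not from the original article or from Salesforce. The log columns, app names, IP addresses and row threshold are constructed assumptions, not a real Salesforce log schema.

```python
import csv
import io
from collections import defaultdict

# Objects the article lists as exported in this campaign.
SENSITIVE = {"Account", "Contact", "Case", "Opportunity", "User"}

# Constructed audit records; the column names are assumptions for this
# example, not a real Salesforce log schema.
SAMPLE_LOG = """\
time,user,app,ip,object,rows
2025-08-10T09:01:00Z,alice,Sales Console,198.51.100.10,Account,120
2025-08-10T09:05:00Z,svc-chat,Chat Integration,203.0.113.5,Contact,300
2025-08-11T02:14:00Z,svc-chat,Chat Integration,192.0.2.77,Contact,48000
2025-08-11T02:20:00Z,svc-chat,Chat Integration,192.0.2.77,Case,31000
2025-08-12T16:40:00Z,bob,Data Loader Copy,192.0.2.99,Account,900
2025-08-12T16:45:00Z,bob,Data Loader Copy,192.0.2.99,Task,5000
"""

def find_suspicious_exports(log_text, approved, row_threshold=10000):
    """approved maps app name -> set of expected source IPs.

    Returns {(app, user, ip): {"rows": int, "reasons": [...]}} for every
    client that read sensitive objects and breaks at least one rule.
    """
    totals = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["object"] in SENSITIVE:
            totals[(rec["app"], rec["user"], rec["ip"])] += int(rec["rows"])

    findings = {}
    for (app, user, ip), rows in totals.items():
        reasons = []
        if app not in approved:
            reasons.append("unapproved_app")   # e.g. a modified Data Loader
        elif ip not in approved[app]:
            reasons.append("unexpected_ip")    # approved app's token used elsewhere
        if rows >= row_threshold:
            reasons.append("bulk_volume")      # export far above normal use
        if reasons:
            findings[(app, user, ip)] = {"rows": rows, "reasons": reasons}
    return findings

if __name__ == "__main__":
    approved = {"Sales Console": {"198.51.100.10"},
                "Chat Integration": {"203.0.113.5"}}
    for key, info in find_suspicious_exports(SAMPLE_LOG, approved).items():
        print(key, info)
```

The approved-app map doubles as a least-privilege inventory: any integration that cannot be given an owner and an expected source address is a candidate for token revocation.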

Conclusion: Salesforce’s Third-Party Shadow

The claimed theft of 1 billion Salesforce records via vishing and integrations is a stark reminder of supply chain vulnerabilities. As ShinyHunters retires, victims scramble. Enterprises should audit now. Will it spark reforms? The tokens remain a threat. (Source: TechCrunch)
