Hackers Steal 1 Billion Records from Salesforce

Dwijesh t

A hacking collective known as Scattered LAPSUS$ Hunters, reportedly comprising members from ShinyHunters, Lapsus$, and Scattered Spider, has launched a dark web leak site claiming to have exfiltrated approximately 1 billion records from Salesforce customer databases. The group is demanding ransom payments from affected organizations, threatening to release the stolen data publicly if their demands are not met by October 10, 2025.

How the Breach Occurred

The attackers exploited vulnerabilities in third-party integrations, particularly through the Salesloft-Drift platform. By compromising OAuth tokens associated with these integrations, they gained unauthorized access to Salesforce instances, allowing them to exfiltrate sensitive data from various object tables, including “Account,” “Contact,” “Case,” “Opportunity,” and “User.” This method bypassed traditional security measures, highlighting potential weaknesses in cloud-based CRM systems.

Companies Affected

Among the organizations reportedly impacted by this breach are major corporations such as FedEx, Toyota, Qantas, Google, and TransUnion. The stolen data includes personal and corporate information, potentially exposing millions of individuals to identity theft and fraud.

Response from Affected Organizations

In response to the breach, affected companies have initiated internal investigations and are working with cybersecurity experts to assess the scope of the damage. Salesforce and Salesloft have revoked compromised OAuth tokens and removed the affected applications from their platforms. However, some organizations have yet to publicly disclose the full extent of the breach.

Recommendations for Organizations

Experts advise organizations to take immediate action to mitigate potential risks:

  • Audit and Revoke OAuth Tokens: Review and revoke any compromised OAuth tokens associated with third-party integrations.
  • Enhance Authentication Measures: Implement multi-factor authentication (MFA) to add an additional layer of security.
  • Monitor for Suspicious Activity: Regularly monitor systems for any unusual access patterns or data exfiltration attempts.
  • Educate Employees: Conduct training sessions to raise awareness about phishing attacks and other social engineering tactics.
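As an added example, not code from the article or from Salesforce, the monitoring recommendation above applied to a constructed, simplified Salesforce API event-log export: it totals rows queried per connected app and flags any app pulling large volumes from several of the object types named in the report. The column names mirror Salesforce EventLogFile fields, but the log rows, client names and thresholds are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Object types the report says were pulled via compromised integration tokens.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Constructed sample in the shape of a simplified Salesforce "API" event-log export.
# Column names follow EventLogFile conventions; every row and client name is made up.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,20250901031502,005xx0000012345,DriftIntegration,Account,query,50000
API,20250901031610,005xx0000012345,DriftIntegration,Contact,query,120000
API,20250901031745,005xx0000012345,DriftIntegration,Case,query,80000
API,20250901031901,005xx0000012345,DriftIntegration,Opportunity,query,30000
API,20250901032015,005xx0000012345,DriftIntegration,User,query,2500
API,20250901090000,005xx0000067890,SalesDashboard,Opportunity,query,400
API,20250901091500,005xx0000067890,SalesDashboard,Account,query,250
API,20250901101200,005xx0000011111,MarketingSync,Contact,query,15000
"""


def summarize_api_usage(log_text):
    """Return {client: {entity: total_rows}} for API query calls only."""
    usage = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API" or row["METHOD_NAME"] != "query":
            continue
        usage[row["CLIENT_NAME"]][row["ENTITY_NAME"]] += int(row["ROWS_PROCESSED"])
    return usage


def find_bulk_exfil_candidates(log_text, row_threshold=10000, min_objects=3):
    """Flag clients (connected apps) that read large volumes from several sensitive objects.

    Thresholds are assumed values; tune them against each org's normal integration traffic.
    """
    findings = []
    for client, per_entity in summarize_api_usage(log_text).items():
        heavy = {e: n for e, n in per_entity.items()
                 if e in SENSITIVE_OBJECTS and n >= row_threshold}
        if len(heavy) >= min_objects:
            findings.append({"client": client,
                             "objects": sorted(heavy),
                             "rows": sum(heavy.values())})
    return findings


if __name__ == "__main__":
    for finding in find_bulk_exfil_candidates(SAMPLE_LOG):
        print(f"review connected app {finding['client']}: "
              f"{finding['rows']} rows across {finding['objects']}")
```

A single app reading one object in bulk (MarketingSync above) is not flagged by this rule alone; pairing it with a per-app baseline of historic row counts catches that case.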

Conclusion

The alleged theft of 1 billion records underscores the critical need for robust security measures in cloud-based platforms. Organizations must remain vigilant and proactive in safeguarding sensitive data to prevent such breaches. As investigations continue, the full impact of this breach may become clearer, potentially leading to broader implications for data security practices across industries.