Necessary Always Active
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
|
||||||
|
||||||
|
||||||
|
Published on
October 3, 2025
5 min read
Salesforce Data Breach: Hackers Threaten to Leak 1 Billion Records
In Focus
- A hacking group threatens to leak a billion records stolen in a Salesforce cyber attack
- The hackers have set up a data leak site called Scattered LAPSUS$ Hunters
- Toyota Motors, FedEX, and Hulu among companies listed on the data leak site
- Hacking group demands that Salesforce negotiates a ransom
A notorious hacking group blackmailing victims with the release of 1 billion records stolen in a Salesforce data breach. According to TechCrunch, the hacking group, which operates mainly in English, stole customer data from companies that use Salesforce cloud databases.
A Data Leak Site
The hacking group operates loosely and has been known as ShinyHunters, Scattered Spider, and Lapsus$. In recent weeks, the group has allegedly hacked various high-profile firms by gaining unauthorized access into their Salesforce-hosted cloud-based databases.
ShinyHunters launched a Salesforce data leak site called Scattered LAPSUS$ Hunters on the dark web. The site is designed to blackmail victims into paying the hacking group to keep it from publishing the stolen data online.
“Contact us to regain control on data governance and prevent public disclosure of your data. Do not be the next headline. All communications demand strict verification and will be handled with discretion,” the site reads in part.
Threat intelligence researchers first noticed the website on October 3, 2025.
High-Profile Companies Targeted
Some of the companies that have confirmed theft of customer data due to mass hacks are Google, insurance firm Allianz Life, Qantas, Kering, TransUnion, and Stellantis. Workday, which recently acquired AI firm Sana Labs, also confirmed data theft.
The hacking group listed alleged victims, who include Toyota Motors, FedEX, and Hulu. It remains unclear whether firms whose data was hacked but don’t appear on the hacking group’s website paid a ransom to keep their data from being published.
According to TechCrunch, a representative from ShinyHunters said “there are numerous other companies that have not been listed” without disclosing the reason.
Salesforce Data Leak Threat at a Glance:
- Hacking group operates loosely, is known as ShinyHunters, Scattered Spider, Lapsus$
- Hackers stole customer data from firms that use Salesforce cloud databases
- Workday, Google among firms that confirmed theft of customer data
- Salesforce confirmed extortion attempts
Demanding Ransom from Salesforce
Among executives that the cyber group is targeting for extortion are those in Salesforce. At the top of its data leak site, ShinyHunters mentions the software giant and demands that it negotiates a ransom. The hacking group says it will leak all the customer records if the software company fails to do so. This means Salesforce has not engaged it yet.
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” The company said in a statement.
Salesforce acquired data management firm, Own in 2024 to strengthen secure end-to-end solutions that protect customer data. Security experts have been speculating that the hacking group was planning to extort its victims by publishing a data leak site.
Traditionally, such websites have been linked to Russian-speaking ransomware groups. But organized cybercrime has evolved from data theft and encrypting victim data, to asking for ransoms privately and threatening publication of stolen data unless they receive payment.
How Cybercrime has Evolved Overtime
Investigators have not published a conclusive report about the cybersecurity incident. Recent hacking campaigns that utilize ShinyHunters’ Salesforce tactics are now leveraging social engineering, SIM swaps, multi-factor authentication fatigue, and abuse of recovery workflows to override legitimate sessions.
Leading incident responders recommend controls to mitigate cyber attacks including:
Implementing phishing-resistant multi-factor authentications
Backing hardware keys for admins
Identity-based conditional access
IP allowlists for API-heavy integrations
Continuous monitoring of abnormal exports
Experts recommend that companies that were affected by the Salesforce cybersecurity breach need to audit connected Apps, verify data access policies, and revoke unused refresh tokens.
