A major hacking operation has allegedly resulted in the theft of **1.5 billion records from Salesforce customers**, affecting hundreds of companies worldwide. The cybercriminal group ShinyHunters, alongside allied hacker groups Lapsus$ and Scattered Spider, reportedly executed this large-scale data breach by exploiting vulnerabilities in Salesloft’s GitHub repository and Salesforce platforms[2][4].
The breach originated in March 2025, when the hackers infiltrated Salesloft’s GitHub repository, which contained source code and sensitive OAuth tokens for Salesloft’s Drift chatbot and Drift Email platforms. Using malware called TruffleHog, they scanned the repository to extract these credentials, which then granted unauthorized access to various Salesforce object tables belonging to multiple companies[2][4].
The compromised Salesforce tables included critical business data categories such as "Account," "Contact," "Case," "Opportunity," and "User." According to reports, the bulk of stolen records were from the Contact table (579 million records), followed by Case (459 million), Account (250 million), Opportunity (171 million), and User (60 million), totaling about 1.5 billion records[4]. These data sets contained sensitive corporate and customer information, posing significant risks for affected businesses and individuals.
The FBI has issued warnings about ongoing campaigns targeting Salesforce instances, naming two threat groups, UNC6040 and UNC6395, which have employed social engineering and OAuth token exploitation to breach Salesforce environments. UNC6040 has been known to use voice phishing tactics to trick customer support agents into divulging credentials, while UNC6395 utilized compromised OAuth tokens linked to Salesloft Drift to access Salesforce data[3]. Extortion demands have reportedly followed some breaches, with ShinyHunters threatening to release stolen information if ransoms are not paid[1][3].
Notably, even tech giant Google was impacted by this wave of attacks. Google disclosed that its Salesforce database containing information on small and medium-sized businesses was breached by ShinyHunters, although the stolen data was described as mostly basic and publicly available information[1]. The incident underscores the challenges organizations face in defending against sophisticated social engineering and supply chain attacks.
Salesforce and Salesloft have since revoked compromised tokens and refreshed system access to block further unauthorized entry, with law enforcement and cybersecurity firms working to mitigate the fallout[3][4]. This breach highlights the growing risks associated with cloud-based customer relationship management platforms and the need for enhanced security measures, especially concerning third-party integrations.
In summary, the alleged theft of 1.5 billion Salesforce records is one of the largest known data breaches involving cloud CRM platforms, with multiple hacker groups exploiting software supply chain weaknesses and social engineering to exfiltrate vast amounts of sensitive data from hundreds of global companies[2][4].
🔄 Updated: 10/3/2025, 1:30:36 PM
The recent hacking coalition of ShinyHunters, Lapsus$, and Scattered Spider, which claims to have stolen 1.5 billion Salesforce records from 760 companies, is reshaping the competitive landscape by exposing vulnerabilities in widely trusted CRM integrations like Salesloft Drift[1][2][4]. This breach has impacted major tech and cybersecurity firms including Google, Palo Alto Networks, Zscaler, and Cloudflare, forcing urgent reevaluations of third-party app security and trust models within the enterprise software ecosystem[1][3]. Jamie Akhtar, CEO of CyberSmart, highlighted that attackers exploited OAuth tokens and social engineering to bypass traditional perimeter defenses, signaling a shift in cyber threats that could accelerate investments in tighter integration control
🔄 Updated: 10/3/2025, 1:40:34 PM
The recent hacking coalition of ShinyHunters, Lapsus$, and Scattered Spider groups, collectively calling themselves Scattered LAPSUS$ Hunters, has significantly disrupted the competitive landscape by stealing 1.5 billion records from 760 global companies using Salesforce platforms, including major tech and security firms like Google and Palo Alto Networks[1][2]. This breach exploited third-party app vulnerabilities and OAuth token abuse, forcing Salesforce to disable Salesloft integrations and pushing cybersecurity vendors to urgently reset credentials, undermining trust in cloud CRM ecosystems[3]. The hackers have launched an extortion website to pressure victims such as Allianz Life and Toyota Motors, further destabilizing industry confidence and intensifying competition over cloud security and data governance solutions[4].
🔄 Updated: 10/3/2025, 1:50:30 PM
A hacking coalition formed by ShinyHunters, Lapsus$, and Scattered Spider claims to have stolen **1.5 billion Salesforce records from 760 companies worldwide** by exploiting OAuth tokens obtained from a breach of Salesloft's GitHub repository in March 2025[1][2][4]. The compromised data spans critical Salesforce tables like Contact (579 million records), Case (459 million), and Account (250 million), impacting major firms including Google, Palo Alto Networks, and Zscaler[2][3][4]. The FBI has issued warnings related to this breach, which leveraged trusted third-party app integrations rather than exploiting Salesforce itself[1][2][3].
🔄 Updated: 10/3/2025, 2:00:45 PM
Hackers from groups ShinyHunters, Lapsus$, and Scattered Spider claim to have stolen **1.5 billion Salesforce records from 760 organizations** by breaching Salesloft’s GitHub repository in March 2025 and extracting OAuth tokens used to access Salesforce data tables such as Account, Contact, Case, Opportunity, and User[1][2][4]. According to Google Mandiant’s analysis, stolen data includes highly sensitive items like AWS access keys, passwords, and Snowflake access tokens, with the most compromised being 579 million records from the Contact table, potentially enabling extensive lateral movement and data breaches via third-party integrations like Salesloft Drift and Drift Email[1][4]. This attack highlights
🔄 Updated: 10/3/2025, 2:10:44 PM
Experts analyzing the Salesforce breach involving the hacking group "Scattered LAPSUS$ Hunters" emphasize the sophisticated use of compromised OAuth tokens from Salesloft Drift integrations, which enabled exfiltration of an estimated 1.5 billion records from 760 companies globally[2][4]. Google Threat Intelligence Group (GTIG) highlighted that the primary intent was credential harvesting, including AWS keys and passwords, with actors showing operational security by deleting query jobs while logs remained intact[1]. Industry analysts caution that the attack exploited insufficient OAuth security and lack of robust two-factor authentication enforcement, marking a severe operational security gap in the affected Salesforce customer environments[4].
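The pattern described above, queries against the named object tables followed by deletion of the query job while the audit trail survives, is something a defender can hunt for. The sketch below is an added example, not code from the article or from any vendor; the event schema, field names and app names are hypothetical, and the sample events are constructed.

```python
# Objects the article lists as accessed with the stolen Drift OAuth tokens.
WATCHED_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Constructed sample audit events in a hypothetical normalized schema
# (not a real Salesforce log format). IPs are documentation addresses.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:11:05Z", "app": "drift-integration", "ip": "203.0.113.7",
     "action": "query_job_created", "job_id": "J1", "object": "Contact", "rows": 480000},
    {"ts": "2025-08-10T02:14:40Z", "app": "drift-integration", "ip": "203.0.113.7",
     "action": "query_job_deleted", "job_id": "J1"},
    {"ts": "2025-08-10T02:20:00Z", "app": "drift-integration", "ip": "203.0.113.7",
     "action": "query_job_created", "job_id": "J2", "object": "Case", "rows": 2000},
    {"ts": "2025-08-10T02:21:10Z", "app": "drift-integration", "ip": "203.0.113.7",
     "action": "query_job_deleted", "job_id": "J2"},
    {"ts": "2025-08-10T03:00:00Z", "app": "reporting-app", "ip": "198.51.100.4",
     "action": "query_job_created", "job_id": "J3", "object": "Opportunity", "rows": 500},
    {"ts": "2025-08-10T04:00:00Z", "app": "etl-app", "ip": "198.51.100.9",
     "action": "query_job_created", "job_id": "J4", "object": "Account", "rows": 250000},
]

def find_suspicious_jobs(events, min_rows=100_000):
    """Flag query jobs on watched objects that were bulk-sized or deleted by the same app."""
    jobs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "query_job_created":
            jobs[ev["job_id"]] = {**ev, "deleted": False}
        elif ev["action"] == "query_job_deleted":
            job = jobs.get(ev["job_id"])
            # Count a deletion only if it follows the creation and comes from the same app.
            if job and job["app"] == ev["app"]:
                job["deleted"] = True
    findings = []
    for job in jobs.values():  # insertion order = creation-time order
        if job["object"] not in WATCHED_OBJECTS:
            continue
        reasons = []
        if job["deleted"]:
            reasons.append("job deleted after query")
        if job["rows"] >= min_rows:
            reasons.append("bulk export")
        if reasons:
            findings.append((job["app"], job["job_id"], job["object"], reasons))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_jobs(SAMPLE_EVENTS):
        print(finding)
```

The row threshold is an arbitrary starting point; in practice it would be tuned against each integration's normal query volume.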
🔄 Updated: 10/3/2025, 2:20:42 PM
Consumers and the public have expressed deep concern and alarm following claims that hacking groups ShinyHunters, Lapsus$, and Scattered Spider stole 1.5 billion Salesforce records from 760 companies worldwide. Many are worried about privacy and data security, especially given the involvement of high-profile firms like Google and Palo Alto Networks; one cybersecurity expert remarked that this is a “stark reminder that attacks aren’t just about zero days and flashy malware” but also about exploiting trust in third-party integrations[1][2]. Users impacted by the breach are demanding greater transparency and stronger safeguards, as reports highlight that 579 million records were from contact data alone, fueling fears over potential identity theft and fraud[4].
🔄 Updated: 10/3/2025, 2:30:50 PM
A cybercriminal coalition calling itself Scattered LAPSUS$ Hunters claims to have exfiltrated 1.5 billion Salesforce records—including sensitive customer and business data—from at least 760 global companies by exploiting stolen OAuth tokens from Salesloft’s Drift application[1][2]. Major cybersecurity firms such as Zscaler, Palo Alto Networks, Cloudflare, and even Google have confirmed breaches, with Zscaler stating attackers accessed its Salesforce instance but not core infrastructure, highlighting how third-party app vulnerabilities are rapidly reshaping the enterprise security landscape[3]. Jamie Akhtar, CEO of CyberSmart, warns, “The exploit of trust and integrations can be equally devastating... attackers have sidestepped many traditional perimeter defences to sip
🔄 Updated: 10/3/2025, 2:40:36 PM
A hacking coalition involving ShinyHunters, Lapsus$, and Scattered Spider exploited a March 2025 breach of Salesloft's GitHub repository, using TruffleHog malware to extract OAuth tokens for the Salesloft Drift platform. This allowed unauthorized access to Salesforce object tables—including Account, Contact, Case, Opportunity, and User—resulting in the alleged theft of **1.5 billion records across 760 organizations**. Critical stolen data includes AWS keys, passwords, and Snowflake tokens, raising severe risks of further compromise via third-party integrations[1][2][3].
🔄 Updated: 10/3/2025, 2:50:43 PM
A hacking coalition of ShinyHunters, Lapsus$, and Scattered Spider breached Salesloft's GitHub in March 2025 using TruffleHog malware to harvest OAuth tokens for the Salesloft Drift and Drift Email platforms, leading to unauthorized access of Salesforce customer data. They exfiltrated approximately 1.5 billion records from 760 companies, with 579 million records from the Contact table, 459 million from Case (support tickets), and the rest from Account, Opportunity, and User tables, exposing passwords, AWS keys, and Snowflake tokens among sensitive information. This supply chain attack forced Salesforce to revoke tokens and freeze Salesloft integrations, highlighting severe risks to ecosystem trust and downstream security for client
🔄 Updated: 10/3/2025, 3:00:59 PM
Following the hacking group’s claim of stealing 1.5 billion Salesforce customer records via compromised Salesloft Drift OAuth tokens, Salesforce’s stock experienced a notable downturn, dropping approximately 7% in trading on the day the breach details surfaced. Market analysts attributed the decline to heightened investor concerns over potential lawsuits and the broader impact on trust in Salesforce’s ecosystem, as affected clients include tech giants like Google and Cloudflare. Cybersecurity experts warn the breach could have long-term repercussions on Salesforce’s valuation and customer retention if remediation is inadequate[1][2][6].
🔄 Updated: 10/3/2025, 3:10:48 PM
Consumers and the public have expressed significant concern and frustration following the hacking group’s claim of stealing 1.5 billion Salesforce records from 760 companies globally, including major tech firms like Google and Palo Alto Networks[1][2]. Jamie Akhtar, CEO of CyberSmart, emphasized the severity by stating, "The exploit of trust and integrations can be equally devastating," highlighting how attackers bypassed traditional defenses through abused OAuth tokens[1]. This breach has sparked heightened anxiety about the security of trusted CRM platforms and the potential exposure of sensitive personal and business data.
🔄 Updated: 10/3/2025, 3:20:53 PM
A hacking coalition involving ShinyHunters, Lapsus$, and Scattered Spider reportedly stole **1.5 billion Salesforce records** from **760 organizations** by breaching Salesloft's GitHub repository in March 2025, extracting OAuth tokens for Salesloft Drift and Drift Email platforms using TruffleHog malware[1][2][4]. This allowed attackers to access sensitive Salesforce object tables such as Account, Contact, Case, Opportunity, and User, including **579 million records from the Contact table**, with data exfiltrated containing support tickets, AWS access keys, passwords, and Snowflake tokens, highlighting a critical supply chain vulnerability through trusted third-party app integrations[1][2][4]. The Campaign'
🔄 Updated: 10/3/2025, 3:31:00 PM
The alleged theft of 1.5 billion Salesforce records from 760 companies by the hacking groups ShinyHunters, Lapsus$, and Scattered Spider—now unified as Scattered Lapsus$ Hunters—has drastically altered the cybersecurity competitive landscape by exposing vulnerabilities in trusted CRM platforms and third-party integrations like Salesloft Drift[1][2][3]. Major tech firms such as Google, Cisco, Palo Alto Networks, and Cloudflare are confirmed victims, highlighting that even industry leaders are not immune, forcing cybersecurity providers to rapidly innovate and prioritize supply chain and OAuth token exploit mitigations[1][3]. Jamie Akhtar, CEO of CyberSmart, noted this breach underscores that "exploiting trust and integrations can b
🔄 Updated: 10/3/2025, 3:40:50 PM
Cybersecurity experts warn the alleged theft of 1.5 billion Salesforce records from 760 companies highlights the growing threat of third-party app vulnerabilities, with attackers exploiting compromised OAuth tokens from Salesloft's Drift platform to bypass traditional defenses. Jamie Akhtar, CEO of CyberSmart, emphasized that this “exploit of trust and integrations” demonstrates how attackers can siphon data from trusted CRM systems without zero-day exploits or malware, underscoring the risks in interconnected ecosystems. Industry leaders such as Google, Palo Alto Networks, and Zscaler have confirmed breaches, illustrating broad impacts across major tech firms and raising concerns about supply chain security in CRM environments[1][2][3].
🔄 Updated: 10/3/2025, 3:50:48 PM
Following the revelation that a hacking group allegedly stole 1.5 billion records from Salesforce customers, the stock market reaction has been notably negative for affected companies and cybersecurity vendors linked to the incident. Salesforce stock experienced a temporary dip of around 4% on September 30, 2025, as investors digested the breach's severity and potential impact on customer trust and future revenue. Cybersecurity firms named as victims, such as Zscaler and Palo Alto Networks, also saw their shares drop between 2% and 3%, reflecting concerns over the broader implications for cloud security ecosystems and supply chain risks[1][2]. Analysts warn that the breach's scale—impacting over 760 organizations including major brands—could have longer-term repercussions o