
A hacker group says it has stolen nearly one billion records from organizations that use Salesforce, raising fears of one of the largest data exposures linked to a cloud platform in years. Salesforce, however, says there is no sign that its own systems were breached.
The group calling itself Scattered LAPSUS$ Hunters announced that it had obtained data from companies using Salesforce software. According to statements seen on hacking forums and an extortion site, the group claims to have taken almost one billion customer records.
It says the attack did not target Salesforce’s own systems directly, but rather the systems of Salesforce’s customers. The group alleges that it accessed those organizations through weaknesses in their configurations or through third-party tools connected to Salesforce.
The hackers have threatened to release the stolen information publicly if ransom demands are not met. Their online post lists around forty companies as victims and gives a deadline of October 10 for payment or negotiations.
Salesforce’s Response
Salesforce has publicly denied that its platform was breached. In statements shared with Reuters and other media outlets, the company said it found no evidence that attackers gained access to its infrastructure.
The firm added that some of the claims appear to relate to past or unverified incidents. Salesforce said it is working with affected customers and investigating the reports.
No direct confirmation has yet come from any of the listed companies that their Salesforce data was stolen.
How the Attack Was Said to Work
Security researchers following the case say the method described by the attackers matches earlier activity linked to a hacking group tracked as UNC6040, sometimes associated with ShinyHunters.
Those campaigns used a mix of social engineering, voice-based phishing (also called vishing), and fake IT support calls to trick employees into revealing credentials or installing malicious tools.
Investigators believe the attackers may have exploited Salesforce’s Data Loader, a legitimate program used by customers to import and export large volumes of information. In a previous wave of attacks, modified versions of this tool were used to pull data directly from corporate Salesforce environments once credentials had been obtained.
This pattern suggests the hackers targeted individual companies rather than Salesforce itself.
Possible Connection to OAuth Token Theft
Separate reports suggest that another group linked to the same network may have compromised integrations between Salesforce and third-party sales platforms such as Salesloft and Drift.
According to SC World and Bleeping Computer, the attackers allegedly accessed OAuth tokens (digital keys that allow connected applications to share data automatically). If true, this would have enabled them to pull data from hundreds of organizations through authorized connections, even without breaching Salesforce directly.
That campaign reportedly led to the theft of up to 1.5 billion records from around 760 companies. The data was said to include information from common Salesforce tables such as Account, Contact, Opportunity, User, and Case records.
These details remain unverified, but the overlap between both incidents has drawn attention to the security of app integrations within large cloud ecosystems.
Who Might Be Affected
Names appearing on the hackers’ extortion site reportedly include well-known companies such as FedEx, Qantas, Toyota, TransUnion, Hulu, Cisco, Disney, Walgreens, and Saks Fifth Avenue.
Reuters and TechCrunch noted that these companies use Salesforce widely for customer relationship management and marketing automation. However, none of them have publicly confirmed a breach as of this writing.
Google told PYMNTS that one of its corporate Salesforce instances was affected in a separate but related campaign earlier this year, though it said the exposure was limited to business contact data.
What Data Could Be at Risk
If genuine, the stolen information could contain personal and business details such as names, email addresses, phone numbers, and company account information. Records from “Case” tables (often used for customer support) may also include communications or service notes.
Such data could be used for targeted phishing, identity theft, or fraud. Even basic customer information, when collected in bulk, can fuel large-scale social engineering attacks.
Security experts say that with access to internal names, departments, and contact patterns, attackers can craft messages that appear highly convincing. These kinds of breaches can therefore lead to secondary waves of attacks long after the initial data theft.
If confirmed, this would be one of the largest data exposures ever linked to a cloud-based service. Yet what makes it striking is not that Salesforce itself was hacked, but that its ecosystem may have been the entry point.
Modern software platforms rely on hundreds of plug-ins, connectors, and integrations. Each adds convenience but also expands the potential attack surface.
By compromising a tool or stealing access tokens that many clients share, attackers can reach multiple organizations at once — a chain reaction that is difficult to contain.
This mirrors the supply-chain breaches seen in other sectors, where one trusted component becomes a bridge into many targets.
Salesforce continues to emphasize that its platform is secure. The company says it is working closely with security teams at customer organizations to review logs, revoke suspicious tokens, and ensure that any potentially affected integrations are disabled.
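To make the log review described above concrete, here is an added example (not from the article, from Salesforce, or from any named company) that triages constructed API-activity records for the two patterns the article describes: a connected app using a stolen OAuth token, and a Data Loader style bulk export of the named CRM objects. The record layout, the app allowlist, and the row threshold are all assumptions, not Salesforce's real event-log schema.

```python
"""Added example (not from the article or Salesforce): triage constructed
API-activity records for two patterns: data access by a connected app the
org never approved, and a Data Loader style bulk pull of CRM objects."""
from collections import defaultdict

# Objects the article names as targeted; bulk reads of these are the signal.
SENSITIVE_OBJECTS = {"Account", "Contact", "Opportunity", "User", "Case"}
# Hypothetical allowlist of connected apps the org has actually approved.
APPROVED_APPS = {"Internal Reporting", "Data Loader"}
BULK_ROW_THRESHOLD = 50_000   # assumption: tune to the org's normal export volume

# Constructed sample records; a simplified stand-in, not Salesforce's real log schema.
SAMPLE_RECORDS = [
    {"ts": "2025-10-01T02:11:05Z", "user": "ops@example.com", "app": "Data Loader",
     "object": "Contact", "op": "query", "rows": 120_000},
    {"ts": "2025-10-01T02:13:40Z", "user": "ops@example.com", "app": "Data Loader",
     "object": "Account", "op": "query", "rows": 80_000},
    {"ts": "2025-10-01T09:00:12Z", "user": "svc-sync@example.com", "app": "Sales Sync Helper",
     "object": "Opportunity", "op": "query", "rows": 300},
    {"ts": "2025-10-01T09:30:00Z", "user": "rep@example.com", "app": "Internal Reporting",
     "object": "Case", "op": "query", "rows": 40},
]

def triage(records, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return a list of (reason, user, app, object, rows) findings."""
    findings = []
    totals = defaultdict(int)            # rows read per (user, app, object)
    for r in records:
        key = (r["user"], r["app"], r["object"])
        totals[key] += r["rows"]
        # Access through an app the org never approved is the token-abuse signal.
        if r["app"] not in approved:
            findings.append(("unapproved_app", r["user"], r["app"], r["object"], r["rows"]))
    # Approved tools can still be misused: a bulk pull of sensitive objects
    # is the Data Loader pattern, so aggregate per user/app/object and compare.
    for (user, app, obj), rows in totals.items():
        if obj in SENSITIVE_OBJECTS and rows >= threshold:
            findings.append(("bulk_export", user, app, obj, rows))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Each finding maps to one of the responses the article lists: revoke the token behind an unapproved app, and review or disable the user and integration behind a bulk export.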
It has not disclosed how many clients may be under review, nor has it confirmed whether any of the attackers’ claims have been independently validated.
The company also reiterated that it regularly audits its app marketplace and third-party tools for vulnerabilities, and that customers should maintain strong authentication and access-control measures.
If the group’s claims are accurate, the breach would expose vast amounts of personal and corporate information and could take months or years to fully assess. Even if only part of the data is genuine, the incident underlines the fragility of cloud-based business ecosystems.