SOCRadar® Cyber Intelligence Inc. | Salesforce-Related Data Breach Affecting Multiple Companies
Aug 11, 2025
Nov 22, 2025

Salesforce-Related Data Breach Affecting Multiple Companies

[Update] August 12, 2025: “ShinyHunters Reopens Telegram Channel, Claims BreachForums Is Law Enforcement–Run”

In mid-2025, a series of coordinated intrusions targeted the Salesforce environments of multiple high-profile companies across diverse sectors, including Technology, Retail, Luxury Fashion, Aviation, and Insurance. In one high-profile ransom message, the threat actors claimed the campaign had compromised data from 91 organizations worldwide. Victims included Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, Pandora, and others. The campaign, attributed to a financially motivated group tracked by Google as UNC6040 and often linked to the ShinyHunters name, relied entirely on social engineering rather than exploiting any flaw in Salesforce’s infrastructure.

While no vulnerabilities within Salesforce itself have been exploited, the incidents demonstrate how social engineering can bypass technical controls when users are misled into granting permissions. In multiple cases, stolen data has later been linked to extortion attempts, sometimes occurring months after the initial breach. The threat actors have, at times, claimed affiliation with the well-known group ShinyHunters during these extortion efforts, likely to increase pressure on victims.

How the Salesforce Data Breach Happened

According to Google, the intrusions combined targeted voice phishing (vishing) with abuse of Salesforce's Connected Apps feature. Posing as corporate IT staff, the attackers called employees, often in English-speaking branches of multinational companies, and walked them through "urgent" troubleshooting steps. The victim was directed to Salesforce's connected-app setup page and told to enter an eight-digit connection code that the caller read out. That code is the user-facing half of an OAuth device-style authorization: whoever started the flow on the other end is the app that gets authorized.

Attack sequence for Data Loader (Source: Google’s Threat Intelligence Group)

By entering the code, the victim authorized a malicious OAuth application controlled by the attackers, often a trojanized build of Salesforce's legitimate Data Loader tool. In some cases the app was registered under an innocuous name such as "My Ticket Portal". Once approved, the access token issued to the app gave the attackers API access at the level of the victim user's own permissions, which was enough to query and export large volumes of records: customer profiles, contact lists, loyalty program information and internal business data.

Establishing a connection to the threat actor controlled Data Loader requires the victim to enter an authentication code. (Source: Google’s Threat Intelligence Group)

According to Google's Threat Intelligence Group (GTIG), the attackers did not exploit any technical vulnerability in Salesforce itself. They relied on manipulating end users and on tenants whose connected-app settings allowed any user to authorize any third-party app. Multi-factor authentication was not broken; it was satisfied. The victim logged in and completed MFA themselves, then consented to the app, and the OAuth token issued afterwards is presented on API calls without any further MFA prompt. The attackers often started with small data queries to avoid raising suspicion before escalating to bulk extractions. In certain cases the compromised Salesforce access was used as a foothold into other cloud platforms, such as Office 365, for deeper data theft.
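The authorization sequence described above, as an added example that is not SOCRadar's or Salesforce's code: an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628), the flow behind the "type in this eight-digit code" step. It shows why a genuinely completed MFA login does not stop the attack, and what changes when the tenant only allows admin-approved connected apps. All names, URLs and client IDs in it are invented.

```python
# Added example (not SOCRadar's or Salesforce's code): an in-memory model of the
# OAuth 2.0 device authorization grant (RFC 8628), which is the flow behind the
# "read this 8-digit code to the caller and type it in" step. All names, URLs
# and client IDs are invented.
import secrets
import string


class AuthorizationServer:
    """Toy authorization + resource server (stands in for the SaaS platform)."""

    def __init__(self, approved_apps=None):
        # approved_apps=None models an org where any connected app may be
        # authorized by any user (the weak setting); a set models admin approval.
        self.approved_apps = approved_apps
        self.pending = {}        # user_code   -> (client_id, device_code)
        self.issued = {}         # device_code -> access_token
        self.tokens = {}         # access_token -> (client_id, user)
        self.mfa_passed = set()  # users with a completed MFA login

    def device_authorization(self, client_id):
        """Step 1: the app (here the attacker's trojanized loader) starts the
        flow and receives the short code the victim will be told to enter."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.digits) for _ in range(8))
        self.pending[user_code] = (client_id, device_code)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.invalid/setup/connect"}

    def user_login(self, user, password_ok, mfa_ok):
        """Step 2: the victim logs in normally; MFA genuinely succeeds."""
        if password_ok and mfa_ok:
            self.mfa_passed.add(user)
        return user in self.mfa_passed

    def user_enters_code(self, user, user_code):
        """Step 3: consent. The question answered here is not 'is this Alice?'
        (already settled by MFA) but 'may this app act as Alice?'"""
        if user not in self.mfa_passed:
            return "login and MFA required"
        if user_code not in self.pending:
            return "unknown code"
        client_id, device_code = self.pending.pop(user_code)
        if self.approved_apps is not None and client_id not in self.approved_apps:
            return "denied: connected app is not admin-approved"
        token = secrets.token_urlsafe(32)
        self.issued[device_code] = token
        self.tokens[token] = (client_id, user)
        return "approved"

    def poll_token(self, device_code):
        """Step 4: the app polls; None means authorization is still pending."""
        return self.issued.get(device_code)

    def api_query(self, access_token, soql):
        """Step 5: the resource server only checks the bearer token. No MFA
        prompt occurs here, which is why bulk export proceeds unchallenged."""
        if access_token not in self.tokens:
            return None
        client_id, user = self.tokens[access_token]
        return {"as_user": user, "via_app": client_id, "query": soql}


def run_vishing_scenario(approved_apps=None):
    """Plays the campaign's sequence end to end and returns (consent outcome,
    API result). Pass an allowlist to see the hardened org refuse the app."""
    srv = AuthorizationServer(approved_apps)
    grant = srv.device_authorization("attacker-loader-client-id")  # invented ID
    victim = "alice@victim.example"
    srv.user_login(victim, password_ok=True, mfa_ok=True)
    outcome = srv.user_enters_code(victim, grant["user_code"])  # read over the phone
    token = srv.poll_token(grant["device_code"])
    result = srv.api_query(token, "SELECT Name, Email FROM Contact") if token else None
    return outcome, result
```

Running `run_vishing_scenario()` returns `("approved", {...})`: the token is bound to the attacker's client ID and the query runs as the victim. Running it with `approved_apps={"corp-data-loader"}` returns the denial and no API result. Nothing about the victim's password or MFA differs between the two runs; the only thing that changes is whether the tenant lets an unknown app be authorized, which is why the connected-app policy, not MFA, is the control that matters here.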

To increase pressure on victims, the group created a Telegram channel named Scattered Lapsu$ Hunters. There they post small samples of allegedly stolen data and list targeted companies. These public “teaser leaks” act as a psychological tool, warning affected organizations that more damaging disclosures could follow if demands are not met. A group that had operated quietly in the background for some time revealed itself on August 8 by becoming active on Telegram. Alongside the teaser leaks, they also published screenshots from negotiation chats with some of the targeted companies, further intensifying the extortion pressure.

Who Is Behind This Attack?

At first, the use of voice phishing and IT help desk impersonation led many to suspect Scattered Spider, a group notorious for the 2023 MGM Resorts breach. Their hallmark tactics, including phone-based social engineering, guiding employees to authorize malicious apps, and bypassing MFA through OAuth abuse, closely matched the activity observed in the Salesforce campaign.

As more details emerged and Google’s Threat Intelligence Group (GTIG) published its findings, responsibility shifted toward ShinyHunters. The group began sending ransom emails under its own name, and investigators identified infrastructure overlaps with ShinyHunters’ earlier Snowflake breach operations. The campaign appeared to combine ShinyHunters’ data-theft-for-extortion model with Scattered Spider’s social engineering expertise, suggesting collaboration or shared membership.

In June 2025, French authorities arrested a BreachForums administrator linked to ShinyHunters, coinciding with the forum’s shutdown. Many expected this to disrupt the group, but the Salesforce campaign continued. This persistence indicates that ShinyHunters functions as a decentralized, extortion-as-a-service collective rather than a single coordinated team. The structure enables affiliated actors, potentially including Scattered Spider operatives and former Lapsus$ members, to conduct attacks under the ShinyHunters banner.

On April 25, a threat actor posted this message claiming arrests and offering data for sale, followed shortly after by an official law enforcement announcement

The choice of the name “Scattered Lapsu$ Hunters” appears intentional. It combines the identities of multiple notorious threat groups into a single label, which may not represent an actual merged entity. Instead, it is likely designed to amplify the group’s perceived reach and influence, leveraging the reputations of these well-known actors to intimidate victims and attract media attention.

Scattered Spider, in particular, is known for forming opportunistic alliances with other cybercriminal groups, having previously collaborated with Qilin Ransomware operators in past campaigns. Such associations make the inclusion of their name in this branding a calculated move to project greater power and capability.

By combining technical abuse of cloud platform features with targeted human deception, ShinyHunters has evolved into a resilient and adaptable threat actor capable of sustaining high-profile campaigns even after law enforcement actions.

Impact and Data Compromised

The scope of the Salesforce-related breach campaign was broad, affecting organizations across retail, luxury, technology, aviation, and insurance. While the exact data varied by company, the majority of exposed records contained customer contact information and account details that could be exploited for targeted phishing or social engineering. In most cases, companies stated that no passwords, payment card data, or highly sensitive financial information was stolen.

The table below summarizes the known affected companies, the nature of compromised data, and public response measures:

Adidas (Retail)
  Data compromised: Customer contact info (names, emails, phone numbers) from a third-party service database. No payment data or passwords.
  Response: Warned customers in May 2025. Launched an investigation with cybersecurity experts. Stated that no financial or login data was affected.

Cartier (Luxury)
  Data compromised: Limited client info: names, email addresses, country of residence. No passwords, credit cards, or financial data.
  Response: Contained the breach in late May 2025. Sent notification letters June 2. Enhanced protections, hired an external firm, informed law enforcement.

Google (Tech)
  Data compromised: Business contact database for SMB clients: company names, contact persons, phone numbers (mostly public info).
  Response: Detected internally in June and cut off access quickly. Disclosed in Aug 2025. Notified affected business customers. Declined to comment on ransom communications.

Louis Vuitton (LVMH)
  Data compromised: Regional client databases with personal data: names, gender, contact info, DOB, purchase history. No payment info.
  Response: Discovered July 2. Blocked access. Notified customers in multiple countries. Cooperated with authorities and strengthened systems.

Dior (LVMH)
  Data compromised: Customer contact details and shopping preferences from a vendor platform.
  Response: Disclosed in May 2025 (affecting South Korea). Investigated with experts, notified regulators, advised customers to watch for phishing.

Tiffany & Co. (LVMH)
  Data compromised: Customer data in Asia from a third-party CRM database, possibly including contact history.
  Response: Notified South Korean customers in April 2025. Took remedial measures, informed authorities.

Chanel (Luxury)
  Data compromised: U.S. customer care database: names, emails, addresses, phone numbers of support contacts. No financial info.
  Response: Detected July 25. Notified affected customers by Aug 1. Confirmed OAuth social engineering as the cause. Reinforced security training and access controls.

Qantas (Airline)
  Data compromised: ~5.7M customer records: names, emails, loyalty program info; for 1.7M of them, also addresses, DOB, phone, gender, and some meal preferences.
  Response: Detected late June, disclosed July 1. Cut off platform access. Confirmed scope July 9. Warned of extortion attempts.

Air France–KLM (Airline)
  Data compromised: Customer service data: names, emails, phone numbers, loyalty status, transaction info.
  Response: Discovered July/Aug 2025. Severed access, announced the breach Aug 7. Informed regulators, notified customers.

Allianz Life (Insurance)
  Data compromised: U.S. customer data in a cloud CRM (likely contact info, policy/account references).
  Response: Accessed on July 16 via a third-party CRM; disclosed July 2025. Contained the breach, cooperating with law enforcement.

Cisco (Tech)
  Data compromised: User profile info from CRM: names, IDs, email, phone, company affiliation, addresses. No credentials or financial data.
  Response: Detected July 24. Revoked malicious app access, launched an investigation. Publicly confirmed in Aug 2025.

Pandora (Retail)
  Data compromised: Customer profiles: names, DOB, email addresses. No payment data.
  Response: Acknowledged Aug 2025. Notified customers, cited ShinyHunters' claim of responsibility. Reviewed third-party security settings.

Others
  Data compromised: Smaller retail and travel companies; some incidents unpublicized. Example: Victoria's Secret took its site offline in late May.
  Response: Varied, from taking systems offline to quiet customer/regulator notifications.

Table: Known companies affected by the Salesforce-related data breach, compromised data types, and response actions. In all public disclosures, companies reported that passwords, financial account details, and payment card numbers were not stolen. The primary impact was the exposure of personal contact information and customer records.

Inside the Telegram Operations of Scattered Spider, Lapsus$, and ShinyHunters

The Telegram channel linked to Scattered Spider, Lapsus$, and ShinyHunters was launched on August 8, with its first posts appearing a day later. The early messages offered various alleged databases for sale, including those claimed to belong to Victoria’s Secret, Neiman Marcus, and Brazilian police and court records. The group also posted a screenshot of a Monero wallet holding a large balance, suggesting ransom payments.

Screenshot of a qTox ransom negotiation between ShinyHunters and a victim company.

They shared snippets from ransom negotiations conducted via qTox and mocked a company that had accidentally included the group’s email address in internal communications. A ransom demand directed at Salesforce CEO Marc Benioff threatened to leak data from “91 organizations, multinational conglomerates, and governments” unless 20 Bitcoins were paid. The group also claimed several major aviation companies were caught up in their campaign.

Telegram post demanding 20 BTC from Salesforce CEO Marc Benioff to avoid leaking data from 91 entities.

Beyond Salesforce-related claims, the group advertised a Linux local privilege escalation exploit for 10 BTC, suggested leaking Oracle source code if their post received 100 likes, and posted databases allegedly tied to the Snowflake breach. They commented on law enforcement actions, mocking the seizure of the cryptocurrency exchange TradeOgre, and announced plans for their own Ransomware-as-a-Service (RaaS) program, boasting it would outperform DragonForce and LockBit.

One of the most notable claims involved Coca-Cola Europacific Partners. The group launched a Telegram poll about leaking a Salesforce database allegedly containing 23 million CRM records. This data had previously been advertised for sale on DarkForums by a threat actor using the alias “Gehenna,” but at the time was not made public. According to the claim, the records spanned from 2016 to 2025 and included account data, contact lists, product information, and customer support cases. The data was later posted in the Telegram channel, fueling speculation about possible links between Gehenna and the group.

Gehenna claims to have breached the Salesforce dashboard of Coca-Cola Europacific Partners in early May 2025. (SOCRadar Dark Web News)

In addition to Coca-Cola Europacific Partners, the group shared full data allegedly tied to Allianz Life, and samples from Cartier, Gucci, and Subaru, along with claims of possessing sensitive information from government entities in India and Brazil. They also teased the future leak of a Coinbase database and offered to reveal the real identity of the Qilin ransomware administrator if their post received enough engagement.

The channel mixes aggressive marketing of alleged data breaches with manifesto-style statements, often attacking cybersecurity companies, law enforcement, and federal agencies. The group frames itself as a reliable “business partner” for those willing to pay, while portraying non-paying victims as responsible for subsequent data exposure.

Mitigation and Readiness Strategies

The Salesforce-related breach underscores the need for a defense-in-depth approach that blends strong technical controls, user awareness, and proactive threat detection. Key measures include:

  • Enforcing least privilege for API access. An OAuth token inherits the consenting user's permissions, so limit the "API Enabled" permission and the ability to run Data Loader or bulk jobs to the accounts that genuinely need them.
  • Allowlisting and vetting connected apps. Configure connected-app policies so that only admin-approved apps can be authorized by users (in Salesforce, the "Admin approved users are pre-authorized" policy, together with API Access Control where it is available); then a code typed in for an unknown app fails instead of issuing a token.
  • Implementing strict IP restrictions for both user logins and connected-app access (login IP ranges and per-app IP relaxation settings), so that a token obtained through social engineering cannot be used from attacker infrastructure.
  • Keeping MFA while understanding its limit here: the victim passes MFA legitimately and then consents to the app. Train staff to refuse any request to enter a connection or verification code on behalf of a caller, and to verify "IT" requests through a known out-of-band channel.
  • Monitoring for abnormal data access, such as a newly authorized connected app followed by large exports, API row counts that ramp from small test queries to bulk extraction, or API calls from unfamiliar source IPs (Event Monitoring and Transaction Security Policies, where licensed, expose this data).
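One way to implement the monitoring bullet above, as an added example that is not SOCRadar's or Salesforce's code: a small detector run over constructed rows shaped like Salesforce EventLogFile "API" events. The column names (TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED, SOURCE_IP) follow the documented field names, but the rows, the client names, the approved-app list and the thresholds are all invented for the example. The three rules track the footprint described earlier in this article: an unapproved connected app appears, its queries escalate from small probes to large pulls, and individual requests cross a bulk threshold.

```python
# Added example (not SOCRadar's or Salesforce's code): a detector over
# constructed rows shaped like Salesforce EventLogFile "API" events. Column
# names follow the documented fields; rows, client names, the approved-app
# list and thresholds are invented for the example.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a legitimate loader session, then an unapproved client
# that starts with tiny queries and escalates to bulk pulls.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
2025-06-10T09:01:12Z,005XX0000011AAA,Corp Data Loader,Account,180,203.0.113.10
2025-06-10T09:02:40Z,005XX0000011AAA,Corp Data Loader,Contact,250,203.0.113.10
2025-06-10T09:05:03Z,005XX0000011AAA,My Ticket Portal,Contact,20,198.51.100.7
2025-06-10T09:09:55Z,005XX0000011AAA,My Ticket Portal,Contact,500,198.51.100.7
2025-06-10T09:14:20Z,005XX0000011AAA,My Ticket Portal,Contact,50000,198.51.100.7
2025-06-10T09:15:01Z,005XX0000011AAA,My Ticket Portal,Account,120000,198.51.100.7
"""

APPROVED_CLIENTS = {"Corp Data Loader", "Corp Integration Service"}  # invented
BULK_ROW_THRESHOLD = 10_000   # one request returning this many rows is "bulk"
RAMP_FACTOR = 10              # escalation = >= 10x the smallest recent query
MIN_RAMP_ROWS = 1_000         # ...and large enough to matter
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse CSV rows into dicts with a typed timestamp and row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def detect(rows):
    """Return findings for: an unapproved connected app, a small-to-bulk ramp
    by one (user, app) pair within WINDOW, and single bulk-sized requests."""
    findings = []
    flagged_apps = set()                 # (user, client) already reported
    ramped = set()
    history = defaultdict(list)          # (user, client) -> [(ts, rows)]
    for r in rows:
        key = (r["USER_ID"], r["CLIENT_NAME"])
        base = {"user": r["USER_ID"], "client": r["CLIENT_NAME"],
                "ts": r["TIMESTAMP_DERIVED"], "source_ip": r["SOURCE_IP"]}
        if r["CLIENT_NAME"] not in APPROVED_CLIENTS and key not in flagged_apps:
            flagged_apps.add(key)
            findings.append({"rule": "unapproved_connected_app", **base})
        recent = [n for t, n in history[key] if r["ts"] - t <= WINDOW]
        if (recent and key not in ramped
                and r["rows"] >= max(RAMP_FACTOR * min(recent), MIN_RAMP_ROWS)):
            ramped.add(key)
            findings.append({"rule": "small_to_bulk_ramp", **base,
                             "from_rows": min(recent), "to_rows": r["rows"]})
        if r["rows"] >= BULK_ROW_THRESHOLD:
            findings.append({"rule": "bulk_extraction", **base,
                             "entity": r["ENTITY_NAME"], "rows": r["rows"]})
        history[key].append((r["ts"], r["rows"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, the two legitimate loader rows produce nothing; "My Ticket Portal" is flagged on its first request, the ramp rule fires when its row count jumps from 20 to 50,000, and the two bulk rows are reported individually. In production the same logic would run over the daily or hourly EventLogFile exports, with the approved-app list taken from the org's actual connected-app inventory and thresholds tuned to normal integration volumes.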

SOCRadar’s Attack Surface Management and Cyber Threat Intelligence modules can directly strengthen these defenses. The Threat Hunting feature enables continuous monitoring for compromised credentials, malicious IPs, and mentions of company assets across underground channels.

SOCRadar’s ASM module – Digital Footprint Monitoring

Threat Actor Intelligence delivers detailed profiles of adversaries like ShinyHunters, mapping their TTPs and providing actionable IoCs for immediate containment. With Attack Surface Monitoring, suspicious changes or unauthorized connections to Salesforce are detected in real time, while Dark Web Monitoring uncovers threats before they materialize into active compromises.

SOCRadar’s Threat Actor Intelligence

ShinyHunters Reopens Telegram Channel, Claims BreachForums Is Law Enforcement–Run

ShinyHunters opened a new Telegram channel after the previous one, which shared Salesforce breach claims, was shut down within three days. In the new channel, leader Shiny posted a PGP-signed message with serious allegations.

PGP-signed statement shared in the newly created “Scattered LAPSUS$ Hunters” Telegram channel, in which Shiny claims BreachForums is under law enforcement control

Shiny claimed that BreachForums and its official PGP key are under the control of French law enforcement (BL2C) working with the U.S. DOJ and FBI. Shiny said the “Hollow” and “ShinyHunters” admin accounts were compromised, and the “Founder” account is run by a federal agent.

According to Shiny, all private messages, plaintext passwords, IP addresses, emails, and other user data collected since the forum’s relaunch are in law enforcement hands. Shiny said the forum’s source code was changed to log every action, and that posts signed with the official PGP key can no longer be trusted.

Shiny also admitted that the “Anastasia” and “Hollow” admin accounts were his own and managed solely by him. This is notable because a person identified as “Hollow” was arrested in recent BreachForums-related operations.

In a follow-up post, Shiny claimed the domain breachforums.hn and all .onion mirrors are compromised, saying the entire site is now a law enforcement honeypot.

Conclusion

The Salesforce-related data breach of 2025 is a stark reminder that customer tenants on even the most trusted platforms can be compromised when human factors and interconnected systems are exploited. Over several months, coordinated social engineering and OAuth consent abuse gave attackers access to sensitive customer data at high-profile organizations worldwide. The breach did not result from a Salesforce vulnerability but from the misuse of legitimate features combined with effective deception of employees.

The incident highlights that supply chain risks extend far beyond traditional IT boundaries. Third-party platforms, integrations, and vendors can all become entry points for threat actors. This reality underscores the critical need for comprehensive supply chain intelligence to identify hidden dependencies and weak links before they are exploited.

SOCRadar’s Supply Chain Intelligence module addresses these challenges by giving organizations end-to-end visibility across their extended networks, monitoring over 50 million companies, and applying dynamic risk scoring to prioritize the most critical vulnerabilities. By coupling this intelligence with real-time alerts and tiered prioritization, organizations can strengthen their defenses, reduce exposure, and maintain operational resilience against evolving threats.

SOCRadar’s Supply Chain Intelligence

Ultimately, the lessons from this breach are clear: security must extend beyond internal systems to encompass the full ecosystem of partners and service providers. Proactive intelligence and continuous monitoring are no longer optional—they are essential for preventing the next large-scale compromise.