
Hacking Group Claims Theft of 1 Billion Salesforce Customer Records

The ShinyHunters group claims to have stolen approximately 1 billion customer records from companies that store data in Salesforce, by abusing OAuth tokens stolen from a third-party integration, Salesloft Drift. The alleged victims include major corporations such as Google, FedEx, Qantas, and TransUnion, and the hackers are demanding ransom payments by October 10.

Screenshot from ShinyHunters' hacking group leak site claiming 1 billion records stolen from Salesforce databases
Image credits: TechCrunch

The Scale of the Alleged Breach

A notorious hacking group calling itself "Scattered LAPSUS$ Hunters" has launched a data leak website claiming to have stolen approximately 1 to 1.5 billion records from companies that store customer data in Salesforce. The group, whose name and membership are linked to ShinyHunters, Scattered Spider, and Lapsus$, has given the named companies until October 10 to pay its ransom demands or see the data published.

The alleged victims include major corporations such as Google, FedEx, Qantas, TransUnion, Toyota, HBO Max, and Walgreens. The hackers claim the stolen data includes personally identifiable information (PII) drawn from the standard Salesforce objects Account, Contact, Case, Opportunity, and User, which is where a CRM tenant keeps customer names, contact details, support-ticket contents, deal data, and its own staff accounts.

How the Attack Unfolded

According to security researchers, the breach did not target Salesforce's core platform directly. Instead, the hackers abused OAuth tokens stolen from Salesloft Drift, a third-party AI chat and marketing tool that integrates with Salesforce. The chain began in March with a breach of Salesloft's GitHub account, where the threat actors ran secret-scanning tools (the same class of tool defenders use to find leaked credentials in source code) against the repositories and discovered OAuth credentials.
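The secret-scanning step described above is worth seeing from the defender's side, because the same scan run by the repository owner before the attacker arrives finds the same credentials. The following is an added example, not code from the page or from Salesloft; it scans a constructed, in-memory repository snapshot (`SAMPLE_REPO`, all values made up, with Amazon's documented placeholder access key standing in for a live one) using two rules: a fixed-prefix match for known credential formats, and a high-entropy check on any assignment to a variable whose name looks secret-bearing. The rule names, thresholds, and the `scan_repo` function are assumptions of this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed repository snapshot for the example: {path: file contents}.
# Every value is made up; the AWS pair is Amazon's documented placeholder key.
SAMPLE_REPO = {
    "src/config/dev.py": (
        'DEBUG = True\n'
        'SF_LOGIN_URL = "https://login.salesforce.com"\n'
        'DB_PASSWORD = "changeme_changeme_changeme"\n'   # placeholder, low entropy
    ),
    "scripts/sync.sh": (
        '#!/bin/sh\n'
        'export SF_REFRESH_TOKEN="5Aep861TSESvWeug_xvFHRBTTbf_YrTY2vPh1ppuIpHcVbn1XnpN"\n'
    ),
    "deploy/creds.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "# Drift connector\nSet SF_REFRESH_TOKEN in the environment; never commit it.\n",
}

# Rule 1: credential formats with a fixed, recognisable prefix. No entropy
# check is needed; the prefix alone is the signal.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Rule 2: an assignment (KEY=value, KEY: value, with or without quotes) to a
# variable whose name suggests a secret, where the value is at least 20 chars.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*[\"']?(?P<value>[A-Za-z0-9_\-/+.!]{20,})"
)
MIN_ENTROPY = 3.5  # bits per character; prose and placeholders sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    name: str


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every line of every file; a known-format hit suppresses the generic
    rule on the same line so one leaked key is reported once."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            known = [rule for rule, pat in KNOWN_FORMATS.items() if pat.search(line)]
            if known:
                findings.extend(Finding(path, line_no, r, r) for r in known)
                continue
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group("value")) >= MIN_ENTROPY:
                findings.append(Finding(path, line_no, "high_entropy_assignment", m.group("name")))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.rule} ({f.name})")
```

Run against the snapshot it reports the AWS key pair and the refresh token in the shell script, but neither the README sentence that merely names the variable nor the low-entropy `changeme` placeholder. A real scan should also walk git history, since a credential removed in a later commit is still recoverable from earlier ones.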

Using these stolen tokens, the hackers gained API-level access to the Salesforce instances of Drift's customers and extracted large volumes of data without touching Salesforce's own infrastructure. Because an OAuth token carries the permissions the customer granted to the integration and stays valid until it is revoked, the attacker's queries arrived as ordinary integration traffic under the integration's own user. Google Threat Intelligence tracks the Drift token theft and abuse as UNC6395, and a related campaign that used voice phishing to trick Salesforce customers' employees as UNC6040.
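Since the stolen token's requests look like normal integration traffic, the practical detection is behavioural: compare what each OAuth client reads against what it normally reads. The block below is an added example, not code from the page, Salesforce, or Google; it runs over constructed event records (`SAMPLE_EVENTS`) whose fields are loosely modelled on what a Salesforce API event log exposes (connected app, user, object, rows returned) but are simplified and are not the exact EventLogFile column names. The per-client baseline, the client names, and the `detect_token_abuse` function are assumptions of the example. It raises two kinds of alert: scope drift (a client reading one of the sensitive objects named in this article that it has no history of reading) and a volume spike (more rows in a trailing window than the client's hourly norm).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The objects the leak site claims were taken; reads of these outside a
# client's baseline are the signal.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Constructed sample events (made up for the example). "client" is the OAuth
# connected app the token belongs to; "rows" is rows returned by the call.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T09:00:00Z", "client": "chat-integration", "user": "integ@example.com", "object": "Lead", "rows": 40},
    {"ts": "2025-08-08T09:05:00Z", "client": "chat-integration", "user": "integ@example.com", "object": "Contact", "rows": 12},
    {"ts": "2025-08-08T09:30:00Z", "client": "chat-integration", "user": "integ@example.com", "object": "Case", "rows": 250000},
    {"ts": "2025-08-08T09:32:00Z", "client": "chat-integration", "user": "integ@example.com", "object": "Account", "rows": 180000},
    {"ts": "2025-08-08T09:35:00Z", "client": "chat-integration", "user": "integ@example.com", "object": "User", "rows": 3100},
    {"ts": "2025-08-08T02:00:00Z", "client": "bi-export", "user": "etl@example.com", "object": "Account", "rows": 400000},
    {"ts": "2025-08-08T02:10:00Z", "client": "bi-export", "user": "etl@example.com", "object": "Opportunity", "rows": 90000},
    {"ts": "2025-08-08T11:00:00Z", "client": "unknown-app", "user": "integ@example.com", "object": "Contact", "rows": 5},
]

# Per-client baseline an org derives from its own history: which objects each
# OAuth client is expected to read and how many rows per hour is normal.
# A client absent from the baseline has no expected objects and no volume budget.
BASELINE = {
    "chat-integration": {"objects": {"Lead", "Contact"}, "rows_per_hour": 5000},
    "bi-export": {"objects": {"Account", "Opportunity"}, "rows_per_hour": 1_000_000},
}


def _parse_ts(s: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_token_abuse(events, baseline, window=timedelta(hours=1)):
    """Return alerts for OAuth clients reading sensitive objects outside their
    baseline (scope_drift) or exceeding their hourly row budget (volume_spike)."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append({**e, "t": _parse_ts(e["ts"])})

    for client, evs in by_client.items():
        profile = baseline.get(client, {"objects": set(), "rows_per_hour": 0})
        evs.sort(key=lambda e: e["t"])

        # Scope drift: one alert per sensitive object the client is not baselined for.
        for e in evs:
            if e["object"] in SENSITIVE_OBJECTS and e["object"] not in profile["objects"]:
                alerts.append({"client": client, "kind": "scope_drift",
                               "object": e["object"], "rows": e["rows"], "user": e["user"]})

        # Volume spike: rows returned in any trailing window exceed the hourly
        # norm. The first breach is enough to page on, so stop after one alert.
        for i, e in enumerate(evs):
            total = sum(x["rows"] for x in evs[: i + 1] if e["t"] - x["t"] <= window)
            if total > profile["rows_per_hour"]:
                alerts.append({"client": client, "kind": "volume_spike",
                               "object": None, "rows": total, "user": e["user"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_token_abuse(SAMPLE_EVENTS, BASELINE):
        print(a)
```

On the sample, the chat integration that normally reads a few dozen Lead and Contact rows suddenly pulls Case, Account, and User in bulk and trips both rules; the nightly BI export, which legitimately moves hundreds of thousands of Account rows, stays quiet because that is its baseline; and a client with no baseline at all is flagged on its first read. The response to a true positive is to revoke the connected app's tokens, not just the one session, since every refresh token issued to that app is suspect.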

Salesforce's Response and Legal Implications

Salesforce maintains that its core platform was not compromised, describing the extortion claims as relating to "past or unsubstantiated incidents." The company says there is no indication of a vulnerability in its technology and that the incidents primarily involved social engineering of end users, who were tricked into granting access.

However, the company faces mounting legal pressure, with at least 14 lawsuits already filed in the U.S. District Court for the Northern District of California, including proposed class actions alleging negligence and privacy violations. The litigation could result in significant financial penalties and reputational damage for the cloud software giant.

Broader Security Implications

This incident highlights a structural weakness in how third-party integrations are granted API access to cloud platforms. A single compromised integration cascaded into data theft across hundreds of organizations even though the core platform was never broken into, because each customer had delegated broad read access to the integration's OAuth tokens and those tokens remained valid until revoked. For defenders, the practical checks are an inventory of every connected app and the scopes it holds, least-privilege integration users that can reach only the objects the integration needs, monitoring of API usage per client against its normal pattern, and the ability to revoke an app's tokens tenant-wide the moment its vendor reports a compromise.

The FBI has already issued warnings about these threat actors, and the incident is likely to drive increased scrutiny of vendor risk management practices. Companies may need to implement stricter security requirements for third-party applications and enhance employee training to combat sophisticated social engineering tactics.
