We're the #1 AI CRM—where humans with agents drive customer success together with AI, data, and Customer 360 apps on one platform. Privacy Statement: http://www.salesforce.com/company/privacy/

Salesforce A.I CyberSecurity Scoring

Salesforce

Company Details

LinkedIn ID: salesforce
Number of employees: 84,115
Number of followers: 6,028,213
NAICS: 5112
Industry Type: Software Development
Homepage: salesforce.com
IP Addresses: 4
Company ID: SAL_2246365
Scan Status: Completed

Salesforce Risk Score (AI oriented): Between 0 and 549
Salesforce Global Score (TPRM): XXXX

Salesforce Company CyberSecurity News & History

Past Incidents: 20
Attack Types: 4

Entity: Salesforce
Type: Breach
Severity: 85
Impact: 4
Seen: 3/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data due to a breach involving third-party integrations (Salesloft Drift). Attackers stole OAuth tokens from Salesloft’s GitHub in March 2025, later exploiting them to access Salesforce systems in July 2025. The breach led to the theft of personally identifiable information (PII), putting victims at risk of identity theft and fraud. Lawsuits, including a class action led by Staci Johnson, allege Salesforce failed to implement adequate security measures, forcing affected individuals to monitor financial accounts and credit reports. While Salesforce denies platform compromise, the attack impacted major clients like TransUnion (4.5M individuals) and Farmers Insurance (1M customers). Google’s analysis confirmed the attack relied on social engineering, impersonating IT support to trick employees into sharing credentials—no inherent Salesforce vulnerability was exploited. The incident highlights risks in third-party integrations and credential theft.

Entity: Salesforce
Type: Breach
Severity: 85
Impact: 4
Seen: 3/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Salesforce experienced a data breach originating from a third-party provider, **SalesLoft**, specifically via its **Drift app**—an integration used for automated customer communications. The breach was executed by the hacker group **ShinyHunters**, who exploited compromised **GitHub credentials** at SalesLoft between **March and June**, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate **Drift’s AWS environment**, obtaining **OAuth tokens** from multiple customer organizations, including **Cloudflare, Zscaler, Palo Alto Networks, and others**. The stolen data primarily included **customer contact details, basic IT support information, access tokens, and IT configuration details**. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed **CRM fields, support cases, and integration data** across **hundreds of affected organizations**. Salesforce refused to pay ransom demands, emphasizing a **no-negotiation stance** against extortion. The **Drift app remains disabled**, and affected customers were advised to **renew access tokens** to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.

Entity: Salesforce
Type: Breach
Severity: 85
Impact: 4
Seen: 8/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: A widespread data breach in **Salesforce** was uncovered by Google’s Threat Intelligence Group (GTIG) and Mandiant, orchestrated by the threat actor **UNC6395** between **August 8–18, 2025**. The attackers exploited **stolen OAuth tokens** from the **Salesloft Drift** third-party application, bypassing **Multi-Factor Authentication (MFA)** by abusing non-human identities (NHIs). This allowed them to **systematically exfiltrate large volumes of data** from corporate Salesforce accounts, focusing on **customer accounts, user details, and high-value secrets**—including **AWS access keys, Snowflake tokens, and other credentials**. The breach targeted **sensitive customer data**, with attackers deleting query logs to obscure their activity. While **Google Cloud customers were unaffected**, Salesforce and Salesloft responded by **revoking all Drift app tokens** and temporarily removing the app from the **AppExchange** during investigations. The incident highlights a growing trend of **NHI-based attacks**, where persistent, high-privilege non-human identities are exploited to **steal credentials and escalate access**. Organizations were urged to **harden access controls, rotate compromised keys, and enforce IP restrictions** to mitigate future risks. The breach underscores critical gaps in **identity governance**, as many firms lack even basic inventories of NHIs, leaving them vulnerable to such **covert, high-impact exfiltration campaigns**.

Entity: Salesforce
Type: Breach
Severity: 100
Impact: 3
Seen: 6/2025
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: A financially motivated threat actor group, UNC6040, has been targeting Salesforce customers through voice phishing (vishing). The group impersonates IT support personnel to trick employees into granting sensitive access or sharing credentials. This campaign has resulted in the compromise of organizational data and subsequent extortion attempts, posing a significant threat to the company's security and reputation.

Entity: Salesforce
Type: Cyber Attack
Severity: 60
Impact:
Seen: 05/2019
Rankiteo Explanation: Attack threatening the organization's existence

Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the Salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also have experienced service disruption.

Entity: Salesforce (via targeted customers)
Type: Cyber Attack
Severity: 60
Impact: 2
Seen: 10/2025
Rankiteo Explanation: Attack limited to finance or reputation

Description: Google’s Mandiant reported an ongoing social engineering campaign by the criminal gang **UNC6040**, which impersonates IT support personnel via **voice phishing (vishing)** to trick employees—particularly those in English-speaking branches of multinational corporations—into granting access to **Salesforce instances**. The attackers manipulate end-users (often with elevated SaaS access) into clicking malicious links or sharing credentials, leading to **unauthorized data exfiltration from Salesforce environments**. No inherent Salesforce vulnerabilities were exploited; the breach relied entirely on human deception. Mandiant emphasized the need for **defense-in-depth strategies**, including caller verification and strict validation of third-party requests. The attack highlights the persistent risk of **credential theft via social engineering**, with potential exposure of sensitive customer or corporate data stored in Salesforce.

Entity: Salesforce (via targeted CRM platforms)
Type: Cyber Attack
Severity: 85
Impact: 4
Seen: 9/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: UNC6040 executed a highly sophisticated **vishing (voice phishing) campaign** targeting enterprise **Customer Relationship Management (CRM) platforms**, particularly **Salesforce**, to perform **large-scale data exfiltration**. The attack leveraged **OAuth 2.0 exploitation**, tricking victims into granting malicious apps **elevated API permissions** (including `api`, `refresh_token`, and full scopes) via spoofed IT support calls. Using **SIP spoofing, VoIP routing via Tor/Mullvad VPN**, and modified **Data Loader applications with custom Python scripts**, the threat actors automated **bulk data extraction** via **SOQL queries and REST API calls**, bypassing detection through rate-limiting. The compromised data likely included **customer records, financial details, and sensitive corporate information**, enabling **persistent access for extortion**. The group’s infrastructure—segmented across **Tor hidden services, commercial VPNs, and bulletproof hosting**—hinted at preparations for a **Data Leak Site (DLS)**, escalating from private ransom demands to **public pressure tactics**. Partnerships with **UNC6240 (ransomware/extortion specialists)** suggest potential **follow-on ransomware or data auction threats**.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 10/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: The FBI's seizure of **BreachForums**, a hacking forum used by cybercriminal groups like **Scattered Lapsus$ Hunters** (including Baphomet, IntelBroker, and ShinyHunters), has exposed Salesforce as a key target in a series of high-profile attacks. These actors exploited vulnerabilities to breach Salesforce environments, compromising customer data of major corporations such as **Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota**. The stolen data was leaked on BreachForums, where attackers also conducted extortion campaigns, threatening to expose or sell sensitive information unless ransoms were paid. The breach highlights systemic risks in Salesforce’s ecosystem, where third-party integrations and misconfigured access controls enabled attackers to infiltrate high-value SaaS platforms. While the FBI’s takedown disrupted the forum’s operations, the attackers have pivoted to encrypted channels like **Telegram**, continuing their monetization efforts through ransomware, data resale, and targeted extortion. The incident underscores the broader threat to enterprise tenants, where compromised Salesforce instances serve as gateways to wider corporate networks, financial records, and proprietary customer databases. The cumulative impact includes reputational damage, financial losses from extortion, and erosion of trust in cloud-based CRM security.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: Salesforce was targeted by the newly formed **Scattered LAPSUS$ Hunters (SLH)**, a federated cybercriminal collective merging the capabilities of **Scattered Spider, ShinyHunters, and LAPSUS$**. The attack involved **AI-driven vishing, spearphishing, and zero-day exploitations** (e.g., **CVE-2025-61882** in Oracle E-Business Suite) to compromise Salesforce’s cloud infrastructure. SLH leveraged **credential harvesting, lateral movement, and privilege escalation** to exfiltrate sensitive data, likely including **customer and enterprise SaaS records**. The group announced the breach on their **Telegram-based data-leak site (DLS)**, using psychological tactics to maximize reputational damage. Given SLH’s **Extortion-as-a-Service (EaaS) model** and history of targeting high-value enterprises, the attack likely resulted in **financial fraud, operational disruption, and erosion of customer trust**. The involvement of actors like **‘yuka’ (linked to BlackLotus UEFI bootkit)** suggests advanced persistence mechanisms, increasing the risk of **long-term data exposure or ransomware deployment**. The breach aligns with SLH’s strategy of **high-impact, brand-damaging extortion**, posing existential threats to Salesforce’s market position and regulatory compliance.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 5/2024
Rankiteo Explanation: Attack threatening the organization's existence

Description: Salesforce is facing a major extortion attempt by a crime syndicate known as **Scattered LAPSUS$ Hunters** (tracked as **UNC6040** by Mandiant), which claims to have stolen approximately **1 billion records** from **dozens of Salesforce customers**, including high-profile companies like **Toyota and FedEx**. The attack began in **May 2024**, with the threat actors using **voice phishing (vishing)** to trick employees into connecting a malicious app to their Salesforce portals. The group created a **dedicated leak site**, demanding a ransom from Salesforce itself—threatening to **publicly dump all stolen customer data** if payment was not made by a specified deadline. Salesforce has **refused to negotiate**, risking potential exposure of sensitive customer records. The stolen data reportedly includes **personal, financial, and corporate information** from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly **1 billion records**—suggests a **systemic compromise** with far-reaching consequences for Salesforce’s client base, including potential **fraud, identity theft, and regulatory penalties**.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Rankiteo Explanation: Attack threatening the organization's existence

Description: Salesforce suffered a **massive data breach** via two distinct campaigns in 2025, orchestrated by threat actors **Scattered Lapsus$ Hunters** and **ShinyHunters**. The first wave (late 2024) involved **social engineering attacks** impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited **stolen SalesLoft Drift OAuth tokens** to pivot into customer CRM environments, exfiltrating **support ticket data, credentials, API tokens, and authentication details**. The attackers claimed to have stolen **~1 billion records** in the first campaign and **1.5 billion records across 760+ companies** in the second, targeting high-profile victims like **Google, Cisco, Disney, FedEx, and Marriott**. A **data leak site** was launched to extort victims, threatening public release if ransoms were unpaid. Salesforce **refused to negotiate or pay**, and the leak site was later **shut down** (potentially via FBI seizure). The breach exposed **sensitive customer and corporate data**, including **authentication tokens, API keys, and support logs**, risking downstream attacks on affected companies. The scale and sophistication of the operation—leveraging **supply-chain and OAuth abuses**—highlighted critical vulnerabilities in Salesforce’s ecosystem, with **prolonged unauthorized access** and **large-scale data exfiltration** as core impacts.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 8/2024
Rankiteo Explanation: Attack threatening the organization's existence

Description: The cybercriminal group **Scattered LAPSUS$ Hunters** (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen **1 billion customer records** from **40 companies’ Salesforce environments**. The gang is demanding **$989.45** to prevent the data from being leaked online, setting an **October 10 deadline** for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior **OAuth token abuse campaign** via **Salesloft’s Drift integration**, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to **UNC6040 (Salesforce-related breaches)**. The group had previously announced retirement but reemerged following arrests of UK teens tied to **Scattered Spider**, suggesting operational shifts. The leaked data reportedly includes **customer records**, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a **platform-level vulnerability**, but the extortion attempt escalates pressure on victims.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Rankiteo Explanation: Attack threatening the organization's existence

Description: A cyber gang known as **Scattered LAPSUS$ Hunters** (linked to UNC6040 and UNC6240) has resurfaced, threatening to leak **around a billion customer records** from **40 companies** using Salesforce’s CRM platform unless a **$989 million ransom** is paid by October 10. The attack leverages **telephone social engineering (vishing)**, where criminals impersonate IT staff to trick users into authorizing malicious applications within Salesforce, granting access to sensitive customer data without exploiting technical vulnerabilities. While Salesforce denies a direct platform breach, the group claims to have exfiltrated data via the Salesforce API using custom Python tools, hiding their tracks via VPNs and TOR. Google’s Threat Intelligence Group confirmed a similar **June 2024 breach** in its own Salesforce environment, involving **basic SMB data**, which was swiftly contained. The attackers now employ a **double-extortion model**, with UNC6240 demanding ransoms months post-breach under the guise of **ShinyHunters**, a known data leak collective. The tactics mirror those of **Lapsus$** and **Scattered Spider**, suggesting shared methodologies within the broader cybercriminal network **‘The Com.’** Authorities and external specialists are assisting Salesforce, but the incident underscores persistent threats from financially motivated groups despite prior disruptions. Recommended mitigations include **restricting Data Loader permissions, enforcing MFA, IP-based access controls, and stricter app authorization policies** to prevent unauthorized data exfiltration.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 9/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: The **ShinyHunters** extortion group exploited compromised **Drift OAuth tokens** linked to **Salesloft** to steal over **1.5 billion Salesforce records** from **760 companies**. Attackers used **social engineering and malicious OAuth apps** to infiltrate Salesforce environments, exfiltrating massive CRM data—including **250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records**. The breach originated from a **GitHub repository compromise** at Salesloft, where attackers used **TruffleHog** to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems. The stolen **Case data** was further mined for **AWS keys, Snowflake tokens, and other credentials**, facilitating deeper intrusions into victim networks. High-profile targets allegedly include **Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others**. The attackers demanded **ransom payments** to prevent data leaks, while also **searching for additional secrets** to expand their campaign. The FBI issued an advisory on the threat actors (**UNC6040/6395**), warning of ongoing risks. Salesforce advised customers to enforce **MFA, least-privilege access, and stricter OAuth app management** to mitigate exposure.

Entity: Salesforce
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 5/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: The cybercriminal group **ShinyHunters** (operating under the alias *Scattered LAPSUS$ Hunters*) executed a **voice phishing (vishing) campaign** in **May 2025**, tricking employees into connecting a malicious app to their **Salesforce portals**. This breach led to the theft of **over a billion customer records** from **dozens of Fortune 500 firms**, including Toyota, FedEx, Disney/Hulu, and UPS. The group threatened to **publicly leak stolen data** unless ransoms were paid by **October 10, 2025**, via a victim-shaming extortion blog. The compromised data included **customer engagement records, internal communications, and sensitive business details**. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader **supply-chain risk**, as the group claimed responsibility for stealing **authentication tokens from Salesloft** (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s actions were linked to **multiple zero-day exploits**, including **CVE-2025-61882** in Oracle’s E-Business Suite, which they weaponized for additional data theft.

Entity: Salesforce
Type: Ransomware
Severity: 100
Impact: 5
Seen: 6/2023
Rankiteo Explanation: Attack threatening the organization's existence

Description: The FBI seized **BreachForums**, a hacking forum operated by **ShinyHunters**, which was used as a platform for leaking corporate data stolen via **ransomware and extortion campaigns**. Among the targeted victims was **Salesforce**, part of a high-profile breach campaign where hackers claimed to have stolen **over one billion customer records** from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including **all database backups since 2023 and escrow databases**, but emphasized that their **Salesforce data leak was still proceeding as planned**, scheduled for public release. The breach involved **massive customer data exposure**, with the hackers leveraging the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the **dark web leak site remained active**, indicating persistent risk. The attack highlights a **large-scale, coordinated extortion scheme** targeting enterprise-level customer databases, with **potential financial, reputational, and operational fallout** for Salesforce and its clients. The stolen records likely include **sensitive personal and corporate information**, amplifying the severity of the incident.

Entity: Salesforce
Type: Ransomware
Severity: 100
Impact: 5
Seen: 10/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: The ransomware group **ShinyHunters (Scattered Lapsus$ Hunters)** breached **Salesforce** by exploiting stolen OAuth tokens from **Salesloft Drift’s AI chatbot integration**, compromising **1.5 billion records** across **760 companies** (including Cisco, Disney, and Marriott). The leaked data includes **PII (names, DOBs, passports, employment histories)**, shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated **Salesloft’s GitHub repository**, extracting private source code and OAuth tokens, then laterally moved to **Google Workspace, Microsoft 365, and Okta platforms** of victims. The group demanded **separate ransoms** from Salesforce and listed **39 high-profile victims** on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged **social engineering (vishing, phishing, IT impersonation)** to trick employees into granting access, highlighting vulnerabilities in **third-party supply-chain integrations** and weak **2FA/OAuth security controls**.

Entity: Salesforce
Type: Ransomware
Severity: 100
Impact: 5
Seen: 10/2023
Rankiteo Explanation: Attack threatening the organization's existence

Description: A cybercriminal collective known as **Scattered Lapsus$ Hunters**—an alliance of the notorious **ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups**—threatened to leak **one billion records** allegedly exfiltrated from **Salesforce’s systems**, targeting **39 of the world’s largest corporations**, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by **October 10, 2023**, would result in the **massive exposure of customer data** across dark web and Clearnet platforms. The breach, if executed, would compromise **sensitive personal and corporate information** of Salesforce’s high-profile clients, leading to **severe reputational damage, financial fraud risks, and potential regulatory penalties**. The threat underscores a **large-scale, coordinated extortion campaign** leveraging ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to **‘target each and every individual customer’** if demands were unmet. The incident highlights the **escalating sophistication of cybercriminal syndicates** in exploiting enterprise vulnerabilities for maximal disruption.

Entity: Salesforce
Type: Ransomware
Severity: 100
Impact: 5
Seen: 8/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: Hackers under the alias **Shiny Hunters** claimed to have breached Salesforce systems via **social engineering attacks**, targeting users rather than the platform itself. They allegedly stole **nearly 1 billion records** from **39 companies** (including Adidas, Cisco, FedEx, and Disney) and demanded a ransom by **October 10, 2025**, threatening to leak the data on a dark web site called *Scattered Lapsus$ Hunters*. The breach stemmed from **voice phishing (vishing) attacks** tricking victims into installing malicious OAuth apps and exploiting a **vulnerable integration between Salesloft Drift and Salesforce** (disabled in August 2025). The incident escalated to **14 lawsuits against Salesforce** by September 2025, with critics arguing the company bears responsibility despite the third-party attack vectors. The stolen data includes **sensitive corporate and customer information**, with samples already published as proof. The attack represents a **large-scale, coordinated ransomware-driven data exfiltration campaign** with severe reputational, financial, and operational consequences for Salesforce and its clients.

Entity: Salesforce
Type: Vulnerability
Severity: 85
Impact: 4
Seen: 9/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: A critical vulnerability named **ForcedLeak** was discovered in Salesforce’s **Agentforce** AI platform, enabling external attackers to exploit **prompt injection** via an expired trusted domain (`my-salesforce-cms.com`), purchased for $5. By leveraging the **Web-to-Lead** feature’s unsecured **description field** (42,000-character limit), researchers embedded malicious instructions that tricked AI agents into querying and exfiltrating **sensitive customer lead data**—including email addresses—from Salesforce’s CRM. The attack bypassed traditional security controls by abusing AI’s trust boundaries, sending stolen data to an attacker-controlled server via a crafted HTML snippet. While Salesforce patched the flaw by enforcing **trusted URL allow-lists** and re-securing the expired domain, the vulnerability underscored risks in AI-driven automation, particularly when human oversight is lacking. The exploit, rated **9.4 (Critical)** via CVSS 4.0, highlighted how low-cost domain acquisitions and prompt injection can facilitate large-scale data breaches. Salesforce confirmed no evidence of abuse but acknowledged the evolving threat landscape of AI security.

Salesforce
Breach
Severity: 85
Impact: 4
Seen: 3/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data due to a breach involving third-party integrations (Salesloft Drift). Attackers stole OAuth tokens from Salesloft’s GitHub in March 2025, later exploiting them to access Salesforce systems in July 2025. The breach led to the theft of personally identifiable information (PII), putting victims at risk of identity theft and fraud. Lawsuits, including a class action led by Staci Johnson, allege Salesforce failed to implement adequate security measures, forcing affected individuals to monitor financial accounts and credit reports. While Salesforce denies platform compromise, the attack impacted major clients like TransUnion (4.5M individuals) and Farmers Insurance (1M customers). Google’s analysis confirmed the attack relied on social engineering, impersonating IT support to trick employees into sharing credentials—no inherent Salesforce vulnerability was exploited. The incident highlights risks in third-party integrations and credential theft.

Salesforce
Breach
Severity: 85
Impact: 4
Seen: 3/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Salesforce experienced a data breach originating from a third-party provider, **SalesLoft**, specifically via its **Drift app**—an integration used for automated customer communications. The breach was executed by the hacker group **ShinyHunters**, who exploited compromised **GitHub credentials** at SalesLoft between **March and June**, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate **Drift’s AWS environment**, obtaining **OAuth tokens** from multiple customer organizations, including **Cloudflare, Zscaler, Palo Alto Networks, and others**.The stolen data primarily included **customer contact details, basic IT support information, access tokens, and IT configuration details**. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed **CRM fields, support cases, and integration data** across **hundreds of affected organizations**. Salesforce refused to pay ransom demands, emphasizing a **no-negotiation stance** against extortion. The **Drift app remains disabled**, and affected customers were advised to **renew access tokens** to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.

Salesforce
Breach
Severity: 85
Impact: 4
Seen: 8/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: A widespread data breach in **Salesforce** was uncovered by Google’s Threat Intelligence Group (GTIG) and Mandiant, orchestrated by the threat actor **UNC6395** between **August 8–18, 2025**. The attackers exploited **stolen OAuth tokens** from the **Salesloft Drift** third-party application, bypassing **Multi-Factor Authentication (MFA)** by abusing non-human identities (NHIs). This allowed them to **systematically exfiltrate large volumes of data** from corporate Salesforce accounts, focusing on **customer accounts, user details, and high-value secrets**—including **AWS access keys, Snowflake tokens, and other credentials**. The breach targeted **sensitive customer data**, with attackers deleting query logs to obscure their activity. While **Google Cloud customers were unaffected**, Salesforce and Salesloft responded by **revoking all Drift app tokens** and temporarily removing the app from the **AppExchange** during investigations. The incident highlights a growing trend of **NHI-based attacks**, where persistent, high-privilege non-human identities are exploited to **steal credentials and escalate access**. Organizations were urged to **harden access controls, rotate compromised keys, and enforce IP restrictions** to mitigate future risks. The breach underscores critical gaps in **identity governance**, as many firms lack even basic inventories of NHIs, leaving them vulnerable to such **covert, high-impact exfiltration campaigns**.

Salesforce
Breach
Severity: 100
Impact: 3
Seen: 6/2025
Blog:
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: A financially motivated threat actor group, UNC6040, has been targeting Salesforce customers through voice phishing (Vishing). The group impersonates IT support personnel to trick employees into granting sensitive access or sharing credentials. This campaign has resulted in the compromise of organizational data and subsequent extortion attempts, posing a significant threat to the company's security and reputation.

Salesforce
Cyber Attack
Severity: 60
Impact:
Seen: 05/2019
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the Salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also have experienced service disruption.

Salesforce (via targeted customers)
Cyber Attack
Severity: 60
Impact: 2
Seen: 10/2025
Blog:
Rankiteo Explanation
Attack limited on finance or reputation

Description: Google’s Mandiant reported an ongoing social engineering campaign by the criminal gang **UNC6040**, which impersonates IT support personnel via **voice phishing (vishing)** to trick employees—particularly those in English-speaking branches of multinational corporations—into granting access to **Salesforce instances**. The attackers manipulate end-users (often with elevated SaaS access) into clicking malicious links or sharing credentials, leading to **unauthorized data exfiltration from Salesforce environments**. No inherent Salesforce vulnerabilities were exploited; the breach relied entirely on human deception. Mandiant emphasized the need for **defense-in-depth strategies**, including caller verification and strict validation of third-party requests. The attack highlights the persistent risk of **credential theft via social engineering**, with potential exposure of sensitive customer or corporate data stored in Salesforce.

Salesforce (via targeted CRM platforms)
Cyber Attack
Severity: 85
Impact: 4
Seen: 9/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: UNC6040 executed a highly sophisticated **vishing (voice phishing) campaign** targeting enterprise **Customer Relationship Management (CRM) platforms**, particularly **Salesforce**, to perform **large-scale data exfiltration**. The attack leveraged **OAuth 2.0 exploitation**, tricking victims into granting malicious apps **elevated API permissions** (including `api`, `refresh_token`, and full scopes) via spoofed IT support calls. Using **SIP spoofing, VoIP routing via Tor/Mullvad VPN**, and modified **Data Loader applications with custom Python scripts**, the threat actors automated **bulk data extraction** via **SOQL queries and REST API calls**, bypassing detection through rate-limiting. The compromised data likely included **customer records, financial details, and sensitive corporate information**, enabling **persistent access for extortion**. The group’s infrastructure—segmented across **Tor hidden services, commercial VPNs, and bulletproof hosting**—hinted at preparations for a **Data Leak Site (DLS)**, escalating from private ransom demands to **public pressure tactics**. Partnerships with **UNC6240 (ransomware/extortion specialists)** suggest potential **follow-on ransomware or data auction threats**.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 10/2025
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: The FBI's seizure of **BreachForums**, a hacking forum used by cybercriminal groups like **Scattered Lapsus$ Hunters** (including Baphomet, IntelBroker, and ShinyHunters), has exposed Salesforce as a key target in a series of high-profile attacks. These actors exploited vulnerabilities to breach Salesforce environments, compromising customer data of major corporations such as **Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota**. The stolen data was leaked on BreachForums, where attackers also conducted extortion campaigns, threatening to expose or sell sensitive information unless ransoms were paid. The breach highlights systemic risks in Salesforce’s ecosystem, where third-party integrations and misconfigured access controls enabled attackers to infiltrate high-value SaaS platforms. While the FBI’s takedown disrupted the forum’s operations, the attackers have pivoted to encrypted channels like **Telegram**, continuing their monetization efforts through ransomware, data resale, and targeted extortion. The incident underscores the broader threat to enterprise tenants, where compromised Salesforce instances serve as gateways to wider corporate networks, financial records, and proprietary customer databases. The cumulative impact includes reputational damage, financial losses from extortion, and erosion of trust in cloud-based CRM security.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2025
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Salesforce was targeted by the newly formed **Scattered LAPSUS$ Hunters (SLH)**, a federated cybercriminal collective merging the capabilities of **Scattered Spider, ShinyHunters, and LAPSUS$**. The attack involved **AI-driven vishing, spearphishing, and zero-day exploitations** (e.g., **CVE-2025-61882** in Oracle E-Business Suite) to compromise Salesforce’s cloud infrastructure. SLH leveraged **credential harvesting, lateral movement, and privilege escalation** to exfiltrate sensitive data, likely including **customer and enterprise SaaS records**. The group announced the breach on their **Telegram-based data-leak site (DLS)**, using psychological tactics to maximize reputational damage. Given SLH’s **Extortion-as-a-Service (EaaS) model** and history of targeting high-value enterprises, the attack likely resulted in **financial fraud, operational disruption, and erosion of customer trust**. The involvement of actors like **‘yuka’ (linked to BlackLotus UEFI bootkit)** suggests advanced persistence mechanisms, increasing the risk of **long-term data exposure or ransomware deployment**. The breach aligns with SLH’s strategy of **high-impact, brand-damaging extortion**, posing existential threats to Salesforce’s market position and regulatory compliance.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 5/2024
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Salesforce is facing a major extortion attempt by a crime syndicate known as **Scattered LAPSUS$ Hunters** (tracked as **UNC6040** by Mandiant), which claims to have stolen approximately **1 billion records** from **dozens of Salesforce customers**, including high-profile companies like **Toyota and FedEx**. The attack began in **May 2024**, with the threat actors using **voice phishing (vishing)** to trick employees into connecting a malicious app to their Salesforce portals. The group created a **dedicated leak site**, demanding a ransom from Salesforce itself—threatening to **publicly dump all stolen customer data** if payment was not made by a specified deadline. Salesforce has **refused to negotiate**, risking potential exposure of sensitive customer records. The stolen data reportedly includes **personal, financial, and corporate information** from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly **1 billion records**—suggests a **systemic compromise** with far-reaching consequences for Salesforce’s client base, including potential **fraud, identity theft, and regulatory penalties**.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Salesforce suffered a **massive data breach** via two distinct campaigns in 2025, orchestrated by threat actors **Scattered Lapsus$ Hunters** and **ShinyHunters**. The first wave (late 2024) involved **social engineering attacks** impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited **stolen SalesLoft Drift OAuth tokens** to pivot into customer CRM environments, exfiltrating **support ticket data, credentials, API tokens, and authentication details**. The attackers claimed to have stolen **~1 billion records** in the first campaign and **1.5 billion records across 760+ companies** in the second, targeting high-profile victims like **Google, Cisco, Disney, FedEx, and Marriott**. A **data leak site** was launched to extort victims, threatening public release if ransoms were unpaid. Salesforce **refused to negotiate or pay**, and the leak site was later **shut down** (potentially via FBI seizure). The breach exposed **sensitive customer and corporate data**, including **authentication tokens, API keys, and support logs**, risking downstream attacks on affected companies. The scale and sophistication of the operation—leveraging **supply-chain and OAuth abuses**—highlighted critical vulnerabilities in Salesforce’s ecosystem, with **prolonged unauthorized access** and **large-scale data exfiltration** as core impacts.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 8/2024
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: The cybercriminal group **Scattered LAPSUS$ Hunters** (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen **1 billion customer records** from **40 companies’ Salesforce environments**. The gang is demanding **$989.45** to prevent the data from being leaked online, setting an **October 10 deadline** for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior **OAuth token abuse campaign** via **Salesloft’s Drift integration**, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to **UNC6040 (Salesforce-related breaches)**. The group had previously announced retirement but reemerged following arrests of UK teens tied to **Scattered Spider**, suggesting operational shifts. The leaked data reportedly includes **customer records**, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a **platform-level vulnerability**, but the extortion attempt escalates pressure on victims.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: A cyber gang known as **Scattered LAPSUS$ Hunters** (linked to UNC6040 and UNC6240) has resurfaced, threatening to leak **around a billion customer records** from **40 companies** using Salesforce’s CRM platform unless a **$989 million ransom** is paid by October 10. The attack leverages **telephone social engineering (vishing)**, where criminals impersonate IT staff to trick users into authorizing malicious applications within Salesforce, granting access to sensitive customer data without exploiting technical vulnerabilities. While Salesforce denies a direct platform breach, the group claims to have exfiltrated data via the Salesforce API using custom Python tools, hiding their tracks via VPNs and TOR. Google’s Threat Intelligence Group confirmed a similar **June 2024 breach** in its own Salesforce environment, involving **basic SMB data**, which was swiftly contained. The attackers now employ a **double-extortion model**, with UNC6240 demanding ransoms months post-breach under the guise of **ShinyHunters**, a known data leak collective. The tactics mirror those of **Lapsus$** and **Scattered Spider**, suggesting shared methodologies within the broader cybercriminal network **‘The Com.’** Authorities and external specialists are assisting Salesforce, but the incident underscores persistent threats from financially motivated groups despite prior disruptions. Recommended mitigations include **restricting Data Loader permissions, enforcing MFA, IP-based access controls, and stricter app authorization policies** to prevent unauthorized data exfiltration.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 9/2025
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: The **ShinyHunters** extortion group exploited compromised **Drift OAuth tokens** linked to **Salesloft** to steal over **1.5 billion Salesforce records** from **760 companies**. Attackers used **social engineering and malicious OAuth apps** to infiltrate Salesforce environments, exfiltrating massive CRM data—including **250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records**. The breach originated from a **GitHub repository compromise** at Salesloft, where attackers used **TruffleHog** to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems. The stolen **Case data** was further mined for **AWS keys, Snowflake tokens, and other credentials**, facilitating deeper intrusions into victim networks. High-profile targets allegedly include **Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others**. The attackers demanded **ransom payments** to prevent data leaks, while also **searching for additional secrets** to expand their campaign. The FBI issued an advisory on the threat actors (**UNC6040/6395**), warning of ongoing risks. Salesforce advised customers to enforce **MFA, least-privilege access, and stricter OAuth app management** to mitigate exposure.

Salesforce
Cyber Attack
Severity: 100
Impact: 5
Seen: 5/2025
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: The cybercriminal group **ShinyHunters** (operating under the alias *Scattered LAPSUS$ Hunters*) executed a **voice phishing (vishing) campaign** in **May 2025**, tricking employees into connecting a malicious app to their **Salesforce portals**. This breach led to the theft of **over a billion customer records** from **dozens of Fortune 500 firms**, including Toyota, FedEx, Disney/Hulu, and UPS. The group threatened to **publicly leak stolen data** unless ransoms were paid by **October 10, 2025**, via a victim-shaming extortion blog. The compromised data included **customer engagement records, internal communications, and sensitive business details**. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader **supply-chain risk**, as the group claimed responsibility for stealing **authentication tokens from Salesloft** (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s actions were linked to **multiple zero-day exploits**, including **CVE-2025-61882** in Oracle’s E-Business Suite, which they weaponized for additional data theft.

Salesforce
Ransomware
Severity: 100
Impact: 5
Seen: 6/2023
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: The FBI seized **BreachForums**, a hacking forum operated by **ShinyHunters**, which was used as a platform for leaking corporate data stolen via **ransomware and extortion campaigns**. Among the targeted victims was **Salesforce**, part of a high-profile breach campaign where hackers claimed to have stolen **over one billion customer records** from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including **all database backups since 2023 and escrow databases**, but emphasized that their **Salesforce data leak was still proceeding as planned**, scheduled for public release. The breach involved **massive customer data exposure**, with the hackers leveraging the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the **dark web leak site remained active**, indicating persistent risk. The attack highlights a **large-scale, coordinated extortion scheme** targeting enterprise-level customer databases, with **potential financial, reputational, and operational fallout** for Salesforce and its clients. The stolen records likely include **sensitive personal and corporate information**, amplifying the severity of the incident.

Salesforce
Ransomware
Severity: 100
Impact: 5
Seen: 10/2025
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: The ransomware group **ShinyHunters (Scattered Lapsus$ Hunters)** breached **Salesforce** by exploiting stolen OAuth tokens from **Salesloft Drift’s AI chatbot integration**, compromising **1.5 billion records** across **760 companies** (including Cisco, Disney, and Marriott). The leaked data includes **PII (names, DOBs, passports, employment histories)**, shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated **Salesloft’s GitHub repository**, extracting private source code and OAuth tokens, then laterally moved to **Google Workspace, Microsoft 365, and Okta platforms** of victims. The group demanded **separate ransoms** from Salesforce and listed **39 high-profile victims** on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged **social engineering (vishing, phishing, IT impersonation)** to trick employees into granting access, highlighting vulnerabilities in **third-party supply-chain integrations** and weak **2FA/OAuth security controls**.

Salesforce
Ransomware
Severity: 100
Impact: 5
Seen: 10/2023
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: A cybercriminal collective known as **Scattered Lapsus$ Hunters**—an alliance of the notorious **ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups**—threatened to leak **one billion records** allegedly exfiltrated from **Salesforce’s systems**, targeting **39 of the world’s largest corporations**, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by **October 10, 2023**, would result in the **massive exposure of customer data** across dark web and Clearnet platforms. The breach, if executed, would compromise **sensitive personal and corporate information** of Salesforce’s high-profile clients, leading to **severe reputational damage, financial fraud risks, and potential regulatory penalties**. The threat underscores a **large-scale, coordinated extortion campaign** leveraging ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to **‘target each and every individual customer’** if demands were unmet. The incident highlights the **escalating sophistication of cybercriminal syndicates** in exploiting enterprise vulnerabilities for maximal disruption.

Salesforce
Ransomware
Severity: 100
Impact: 5
Seen: 8/2025
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: Hackers under the alias **Shiny Hunters** claimed to have breached Salesforce systems via **social engineering attacks**, targeting users rather than the platform itself. They allegedly stole **nearly 1 billion records** from **39 companies** (including Adidas, Cisco, FedEx, and Disney) and demanded a ransom by **October 10, 2025**, threatening to leak the data on a dark web site called *Scattered Lapsus$ Hunters*. The breach stemmed from **voice phishing (vishing) attacks** tricking victims into installing malicious OAuth apps and exploiting a **vulnerable integration between Salesloft Drift and Salesforce** (disabled in August 2025). The incident escalated to **14 lawsuits against Salesforce** by September 2025, with critics arguing the company bears responsibility despite the third-party attack vectors. The stolen data includes **sensitive corporate and customer information**, with samples already published as proof. The attack represents a **large-scale, coordinated ransomware-driven data exfiltration campaign** with severe reputational, financial, and operational consequences for Salesforce and its clients.

Salesforce
Vulnerability
Severity: 85
Impact: 4
Seen: 9/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: A critical vulnerability named **ForcedLeak** was discovered in Salesforce’s **Agentforce** AI platform, enabling external attackers to exploit **prompt injection** via an expired trusted domain (`my-salesforce-cms.com`), purchased for $5. By leveraging the **Web-to-Lead** feature’s unsecured **description field** (42,000-character limit), researchers embedded malicious instructions that tricked AI agents into querying and exfiltrating **sensitive customer lead data**—including email addresses—from Salesforce’s CRM. The attack bypassed traditional security controls by abusing AI’s trust boundaries, sending stolen data to an attacker-controlled server via a crafted HTML snippet. While Salesforce patched the flaw by enforcing **trusted URL allow-lists** and re-securing the expired domain, the vulnerability underscored risks in AI-driven automation, particularly when human oversight is lacking. The exploit, rated **9.4 (Critical)** via CVSS 4.0, highlighted how low-cost domain acquisitions and prompt injection can facilitate large-scale data breaches. Salesforce confirmed no evidence of abuse but acknowledged the evolving threat landscape of AI security.

Salesforce Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months


A.I Risk Score Likelihood 3 - 6 - 9 months


Underwriter Stats for Salesforce

Incidents vs Software Development Industry Average (This Year)

Salesforce has 2854.55% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Salesforce has 1900.0% more incidents than the average of all companies with at least one recorded incident.

Incident Types Salesforce vs Software Development Industry Avg (This Year)

Salesforce reported 13 incidents this year: 6 cyber attacks, 2 ransomware, 1 vulnerability, 4 data breaches, compared to industry peers with at least 1 incident.

Incident History — Salesforce (X = Date, Y = Severity)

Salesforce cyber incidents detection timeline including parent company and subsidiaries

Salesforce Company Subsidiaries


Salesforce Similar Companies

Rakuten

Rakuten Group, Inc. (TSE: 4755) is a global technology leader in services that empower individuals, communities, businesses and society. Founded in Tokyo in 1997 as an online marketplace, Rakuten has expanded to offer services in e-commerce, fintech, digital content and communications to 2 billion m

Bosch USA

The Bosch Group’s strategic objective is to create solutions for a connected life. Bosch improves quality of life worldwide with innovative products and services that are "Invented for life"​ and spark enthusiasm. Podcast: http://bit.ly/beyondbosch Imprint: https://www.bosch.us/corporate-informatio

Amazon Fulfillment Technologies & Robotics

On the Fulfillment Technologies & Robotics Team, we build dynamic partnerships between people and intelligent machines. This intricate collaboration helps Amazon fulfill orders with unmatched accuracy. Since we began working with robotics, we've added over a million new jobs worldwide. Working in s

Wolt

Wolt is a Helsinki-based technology company with a mission to bring joy, simplicity and earnings to the neighborhoods of the world. Wolt develops a local commerce platform that connects people looking to order food, groceries, and other goods with people interested in selling and delivering them. Wo

Thomson Reuters

Thomson Reuters is the world’s leading provider of news and information-based tools to professionals. Our worldwide network of journalists and specialist editors keep customers up to speed on global developments, with a particular focus on legal, regulatory and tax changes. Our customers operat

Shopee

Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th

Cisco

Cisco is the worldwide technology leader that is revolutionizing the way organizations connect and protect in the AI era. For more than 40 years, Cisco has securely connected the world. With its industry leading AI-powered solutions and services, Cisco enables its customers, partners and communities

Zoho

Zoho offers beautifully smart software to help you grow your business. With over 100 million users worldwide, Zoho's 55+ products aid your sales and marketing, support and collaboration, finance, and recruitment needs—letting you focus only on your business. Zoho respects user privacy and does not h

Xiaomi Technology

Xiaomi Corporation was founded in April 2010 and listed on the Main Board of the Hong Kong Stock Exchange on July 9, 2018 (1810.HK). Xiaomi is a consumer electronics and smart manufacturing company with smartphones and smart hardware connected by an IoT platform at its core. Embracing our vision


Salesforce CyberSecurity News

October 15, 2025 07:00 AM
Salesforce-Linked Security Breach Fallout Escalates With Qantas Leak

Hackers said they published data on more than five million Qantas Airways customers this weekend, fulfilling a threat to do so unless paid a...

October 15, 2025 07:00 AM
Qantas Data Breach Exposes Millions, Tied to Wider Salesforce Campaign

A major breach at Qantas Airways has taken on broader significance this week, after hackers leaked personal data from more than five million...

October 14, 2025 07:00 AM
Cybersecurity News: Salesforce data leak, SimonMed breach, Chipmaker vs. Dutch government

Millions of records exposed in Salesforce data leak. Scattered LAPSUS$ Hunters has leaked millions of records allegedly stolen from Salesforce...

October 14, 2025 07:00 AM
Anthropic and Salesforce expand partnership to bring Claude to regulated industries

Anthropic and Salesforce today announced an expanded partnership to make Claude a preferred model for Salesforce's Agentforce platform,...

October 13, 2025 07:00 AM
Extortion Group Leaks Millions of Records From Salesforce Hacks

Scattered LAPSUS$ Hunters extortion group leaked millions of records allegedly stolen in a recent campaign targeting Salesforce customers.

October 13, 2025 07:00 AM
Salesforce bandits run into hiding amid arrests, seizures

The Scattered Lapsus$ Hunters (SLSH) cybercrime collective - comprised primarily of teenagers and twenty-somethings - announced it will go...

October 12, 2025 07:00 AM
Week in review: Hackers extorting Salesforce, CentreStack 0-day exploited

Here's an overview of some of last week's most interesting news, articles, interviews and videos: How to get better results from bug bounty...

October 10, 2025 07:00 AM
FBI Takes Down BreachForums: A Notorious Cybercrime Marketplace Tied To Salesforce Data Extortion

October 09, 2025 07:54 AM
Salesforce turns down ransomware payment demands

Salesforce turns down ransomware payment demands ... In the wake of the recent cyberattack on Salesforce, companies worldwide are being strongly advised against...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Salesforce CyberSecurity History Information

Official Website of Salesforce

The official website of Salesforce is http://www.salesforce.com.

Salesforce’s AI-Generated Cybersecurity Score

According to Rankiteo, Salesforce’s AI-generated cybersecurity score is 244, reflecting their Critical security posture.

How many security badges does Salesforce have ?

According to Rankiteo, Salesforce currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Salesforce have SOC 2 Type 1 certification ?

According to Rankiteo, Salesforce is not certified under SOC 2 Type 1.

Does Salesforce have SOC 2 Type 2 certification ?

According to Rankiteo, Salesforce does not hold a SOC 2 Type 2 certification.

Does Salesforce comply with GDPR ?

According to Rankiteo, Salesforce is not listed as GDPR compliant.

Does Salesforce have PCI DSS certification ?

According to Rankiteo, Salesforce does not currently maintain PCI DSS compliance.

Does Salesforce comply with HIPAA ?

According to Rankiteo, Salesforce is not compliant with HIPAA regulations.

Does Salesforce have ISO 27001 certification ?

According to Rankiteo, Salesforce is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Salesforce

Salesforce operates primarily in the Software Development industry.

Number of Employees at Salesforce

Salesforce employs approximately 84,115 people worldwide.

Subsidiaries Owned by Salesforce

Salesforce presently has no subsidiaries across any sectors.

Salesforce’s LinkedIn Followers

Salesforce’s official LinkedIn profile has approximately 6,028,213 followers.

NAICS Classification of Salesforce

Salesforce is classified under the NAICS code 5112, which corresponds to Software Publishers.

Salesforce’s Presence on Crunchbase

Yes, Salesforce has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/salesforce.

Salesforce’s Presence on LinkedIn

Yes, Salesforce maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/salesforce.

Cybersecurity Incidents Involving Salesforce

As of November 27, 2025, Rankiteo reports that Salesforce has experienced 20 cybersecurity incidents.

Number of Peer and Competitor Companies

Salesforce has an estimated 26,564 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Salesforce ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach, Cyber Attack and Ransomware.

How does Salesforce detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through containment measures with blocked access to affected instances, and remediation measures with blocked access to orgs with inadvertent permissions, and third party assistance with google threat intelligence group (gtig), third party assistance with mandiant, third party assistance with astrix security, and containment measures with revoked all active access tokens for drift app (august 20, 2025), containment measures with temporarily removed drift from salesforce appexchange, and remediation measures with restricting connected app scopes, remediation measures with searching for exposed secrets in salesforce data, remediation measures with rotating compromised credentials, remediation measures with enforcing ip restrictions, and communication strategy with advisories issued by gtig/mandiant, communication strategy with notifications to affected organizations, communication strategy with public blog post by astrix security, and enhanced monitoring with checking for specific ip addresses/user-agent strings linked to attackers, and containment measures with web application firewall (waf) with rate-limiting for api calls, containment measures with siem correlation of oauth events with api usage, containment measures with user and entity behavior analytics (ueba) deployment, containment measures with conditional access policies for oauth apps (ip/device/risk-based), and remediation measures with revoke compromised oauth tokens, remediation measures with audit and restrict connected apps permissions, remediation measures with implement hardware security modules (hsm) for api keys, remediation measures with enforce perfect forward secrecy (pfs) for authentication tokens, remediation measures with deploy caa records and dane for domain spoofing prevention, and adaptive behavioral waf with rate-limiting for bulk api operations (e.g., /services/data/v58.0/jobs/query), and network segmentation with isolate crm api endpoints from untrusted networks, and enhanced monitoring with real-time api call anomaly detection, enhanced monitoring with geofencing for oauth authorizations, and third party assistance with google mandiant (threat intelligence), third party assistance with fbi (advisory & investigation), and law enforcement notified with fbi, and remediation measures with salesforce recommendations: enforce multi-factor authentication (mfa), remediation measures with apply principle of least privilege, remediation measures with closely manage connected applications, and communication strategy with salesforce customer advisories, communication strategy with fbi public advisory on unc6040/6395, and containment measures with enforced trusted url allow-lists for agentforce/einstein ai, containment measures with re-secured expired domain (my-salesforce-cms.com), and remediation measures with patches to prevent ai agents from sending data to untrusted urls, and communication strategy with public statement to the register, communication strategy with blog post by noma security, and incident response plan activated with yes (salesforce, mandiant, and affected companies), and third party assistance with mandiant (google’s incident response), third party assistance with salesforce security team, third party assistance with fbi cyber division, and law enforcement notified with yes (fbi issued advisory on 2023-09-12), and containment measures with revoking compromised oauth tokens, containment measures with isolating affected salesforce instances, containment measures with disabling salesloft drift integrations, and remediation measures with enforcing 2fa for oauth apps, remediation measures with patching salesloft drift vulnerabilities, remediation measures with audit of third-party integrations, and recovery measures with data backup restoration (if applicable), recovery measures with customer notification plans, recovery measures with dark web monitoring for leaked data, and communication strategy with public disclosure via media (ismg, bleepingcomputer), communication strategy with customer advisories (pending), communication strategy with regulatory notifications, and network segmentation with recommended (to limit lateral movement), and enhanced monitoring with salesforce instance logs, enhanced monitoring with cloud platform (google workspace, microsoft 365, okta) activity, and incident response plan activated with yes (salesforce engaged external experts and authorities), and third party assistance with mandiant (google), third party assistance with external cybersecurity experts, and law enforcement notified with yes (us and uk authorities involved), and remediation measures with customer notifications, remediation measures with investigation of oauth abuse, and communication strategy with public security advisory, communication strategy with media statements, and third party assistance with external specialists, third party assistance with authorities, and containment measures with supporting potentially affected customers, containment measures with investigating claims, and communication strategy with public denial of platform hack, communication strategy with advisories to customers, and incident response plan activated with yes (salesforce disabled vulnerable salesloft drift integration on aug 28, 2025), and third party assistance with google threat intelligence (reported attacks in june and august 2025), and containment measures with disabled salesloft drift integration (aug 28–sep 7, 2025), and remediation measures with reinstated integration with security fixes (sep 7, 2025), and communication strategy with public security alert issued, communication strategy with denial of direct platform compromise, and incident response plan activated with yes (salesforce notified customers), and law enforcement notified with likely (fbi may have seized extortion domain), and remediation measures
with refusal to pay ransom, remediation measures with customer notifications, and communication strategy with public statements and customer emails, and and third party assistance with google threat intelligence group (gtig), third party assistance with mandiant (malware analysis), third party assistance with law enforcement (fbi, uk nca), and and containment measures with salesforce: disabled malicious oauth apps, containment measures with red hat: isolated compromised gitlab server, containment measures with discord: terminated third-party vendor access, containment measures with oracle: emergency patch for cve-2025-61882, and remediation measures with salesforce: forensic analysis, customer support, remediation measures with red hat: customer notifications, repository audits, remediation measures with discord: affected user notifications, password resets, remediation measures with oracle: urged customers to apply patch, and recovery measures with salesforce: refused to pay ransom, focused on defense, recovery measures with red hat: restored gitlab from backups, recovery measures with discord: enhanced vendor security controls, and communication strategy with salesforce: customer advisories (no negotiation policy), communication strategy with red hat: public disclosure (october 2, 2025), communication strategy with discord: direct emails to affected users, communication strategy with oracle: security advisory for cve-2025-61882, and enhanced monitoring with salesforce: increased logging for oauth integrations, enhanced monitoring with red hat: gitlab access audits, and and third party assistance with google threat intelligence group (warnings), and containment measures with disabled drift app integration, containment measures with token renewal mandate for customers, and remediation measures with customer support outreach, remediation measures with oauth token rotation, and recovery measures with reactivated salesloft integrations (except drift), and 
communication strategy with internal memo (bloomberg-leaked), communication strategy with public statement on non-payment of ransom, communication strategy with customer advisories, and enhanced monitoring with likely (implied by google threat intelligence collaboration), and incident response plan activated with likely (salesforce refused ransom demand), and third party assistance with mandiant (google-owned threat intelligence), and communication strategy with public refusal of ransom demand (email statement), and incident response plan activated with yes (fbi and france's bl2c unit), and third party assistance with french law enforcement (bl2c unit), and law enforcement notified with yes (fbi-led operation), and containment measures with domain seizure, containment measures with backend server seizure, containment measures with nameserver redirection to fbi, and remediation measures with permanent shutdown of breachforums, remediation measures with prevention of data leak (salesforce campaign disrupted), and communication strategy with public announcement via bleepingcomputer, communication strategy with pgp-signed message from shinyhunters on telegram, and incident response plan activated with yes (fbi-led operation), and third party assistance with europol (in prior operations), and law enforcement notified with yes (fbi-led, with international coordination), and containment measures with domain seizure, containment measures with disruption of forum operations, and communication strategy with public announcement by fbi, communication strategy with media coverage (e.g., itpro), and third party assistance with mandiant (google), and containment measures with end unsolicited support calls without providing access/information, containment measures with verify callers via trusted, on-file contact information, containment measures with require explicit verification from account managers before fulfilling requests, and remediation measures with defense-in-depth 
strategy for caller verification, remediation measures with employee training on social engineering and phishing, remediation measures with rigorous communication of third-party request verification protocols, and communication strategy with mandiant blog post, communication strategy with knowbe4 advisory, and enhanced monitoring with monitoring for unauthorized saas access, and incident response plan activated with yes (salesforce offered support to affected customers), and remediation measures with salesforce directed customers to its trust page for protective steps; denied platform compromise, and communication strategy with public notices, communication strategy with media statements, communication strategy with trust page updates..

Incident Details

Can you provide details on each incident?

Incident : Cyber Attack

Title: Salesforce 15-Hour Outage Due to Cyber Attack

Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the Salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also have experienced service disruption.

Type: Cyber Attack

Attack Vector: Database Script Deployment

Vulnerability Exploited: Inadvertent Permissions

Incident : Vishing

Title: UNC6040 Vishing Campaign Targeting Salesforce Customers

Description: A financially motivated threat actor, tracked as UNC6040, is conducting a vishing campaign to compromise organizational data of Salesforce customers and carry out subsequent extortion.

Type: Vishing

Attack Vector: Telephone-based social engineering

Vulnerability Exploited: Human error and social engineering

Threat Actor: UNC6040

Motivation: Financial gain

Incident : Data Breach

Title: Widespread Data Breach in Salesforce via OAuth Token Abuse by UNC6395

Description: A widespread data theft campaign targeting Salesforce was carried out by threat actor UNC6395 between August 8 and August 18, 2025. The attackers bypassed MFA by compromising OAuth tokens from the Salesloft Drift third-party application, exporting large volumes of data from corporate Salesforce accounts. Their primary goal was to harvest credentials and high-value 'secrets' like AWS access keys and Snowflake tokens. The breach was detected and mitigated through revocation of access tokens and removal of the Drift app from Salesforce’s AppExchange.

Date Detected: 2025-08-18

Date Publicly Disclosed: 2025-08-20

Date Resolved: 2025-08-20

Type: Data Breach

Attack Vector: OAuth Token Abuse, Non-Human Identity (NHI) Exploitation, Bypassing MFA

Vulnerability Exploited: Compromised OAuth tokens from Salesloft Drift third-party application (no core Salesforce vulnerability)

Threat Actor: UNC6395

Motivation: Data Exfiltration, Credential Harvesting, High-Value Secrets Theft (e.g., AWS keys, Snowflake tokens)

Incident : Data Breach

Title: ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records

Description: The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens linked to Salesloft. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating data and extorting victims with ransom demands. The campaigns are tied to groups operating under the names ShinyHunters, Scattered Spider, and Lapsus$ (now calling themselves 'Scattered Lapsus$ Hunters'). In March, an actor breached Salesloft’s GitHub repository, locating secrets—including OAuth tokens for Drift and Drift Email—using the TruffleHog tool. The stolen data spans Salesforce objects including Account, Contact, Opportunity, User, and Case tables. Attackers also searched Case data for secrets like AWS keys and Snowflake tokens to enable further intrusions. Victims allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, and others. The FBI issued an advisory on UNC6040/6395, warning of ongoing campaigns.

Type: Data Breach

Attack Vector: Social Engineering, Malicious OAuth Applications, Compromised GitHub Repository, Exploited OAuth Tokens (Drift/Salesloft), Secrets Exposure (TruffleHog)

Vulnerability Exploited: Weak OAuth Token Management, Lack of Multi-Factor Authentication (MFA), Excessive Privileges in Connected Applications, Exposed Secrets in GitHub Repository

Threat Actor: ShinyHunters, Scattered Spider, Lapsus$, UNC6040 (Google Mandiant), UNC6395 (Google Mandiant), Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion), Data Theft for Resale, Reputation Damage, Further Intrusion (Credential Harvesting)

Incident : Data Breach

Title: ForcedLeak: Salesforce Agentforce AI Prompt Injection Vulnerability

Description: A now-fixed flaw in Salesforce’s Agentforce allowed external attackers to steal sensitive customer data via prompt injection. The vulnerability, dubbed 'ForcedLeak,' exploited a DNS misconfiguration and an expired trusted domain (my-salesforce-cms.com) purchased by researchers for $5. Attackers could inject malicious prompts into the Web-to-Lead form's description field (42,000-character limit), tricking AI agents into querying CRM records and exfiltrating data to an attacker-controlled server. Salesforce patched the issue by enforcing trusted URL allow-lists for Agentforce and Einstein Generative AI agents.

Date Publicly Disclosed: 2023-09-07

Date Resolved: 2023-09-08

Type: Data Breach

Attack Vector: Indirect Prompt Injection, DNS Misconfiguration, Expired Trusted Domain Exploitation

Vulnerability Exploited: ForcedLeak (CVE-not-applicable; CVSS v4.0: 9.4 - Critical)

Threat Actor: Security Researchers (Noma Security)

Motivation: Research/Proof-of-Concept (No evidence of malicious exploitation)

Incident : Data Breach

Title: Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration

Description: A notorious ransomware group, Scattered Lapsus$ Hunters (aka ShinyHunters), launched a darkweb data-leak site targeting 39 victims—including Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue—whose Salesforce CRM was integrated with the Salesloft Drift AI chatbot. The group claims to have stolen **1.5 billion Salesforce records** from **760 Salesloft Drift-using companies**, with leaked samples confirming exposure of **PII (names, DOBs, nationalities, passport numbers, contact details, employment histories)**, shipping data, marketing leads, support case records, chat transcripts, flight details, and car ownership records. The attack exploited **stolen OAuth tokens** from Salesloft’s GitHub repository, granting access to Salesforce instances and other cloud resources (Google Workspace, Microsoft 365, Okta). The FBI and Google’s Mandiant linked the attacks to **UNC6040**, a threat cluster using **social engineering (vishing, phishing, IT impersonation)** to trick support staff into granting access. ShinyHunters demanded separate ransoms from Salesforce and listed victims, threatening to leak data for non-payment.

Date Detected: 2023-08-08

Date Publicly Disclosed: 2023-09-15

Type: Data Breach

Attack Vector: Stolen OAuth Tokens, GitHub Repository Compromise, Social Engineering (Vishing/Phishing), Third-Party Software Exploitation (Salesloft Drift), Lateral Movement to Cloud Platforms (Google Workspace, Microsoft 365, Okta)

Vulnerability Exploited: Weak OAuth Token Security, Lack of Multi-Factor Authentication (2FA) for OAuth Apps, Unpatched Third-Party Integrations (Salesloft Drift), Human Error (Support Staff Tricked via Impersonation)

Threat Actor: Scattered Lapsus$ Hunters (aka ShinyHunters), UNC6040, The Com (English-speaking cybercrime collective)

Motivation: Financial Gain (Extortion/Ransom), Data Theft for Dark Web Sales, Reputation Damage

Incident : Extortion

Title: Scattered LAPSUS$ Hunters Extortion Campaign Targeting Salesforce Environments

Description: A threat actor group calling itself Scattered LAPSUS$ Hunters (SLH) has launched a data-leak site listing about 40 companies’ Salesforce environments, demanding $989.45 to prevent the publication of what it claims is about 1 billion stolen records. The group set an October 10 deadline for Salesforce to negotiate payment or face data leakage. The incident is linked to prior OAuth token abuse campaigns via Salesloft's Drift integration, which affected hundreds of organizations. Salesforce denies platform compromise but acknowledges extortion attempts tied to past or unsubstantiated incidents. The group includes members from Scattered Spider, ShinyHunters, and Lapsus$, some of whom were recently arrested in connection with other high-profile attacks.

Date Publicly Disclosed: 2024-09-27

Type: Extortion

Attack Vector: OAuth Token Abuse (via Salesloft's Drift integration), Social Engineering, Credential Stuffing

Vulnerability Exploited: Misconfigured OAuth integrations (historical, via Salesloft's Drift)

Threat Actor: Scattered LAPSUS$ Hunters (SLH), Scattered Spider, ShinyHunters, Lapsus$

Motivation: Financial Gain, Extortion, Reputation Damage

Incident : Extortion

Title: Scattered LAPSUS$ Hunters Extortion Threat Targeting Salesforce CRM Users

Description: A cyber gang previously known as LAPSUS$, now rebranded as Scattered LAPSUS$ Hunters, has resurfaced with a massive extortion threat. The group claims to have accessed data from ~40 companies using Salesforce CRM and demands $989 million to prevent the leak of ~1 billion customer records. The threat involves telephone social engineering (vishing) attacks, where criminals pose as IT staff to trick users into authorizing malicious applications within Salesforce, granting access to sensitive data without exploiting technical vulnerabilities. Salesforce denies its platform was hacked and is assisting affected customers. The group is linked to UNC6040 and UNC6240, with tactics overlapping those of Lapsus$ and Scattered Spider.

Type: Extortion

Attack Vector: Telephone Social Engineering (Vishing), Malicious Application Authorization via Salesforce API

Vulnerability Exploited: Human vulnerability (tricking users into authorizing malicious apps)

Threat Actor: Scattered LAPSUS$ Hunters, UNC6040, UNC6240

Motivation: Financial gain (extortion)

Incident : Data Breach

Title: Shiny Hunters Ransom Demand for Nearly 1 Billion Stolen Salesforce Records

Description: Hackers claiming to be part of the Shiny Hunters group set up a dark web site called 'Scattered Lapsus$ Hunters,' demanding a ransom from 39 companies and Salesforce itself for nearly 1 billion allegedly stolen Salesforce records. The hackers provided a deadline of October 10, 2025, and published samples of stolen data from brands like Adidas, Cisco, FedEx, and Disney. Salesforce attributed the breach to social engineering attacks targeting its users, not a direct compromise of its platform. The incident follows a series of related attacks, including voice phishing (vishing) and exploitation of third-party app integrations (e.g., Salesloft Drift). Fourteen companies filed lawsuits against Salesforce in September 2025 over unauthorized data access.

Date Publicly Disclosed: 2025-10-03

Type: Data Breach

Attack Vector: Social Engineering (Voice Phishing/Vishing), Malicious OAuth Applications, Third-Party App Exploitation (Salesloft Drift Integration)

Vulnerability Exploited: Human Error (Tricked into Installing Malicious Apps), Weak Third-Party Integration Security

Threat Actor: Shiny Hunters

Motivation: Financial Gain (Ransom Extortion), Data Theft for Dark Web Sale

Incident : Data Breach

Title: Salesforce Data Theft and Extortion Campaigns (2024-2025)

Description: Salesforce confirmed it would not negotiate with or pay ransom to the threat actors behind a massive wave of data theft attacks impacting its customers in 2025. The attacks involved two separate campaigns: (1) social engineering impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances (late 2024), and (2) exploitation of stolen SalesLoft Drift OAuth tokens to pivot to CRM environments and exfiltrate data (August 2025). Threat actors, including 'Scattered Lapsus$ Hunters' and 'ShinyHunters,' claimed to have stolen nearly 1 billion records in the first campaign and 1.5 billion records (760+ companies) in the second. A data leak site was launched to extort 39 companies, including FedEx, Disney, Google, and others, but was later shut down. The FBI may have seized the domain.

Date Publicly Disclosed: 2025-09-17

Type: Data Breach

Attack Vector: Social Engineering (OAuth Phishing), Stolen OAuth Tokens (SalesLoft Drift), Supply Chain Compromise

Vulnerability Exploited: OAuth Application Abuse, Stolen Credentials/API Tokens, Improper Access Controls

Threat Actor: Scattered Lapsus$ Hunters, ShinyHunters

Motivation: Financial Gain (Extortion)

Incident : Data Breach

Title: ShinyHunters/Scattered LAPSUS$ Hunters Multi-Company Data Breach and Extortion Campaign (2025)

Description: A cybercriminal group (ShinyHunters/Scattered LAPSUS$ Hunters) used voice phishing (vishing) to compromise Salesforce instances of Fortune 500 companies, stealing over a billion records. The group launched a victim-shame blog threatening to leak data unless ransoms were paid. Additional breaches included Discord (via a third-party vendor), Red Hat (GitLab server compromise), and exploitation of a zero-day in Oracle E-Business Suite (CVE-2025-61882). The group also sent malware-laced threats to security researchers and leveraged ASYNCRAT trojan for persistence. Law enforcement actions targeted members, including arrests and extraditions.

Date Detected: 2025-05

Date Publicly Disclosed: 2025-06-01

Type: Data Breach

Attack Vector: Voice Phishing (Vishing), Malicious OAuth App Integration (Salesforce), Exploit of CVE-2025-61882 (Oracle E-Business Suite), Compromised Third-Party Vendor (Discord), GitLab Server Exfiltration (Red Hat), Malware-Laced Emails (ASYNCRAT Trojan)

Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite - Unauthenticated RCE), Salesforce OAuth Misconfiguration (via Vishing), Third-Party Customer Service Provider (Discord), GitLab Server Misconfiguration (Red Hat)

Threat Actor: ShinyHunters (UNC6040); aliases: Scattered LAPSUS$ Hunters, UNC6240, UNC6395; affiliation: Scattered Spider, Lapsus$, The Com (Cybercriminal Community); nationality: English-speaking (multinational). Crimson Collective (claimed responsibility for the Red Hat breach). Clop Ransomware Gang (exploited CVE-2025-61882 prior to public disclosure).

Motivation: Financial Gain (Extortion), Data Theft for Resale (Dark Web), Reputation Damage (Victim-Shaming), Harassment of Security Researchers

Incident : Data Breach

Title: Salesforce Data Breach via SalesLoft's Drift App by ShinyHunters

Description: Salesforce informed customers that it will not pay ransom to hackers (ShinyHunters) threatening to publish stolen customer data. The breach originated from a security incident at third-party provider SalesLoft, specifically its Drift app (integrated with Salesforce for automated customer communications). Attackers accessed SalesLoft’s GitHub account (March–June), stole OAuth tokens linking Drift to Salesforce environments, and penetrated Drift’s AWS environment to exfiltrate data from hundreds of organizations, including Cloudflare, Zscaler, and Palo Alto Networks. Stolen data included customer contact details, IT support info, access tokens, and IT configurations. Salesforce disabled the Drift app and is supporting affected customers without negotiating with attackers.

Type: Data Breach

Attack Vector: Compromised GitHub Account, Stolen OAuth Tokens, AWS Environment Infiltration, Third-Party App Exploitation (Drift)

Vulnerability Exploited: Improper Token Management, GitHub Account Security Weakness, Third-Party Integration Risks

Threat Actor: ShinyHunters

Motivation: Financial Extortion, Data Theft for Dark Web Sale

Incident : Data Breach

Title: Salesforce Data Extortion Campaign by Scattered LAPSUS$ Hunters

Description: Salesforce refused to pay an extortion demand made by a crime syndicate (Scattered LAPSUS$ Hunters) claiming to have stolen roughly 1 billion records from dozens of Salesforce customers. The group, tracked as UNC6040 by Mandiant, initiated the campaign in May 2024 by making voice calls to organizations, tricking them into connecting an attacker-controlled app to their Salesforce portals. The group created a website naming affected customers (including Toyota and FedEx) and demanded ransom from Salesforce, threatening to leak the data if unpaid. Salesforce rejected the demand.

Date Detected: 2024-05-01

Date Publicly Disclosed: 2024-06-01

Type: Data Breach

Attack Vector: Voice Phishing (Vishing), Malicious App Integration, Social Engineering

Vulnerability Exploited: Human Error (Compliance with Fraudulent Requests)

Threat Actor: Scattered LAPSUS$ Hunters, UNC6040 (Mandiant designation)

Motivation: Financial Gain (Extortion)

Incident : Law Enforcement Takedown

Title: FBI Seizure of BreachForums Hacking Forum Operated by ShinyHunters

Description: The FBI, in collaboration with law enforcement authorities in France, seized all domains for the BreachForums hacking forum, a platform primarily used by the ShinyHunters group to leak corporate data stolen in ransomware and extortion attacks. The seizure occurred before the Scattered Lapsus$ Hunters group could leak data from Salesforce breaches targeting companies that refused to pay ransoms. The operation compromised all BreachForums database backups since 2023, including escrow databases, and seized backend servers. Despite the takedown, the gang's dark web data leak site remains operational, and the Salesforce data leak (affecting over 1 billion customer records from companies like FedEx, Disney, Google, and others) is still scheduled for release. ShinyHunters confirmed no arrests of core admin team members but declared the 'era of forums' over, warning future platforms may be honeypots.

Date Publicly Disclosed: 2025-10-09

Type: Law Enforcement Takedown

Threat Actor: ShinyHunters, Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion), Data Leakage, Cybercrime Facilitation

Incident : Data Breach

Title: Scattered Lapsus$ Hunters Threatens to Leak One Billion Records Allegedly Stolen from Salesforce Systems

Description: A message on the BreachForums extortion site threatened to leak one billion records allegedly stolen from the Salesforce systems of 39 of the largest companies in the world, including Disney, Toyota, Adidas, McDonald's, IKEA, and Home Depot. The threat was issued by a super-alliance of the ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups, known as Scattered Lapsus$ Hunters. The group vowed to carry out the leak via dark web and Clearnet sites if Salesforce did not pay a ransom by 11:59 p.m. EST on October 10, 2023. The message warned of targeting individual customers of Salesforce if the company failed to comply.

Type: Data Breach

Threat Actor: ShinyHunters, Scattered Spider, LAPSUS$, Scattered Lapsus$ Hunters

Motivation: Financial Gain, Extortion

Incident : Forum Takedown

Title: FBI Seizes Domains Linked to BreachForums Hacking Forum

Description: The FBI has seized control of domains linked to the BreachForums hacking forum, a platform used by cybercriminals (including groups like Baphomet, IntelBroker, and ShinyHunters) to buy, sell, and trade hacked or stolen data. The forum was used to leak data and conduct extortion attempts against high-profile targets such as Salesforce, Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota. This takedown disrupts a key hub for cybercriminal monetization, recruitment, and targeting across multiple sectors. The operation follows prior seizures in March 2023 and a 2023 joint effort with Europol, though the forum had repeatedly resurfaced. Cybercriminals are now shifting to Telegram for communications and extortion, signaling the 'end of an era' for centralized hacking forums.

Type: Forum Takedown

Threat Actor: Baphomet, IntelBroker, ShinyHunters, Scattered Lapsus$ Hunters

Motivation: Financial Gain, Data Monetization, Extortion, Recruitment of Collaborators

Incident : Cybercriminal Alliance Formation

Title: Formation of Scattered LAPSUS$ Hunters (SLH) Cybercriminal Collective and Targeting of Salesforce

Description: The cybercriminal underground witnessed a significant consolidation as three notorious threat actors—Scattered Spider, ShinyHunters, and LAPSUS$—formally aligned to create the **Scattered LAPSUS$ Hunters (SLH)**, a federated collective that emerged in **early August 2025**. The alliance operates primarily through **Telegram**, leveraging it as both a coordination tool and a performative marketing channel. SLH announced **Salesforce** as one of its victims, targeting high-value enterprises including SaaS providers. The group exhibits sophisticated technical capabilities, including **AI-automated vishing, spearphishing, exploit development (e.g., CVE-2025-61882, CVE-2025-31324), and zero-day vulnerability brokerage**, while formalizing an **Extortion-as-a-Service (EaaS) model**. Core operators include **'shinycorp' (principal orchestrator)** and **'yuka' (exploit developer linked to BlackLotus UEFI bootkit and Medusa rootkit)**. The collective demonstrates **adaptive resilience** through repeated Telegram channel recreations and centralized decision-making, blending **theatrical brand management** with calculated extortion tactics.

Date Detected: 2025-08-08

Date Publicly Disclosed: 2025-08-08

Type: Cybercriminal Alliance Formation

Attack Vector: AI-automated vishing, Spearphishing, Credential Harvesting, Lateral Movement, Privilege Escalation, Zero-day Exploitation (e.g., CVE-2025-61882, CVE-2025-31324), Exploit Brokerage, Data Exfiltration, Extortion-as-a-Service (EaaS)

Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite), CVE-2025-31324 (unspecified CRM/DBMS/SaaS target), Zero-day vulnerabilities in cloud infrastructure/SaaS platforms

Threat Actor: Scattered LAPSUS$ Hunters (SLH); aliases: SLH, scattered LAPSUS$ hunters 7.0; affiliated groups: Scattered Spider, ShinyHunters, LAPSUS$, The Com; core members: shinycorp (handles @sp1d3rhunters and @shinyc0rp; principal orchestrator), yuka (exploit developer; associated malware: BlackLotus UEFI bootkit, Medusa rootkit), Alg0d (auxiliary operator), UNC5537 (auxiliary operator); operational model: Extortion-as-a-Service (EaaS), Crowdsourced Extortion, Vulnerability Brokerage.

Motivation: Financial Gain, Reputational Capital, Operational Resilience, Narrative Control, Psychological Impact (Theatrical Branding)

Incident : Data Breach

Title: Salesforce Cyberattack Exposing Customer Data via OAuth Token Theft

Description: Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data. The breaches involved the theft of OAuth tokens from the third-party Salesloft Drift app, leading to unauthorized access to Salesforce systems. Attackers used social engineering to impersonate IT support and trick employees into sharing credentials. Salesforce denies its platform was compromised, attributing the issue to third-party vulnerabilities. Lawsuits allege negligence in securing PII, with victims at risk of identity theft.

Date Publicly Disclosed: 2025-07

Type: Data Breach

Attack Vector: Social Engineering, OAuth Token Theft, Third-Party Compromise (GitHub/Salesloft Drift)

Vulnerability Exploited: Human error (social engineering via impersonation of IT support); Stolen OAuth tokens from Salesloft Drift

Motivation: Data theft; credential harvesting; potential financial gain (identity theft/fraud)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is the cyber attack category, chiefly data breaches and extortion via compromised third-party OAuth integrations and social engineering.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: Across the recorded incidents, the attack vectors were identified as: telephone-based social engineering (vishing calls spoofing IT support, including AI-automated vishing and SIP spoofing via VoIP/Tor) used to trick users into authorizing malicious Salesforce connected (OAuth) apps; spearphishing, malicious links and credential harvesting; compromise of the Salesloft GitHub account (March to June 2025), exposing secrets and OAuth tokens for the Drift/Salesforce integration; abuse of the stolen Drift OAuth tokens against customer Salesforce instances; the Web-to-Lead form description field (Agentforce); a compromised third-party customer-service vendor (Discord); an exploited GitLab misconfiguration (Red Hat); a zero-day exploit in Oracle E-Business Suite (CVE-2025-61882); and BreachForums and compromised SaaS/enterprise accounts used for data trading and extortion.
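Both the stolen Drift OAuth tokens and the vishing-to-authorize-a-malicious-connected-app vector leave a trace in the affected org's OauthToken object, so the first check an admin would run is a triage of every live connected-app token. The Python below is an added example written for this page, not Salesforce or Salesloft code. The SOQL string and field names are an assumption to verify against your org's schema, and the app names, the token records and the 30-day staleness threshold are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Assumed SOQL to pull the tokens this function triages (run as an admin and
# verify the OauthToken field names against your org before relying on it).
TOKEN_SOQL = (
    "SELECT Id, AppName, UserId, LastUsedDate, UseCount "
    "FROM OauthToken ORDER BY LastUsedDate DESC"
)

# Constructed policy: apps known to be compromised get revoked outright; apps
# not on the allowlist are reviewed as possible user-authorized malicious apps.
COMPROMISED_APPS = {"Drift"}
ALLOWLISTED_APPS = {"Data Loader"}

# Constructed sample rows shaped like OauthToken query results.
NOW = datetime(2025, 8, 28, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"Id": "0Ka000000000001", "AppName": "Drift", "UserId": "005000000000001",
     "LastUsedDate": "2025-08-17T03:12:00.000Z", "UseCount": 412},
    {"Id": "0Ka000000000002", "AppName": "Data Loader", "UserId": "005000000000002",
     "LastUsedDate": "2025-08-27T14:05:00.000Z", "UseCount": 9},
    {"Id": "0Ka000000000003", "AppName": "Ticket Portal Helper", "UserId": "005000000000003",
     "LastUsedDate": "2025-08-26T09:40:00.000Z", "UseCount": 1},
    {"Id": "0Ka000000000004", "AppName": "Data Loader", "UserId": "005000000000004",
     "LastUsedDate": "2025-03-01T08:00:00.000Z", "UseCount": 3},
    {"Id": "0Ka000000000005", "AppName": "Data Loader", "UserId": "005000000000005",
     "LastUsedDate": None, "UseCount": 0},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps Salesforce returns (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_tokens(tokens, compromised_apps, allowlisted_apps, now, stale_days=30):
    """Sort tokens into three buckets: revoke now, review the app, revoke as stale.

    A token for a compromised app is revoked regardless of age. Any other token
    is flagged if its app is not allowlisted (the vishing campaign relied on
    users authorizing a look-alike app) and, independently, if it has not been
    used within stale_days or has never been used.
    """
    compromised = {a.lower() for a in compromised_apps}
    allowlisted = {a.lower() for a in allowlisted_apps}
    cutoff = now - timedelta(days=stale_days)
    result = {"revoke": [], "unknown_app": [], "stale": []}
    for tok in tokens:
        app = (tok.get("AppName") or "").lower()
        if app in compromised:
            result["revoke"].append(tok["Id"])
            continue
        if app not in allowlisted:
            result["unknown_app"].append(tok["Id"])
        last_used = tok.get("LastUsedDate")
        if last_used is None or parse_ts(last_used) < cutoff:
            result["stale"].append(tok["Id"])
    return result


if __name__ == "__main__":
    for bucket, ids in triage_tokens(SAMPLE_TOKENS, COMPROMISED_APPS,
                                     ALLOWLISTED_APPS, NOW).items():
        print(f"{bucket}: {ids}")
```

Matching on the display name is the weak point of this check: the malicious app in the vishing campaign was a renamed copy of a legitimate tool, so in practice key the allowlist on the connected app's consumer key or AppMenuItemId rather than AppName, and treat any app a user self-authorized from a phone call as "unknown" until the install is confirmed.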

Impact of the Incidents

What was the impact of each incident ?

Incident : Cyber Attack SAL215719323

Systems Affected: Customer Instances

Downtime: 15 hours

Operational Impact: Service Disruption

Incident : Data Breach SAL729082725

Data Compromised: Customer account data, User data, Opportunities data, Aws access keys, Snowflake tokens, High-value secrets

Systems Affected: Salesforce corporate accounts; Salesloft Drift application

Operational Impact: Temporary removal of the Drift app from the Salesforce AppExchange; revocation of active access tokens

Brand Reputation Impact: Potential reputational damage due to unauthorized data access and credential theft

Identity Theft Risk: High (due to stolen credentials and secrets)

Incident : Data Breach SAL5732257091825

Data Compromised: Salesforce Account: 250 million records; Salesforce Contact: 579 million records; Salesforce Opportunity: 171 million records; Salesforce User: 60 million records; Salesforce Case: 459 million records; Total: 1.5 billion records

Systems Affected: Salesforce CRM; Drift AI chat/email services; Salesloft platform; Salesloft GitHub repository; connected applications (AWS, Snowflake, etc.)

Operational Impact: Unauthorized data access; extortion threats; potential further intrusions via stolen credentials; reputation damage for affected companies

Brand Reputation Impact: High (public disclosure of breach); loss of customer trust; potential regulatory scrutiny

Identity Theft Risk: High (PII in Contact/Account records); credential-stuffing risk

Incident : Data Breach SAL5403154092725

Data Compromised: Customer lead data, Email addresses, Potentially other crm records

Systems Affected: Salesforce Agentforce; Einstein generative AI agents; Web-to-Lead feature

Operational Impact: High (Risk of sensitive data exfiltration via AI agents)

Brand Reputation Impact: Moderate (Public disclosure of critical AI security flaw)

Identity Theft Risk: Potential (Exposed email addresses and lead data)

Incident : Data Breach SAL5592855100325

Data Compromised: Personally identifiable information (pii), Shipping information, Marketing lead data, Customer support case records, Chat transcripts, Flight details, Car ownership records, Employment histories, Passport numbers, Full contact information

Systems Affected: Salesforce CRM instances; Salesloft Drift AI chatbot; Google Workspace; Microsoft 365; Okta platforms; Salesloft GitHub repository

Operational Impact: Potential disruption to CRM operations; customer data exposure risks; incident response activation

Brand Reputation Impact: High (public data leak site); loss of customer trust; media scrutiny

Legal Liabilities: Potential GDPR/CCPA violations; regulatory fines; class-action lawsuits

Identity Theft Risk: High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)

Incident : Extortion SAL2102121100425

Data Compromised: 1 billion records (claimed by threat actors)

Systems Affected: Salesforce environments of ~40 companies; customer data accessed via OAuth abuse

Brand Reputation Impact: High (public extortion threats, media coverage)

Identity Theft Risk: Potential (if PII was exposed)

Incident : Extortion SAL4932949100625

Data Compromised: Customer records (~1 billion), Sensitive customer information

Systems Affected: Salesforce CRM environments of ~40 companies

Brand Reputation Impact: Potential reputational damage to Salesforce and affected companies

Identity Theft Risk: High (due to compromised customer data)

Incident : Data Breach SAL0693606100625

Data Compromised: Nearly 1 billion records (claimed)

Systems Affected: Salesforce user accounts; third-party integrations (e.g., Salesloft Drift)

Operational Impact: Disruption of third-party integrations (Aug 28 to Sep 7, 2025); legal actions (14 lawsuits filed)

Customer Complaints: High (across online platforms like LinkedIn and Reddit)

Brand Reputation Impact: Severe (described as a 'slow-motion train wreck' by observers; criticism over accountability)

Legal Liabilities: 14 Lawsuits Filed by Affected Companies (as of September 2025)

Identity Theft Risk: High (PII likely included in stolen data)

Incident : Data Breach SAL0962109100825

Data Compromised: Customer data, Support tickets, Credentials, Api tokens, Authentication tokens

Systems Affected: Salesforce CRM instances; SalesLoft Drift environments

Operational Impact: Potential infrastructure breaches due to stolen credentials/tokens

Brand Reputation Impact: High (public extortion of major brands)

Identity Theft Risk: High (PII and credentials exposed)

Incident : Data Breach SAL0562205100825

Data Compromised: Salesforce customer records (>1B); Discord user data (usernames, emails, IP addresses, last four digits of payment cards, government IDs); Red Hat GitLab repositories (28,000+ repos, 5,000+ customer engagement reports, API tokens, infrastructure details); Oracle E-Business Suite data (via CVE-2025-61882); Salesloft authentication tokens for cloud services (Snowflake, AWS)

Systems Affected: Salesforce instances (multiple Fortune 500 companies); Discord third-party customer-service provider; Red Hat GitLab server; Oracle E-Business Suite servers; Salesloft AI chatbot platform

Operational Impact: Forensic investigations (Salesforce, Red Hat, Discord); customer notifications (ongoing); regulatory scrutiny; reputation damage for victim companies

Customer Complaints: Expected (Due to Data Leak Threats)

Brand Reputation Impact: Salesforce (extortion refusal publicized); Fortune 500 victims (named on victim-shaming blog); Red Hat (trust erosion due to GitLab breach); Discord (user privacy concerns)

Legal Liabilities: Potential GDPR/CCPA violations (Discord, Salesforce customers); regulatory fines (pending investigations); lawsuits from affected individuals

Identity Theft Risk: High (Discord Government IDs, Payment Data)

Payment Information Risk: Moderate (Discord: Last 4 Digits of Cards)

Incident : Data Breach SAL3132231100825

Data Compromised: Customer contact details, It support information, Access tokens, It configurations, Crm fields, Support cases, Integration data

Systems Affected: SalesLoft Drift app; Salesforce integrations; Drift's AWS environment; SalesLoft GitHub account

Operational Impact: Drift app integration disabled; token renewal required for customers; ongoing customer support efforts

Brand Reputation Impact: Public refusal to pay ransom; third-party trust erosion; media coverage (Bloomberg, Google Threat Intelligence)

Identity Theft Risk: Low (primarily corporate data)

Incident : Data Breach SAL5002150100925

Data Compromised: ~1 billion records

Systems Affected: Salesforce Customer Portals

Brand Reputation Impact: High (Public extortion threat and data leak risk)

Identity Theft Risk: Potential (depends on compromised data types)

Incident : Law Enforcement Takedown SAL4232242101025

Data Compromised: Corporate data, Customer records (1+ billion), Escrow databases, Database backups (since 2023)

Systems Affected: BreachForums domains; backend servers; database backups

Downtime: BreachForums (permanent); forum infrastructure (seized)

Operational Impact: Termination of BreachForums operations; disruption of the cybercrime ecosystem; loss of trust in hacking forums

Brand Reputation Impact: Negative (for affected companies); loss of anonymity for cybercriminals

Legal Liabilities: Potential charges for BreachForums admins (e.g., Kai West, aka 'IntelBroker'); regulatory scrutiny for affected companies

Identity Theft Risk: High (1+ billion customer records exposed)

Incident : Data Breach SAL5602056101125

Data Compromised: One billion records (alleged)

Brand Reputation Impact: High (potential, due to threat of massive data leak)

Identity Theft Risk: High (potential, given scale of alleged breach)

Incident : Forum Takedown SAL4432144101325

Data Compromised: Hacked/stolen data (traded on breachforums), Leaked corporate data (e.g., salesforce, google, disney, etc.)

Systems Affected: BreachForums Domain Infrastructure

Downtime: BreachForums and successor sites disrupted

Operational Impact: Disruption of cybercriminal operations; reduced trust in hacking forums; shift to decentralized platforms (e.g., Telegram)

Brand Reputation Impact: Erosion of credibility for BreachForums and similar platforms; increased skepticism among cybercriminal communities

Legal Liabilities: Potential legal consequences for forum operators (e.g., Conor Brian Fitzpatrick)

Identity Theft Risk: High (due to traded stolen data)

Payment Information Risk: High (if financial data was traded)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Data Compromised: Potential crm/saas/database records (salesforce and other high-value enterprises)

Systems Affected: Cloud infrastructure; SaaS platforms (e.g., Salesforce); database systems

Operational Impact: Disruption of SaaS operations; potential supply-chain risks

Brand Reputation Impact: High (Targeting of Salesforce and public extortion tactics)

Identity Theft Risk: Potential (PII in compromised databases)

Incident : Data Breach SAL5090350110725

Data Compromised: Personally identifiable information (pii), Aws access keys, Passwords, Snowflake-related access tokens

Systems Affected: Salesforce CRM (via third-party integration); Salesloft Drift; GitHub repositories

Customer Complaints: Multiple lawsuits filed (15+ cases, including class actions)

Brand Reputation Impact: Significant (lawsuits, media coverage, customer distrust)

Legal Liabilities: Class action lawsuits (e.g., Staci Johnson v. Salesforce); potential regulatory fines

Identity Theft Risk: High (victims required to monitor financial accounts/credit reports)
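Several of the incidents above share one aggravating detail: the attackers did not need the CRM records themselves so much as the AWS access keys, Snowflake tokens and passwords that employees had pasted into support cases and chat transcripts, which then opened the next environment. The sweep below is an added example for this page, not Salesforce, Salesloft or any vendor's tooling: it runs the kind of secret search an attacker would run, but over an export of your own Case records so the secrets can be rotated and scrubbed first. The regexes, the field names and the four sample cases are constructed for the example; the AWS key ID in the sample is the documented placeholder value, not a real credential.

```python
import re
from dataclasses import dataclass

# Patterns for secrets that commonly end up in CRM free text. The AWS, GitHub
# and PEM patterns are fixed formats; the keyword patterns mirror the plain
# strings ("password", "snowflake") reported as the attackers' search terms.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b"),
}

# Constructed sample rows shaped like Case records exported via SOQL/Bulk API.
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "Login issue",
     "Description": "User cannot log in since Monday."},
    {"Id": "500000000000002", "Subject": "S3 sync failing",
     "Description": "Here are my creds: AKIAIOSFODNN7EXAMPLE / secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000003", "Subject": "ETL job failing",
     "Description": "password: Winter2025! for the snowflake service account"},
    {"Id": "500000000000004", "Subject": "Key rotation",
     "Description": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."},
]


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # never carry the full secret into a ticket or log line


def redact(secret):
    """Keep just enough of the match to identify which credential to rotate."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_records(records, text_fields=("Subject", "Description")):
    """Run every pattern over every free-text field and return redacted hits."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append(Finding(rec["Id"], field, kind,
                                            redact(match.group(0))))
    return findings


def records_to_rotate(findings):
    """Distinct record IDs whose contents must be scrubbed and secrets rotated."""
    return sorted({f.record_id for f in findings})


if __name__ == "__main__":
    hits = scan_records(SAMPLE_CASES)
    for hit in hits:
        print(f"{hit.record_id} {hit.field} {hit.kind} {hit.redacted}")
    print("rotate/scrub:", records_to_rotate(hits))
```

The keyword patterns are deliberately noisy (a case that merely mentions Snowflake is a hit), because the point is to find what an attacker's grep would find; triage the hits rather than tuning them away. If an org was in the Drift token scope, every secret this sweep turns up should be treated as already exposed and rotated, not just deleted from the record.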

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are: CRM data (Salesforce Account, Contact, Opportunity, User and Case records, support tickets and chat transcripts); PII (contact details, email addresses, shipping information, flight details, car ownership records, employment histories, passport numbers; Discord user emails, IP addresses and government IDs); customer lead and marketing data; business intelligence and sensitive corporate data (varies by victim); credentials and secrets (AWS access keys, Snowflake tokens, passwords, OAuth, API and authentication tokens, other high-value secrets); source code and infrastructure details (Red Hat Git repositories, customer engagement reports and audits); SaaS configuration details and IT configurations; escrow databases and database backups; and basic business information (Google).

Which entities were affected by each incident ?

Incident : Cyber Attack SAL215719323

Entity Name: Salesforce

Entity Type: Company

Industry: Technology

Location: North America, Europe

Incident : Vishing SAL633060625

Entity Name: Salesforce customers

Entity Type: Organizations

Industry: Multinational corporations

Location: English-speaking branches

Incident : Data Breach SAL729082725

Entity Name: Salesforce

Entity Type: Cloud CRM Platform

Industry: Technology

Location: Global

Size: Large Enterprise

Customers Affected: Multiple corporate Salesforce accounts (exact number undisclosed)

Incident : Data Breach SAL729082725

Entity Name: Salesloft (Drift application)

Entity Type: Third-Party SaaS Provider

Industry: Sales Engagement

Location: Global

Incident : Data Breach SAL729082725

Entity Name: Multiple Unnamed Organizations

Entity Type: Corporate, Enterprise

Industry: Various

Location: Global

Incident : Data Breach SAL5732257091825

Entity Name: Salesforce

Entity Type: Cloud CRM Provider

Industry: Technology/Software

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 760 companies

Incident : Data Breach SAL5732257091825

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: Technology/Software

Location: USA (HQ: Atlanta, Georgia)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Drift

Entity Type: Conversational Marketing Platform

Industry: Technology/Software

Location: USA (HQ: Boston, Massachusetts)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Google

Entity Type: Technology Conglomerate

Industry: Technology/Internet Services

Location: Global (HQ: Mountain View, USA)

Size: Mega-Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Cloudflare

Entity Type: Web Infrastructure & Security

Industry: Technology/Cybersecurity

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity

Industry: Technology/Cybersecurity

Location: Global (HQ: Santa Clara, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Zscaler

Entity Type: Cloud Security

Industry: Technology/Cybersecurity

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Tenable

Entity Type: Vulnerability Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Columbia, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: CyberArk

Entity Type: Privileged Access Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Petah Tikva, Israel)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Elastic

Entity Type: Search & Analytics

Industry: Technology/Software

Location: Global (HQ: Mountain View, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Qualys

Entity Type: IT Security & Compliance

Industry: Technology/Cybersecurity

Location: Global (HQ: Foster City, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Nutanix

Entity Type: Cloud Computing

Industry: Technology/Software

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Proofpoint

Entity Type: Cybersecurity (Email Security)

Industry: Technology/Cybersecurity

Location: Global (HQ: Sunnyvale, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: BeyondTrust

Entity Type: Privileged Access Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Phoenix, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Rubrik

Entity Type: Data Management & Security

Industry: Technology/Cybersecurity

Location: Global (HQ: Palo Alto, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Cato Networks

Entity Type: Network Security

Industry: Technology/Cybersecurity

Location: Global (HQ: Tel Aviv, Israel)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5403154092725

Entity Name: Salesforce

Entity Type: Corporation

Industry: Cloud Computing / CRM

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Salesforce

Entity Type: Software Company (CRM)

Industry: Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 760+ (via Salesloft Drift integration)

Incident : Data Breach SAL5592855100325

Entity Name: Salesloft (Drift)

Entity Type: Software Company (AI Chatbot)

Industry: Technology/SaaS

Location: Global (HQ: Atlanta, USA)

Size: Mid-to-Large

Customers Affected: 760+

Incident : Data Breach SAL5592855100325

Entity Name: Cisco

Entity Type: Corporation

Industry: Technology

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: The Walt Disney Company

Entity Type: Corporation

Industry: Entertainment

Location: Global (HQ: Burbank, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: KFC (Yum! Brands)

Entity Type: Restaurant Chain

Industry: Food & Beverage

Location: Global

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: IKEA

Entity Type: Retailer

Industry: Furniture

Location: Global (HQ: Netherlands)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Marriott International

Entity Type: Hospitality

Industry: Hotels

Location: Global (HQ: Bethesda, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: McDonald's

Entity Type: Restaurant Chain

Industry: Food & Beverage

Location: Global (HQ: Chicago, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Walgreens Boots Alliance

Entity Type: Pharmacy Retailer

Industry: Healthcare/Retail

Location: Global (HQ: Deerfield, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Albertsons Companies

Entity Type: Grocery Retailer

Industry: Retail

Location: USA

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Saks Fifth Avenue

Entity Type: Luxury Retailer

Industry: Retail

Location: USA (HQ: New York)

Size: Large

Incident : Extortion SAL2102121100425

Entity Name: Salesforce

Entity Type: Corporation

Industry: Cloud Computing / CRM

Location: San Francisco, California, USA

Size: Large (Enterprise)

Customers Affected: ~40 companies (via Salesforce environments)

Incident : Extortion SAL2102121100425

Entity Name: Salesloft (Drift integration)

Entity Type: Corporation

Industry: Sales Engagement Software

Location: Atlanta, Georgia, USA

Customers Affected: Hundreds of organizations (via OAuth abuse)

Incident : Extortion SAL2102121100425

Entity Name: Multiple Unnamed Companies

Entity Type: Corporations, Organizations

Industry: Various

Location: Global

Incident : Extortion SAL4932949100625

Entity Name: Salesforce

Entity Type: Corporation

Industry: Cloud Computing / CRM

Location: San Francisco, California, USA

Size: Large (Enterprise)

Customers Affected: ~40 companies using Salesforce CRM (indirectly affecting ~1 billion customer records)

Incident : Extortion SAL4932949100625

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: Mountain View, California, USA

Size: Large (Enterprise)

Customers Affected: Basic business information of small and medium-sized business customers (incident resolved in June)

Incident : Extortion SAL4932949100625

Entity Name: 40 unnamed companies

Entity Type: Corporations, Businesses

Customers Affected: ~1 billion customer records collectively

Incident : Data Breach SAL0693606100625

Entity Name: Salesforce

Entity Type: Cloud-Based CRM Provider

Industry: Technology/Software

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: 39 companies (targeted for ransom) + unspecified number of users

Incident : Data Breach SAL0693606100625

Entity Name: Adidas

Entity Type: Corporation

Industry: Retail/Apparel

Location: Global (HQ: Herzogenaurach, Germany)

Size: Enterprise

Incident : Data Breach SAL0693606100625

Entity Name: Cisco

Entity Type: Corporation

Industry: Technology/Networking

Location: Global (HQ: San Jose, California, USA)

Size: Enterprise

Incident : Data Breach SAL0693606100625

Entity Name: FedEx

Entity Type: Corporation

Industry: Logistics/Transportation

Location: Global (HQ: Memphis, Tennessee, USA)

Size: Enterprise

Incident : Data Breach SAL0693606100625

Entity Name: Disney

Entity Type: Corporation

Industry: Entertainment/Media

Location: Global (HQ: Burbank, California, USA)

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Salesforce

Entity Type: Cloud Service Provider

Industry: Technology (CRM/SaaS)

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: 39+ (direct extortion targets), 760+ (SalesLoft campaign)

Incident : Data Breach SAL0962109100825

Entity Name: FedEx

Entity Type: Corporation

Industry: Logistics

Location: Memphis, Tennessee, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Disney/Hulu

Entity Type: Corporation

Industry: Entertainment

Location: Burbank, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Home Depot

Entity Type: Corporation

Industry: Retail

Location: Atlanta, Georgia, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Marriott

Entity Type: Corporation

Industry: Hospitality

Location: Bethesda, Maryland, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: Mountain View, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cisco

Entity Type: Corporation

Industry: Technology

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Toyota City, Aichi, Japan

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Gap

Entity Type: Corporation

Industry: Retail

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Kering

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: McDonald's

Entity Type: Corporation

Industry: Food Service

Location: Chicago, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Walgreens

Entity Type: Corporation

Industry: Pharmacy/Retail

Location: Deerfield, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Instacart

Entity Type: Corporation

Industry: E-commerce

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cartier

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Adidas

Entity Type: Corporation

Industry: Apparel

Location: Herzogenaurach, Germany

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Saks Fifth Avenue

Entity Type: Corporation

Industry: Retail

Location: New York, New York, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Air France & KLM

Entity Type: Corporation

Industry: Aviation

Location: Paris, France / Amstelveen, Netherlands

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: TransUnion

Entity Type: Corporation

Industry: Credit Reporting

Location: Chicago, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: HBO Max

Entity Type: Corporation

Industry: Entertainment

Location: New York, New York, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: UPS

Entity Type: Corporation

Industry: Logistics

Location: Atlanta, Georgia, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Chanel

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: IKEA

Entity Type: Corporation

Industry: Retail

Location: Delft, Netherlands

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Qantas

Entity Type: Corporation

Industry: Aviation

Location: Sydney, Australia

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Allianz Life

Entity Type: Corporation

Industry: Insurance

Location: Minneapolis, Minnesota, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Farmers Insurance

Entity Type: Corporation

Industry: Insurance

Location: Los Angeles, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Workday

Entity Type: Corporation

Industry: Technology (HR/Finance SaaS)

Location: Pleasanton, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: LVMH (Dior, Louis Vuitton, Tiffany & Co.)

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cloudflare

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Zscaler

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Tenable

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Columbia, Maryland, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: CyberArk

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Petah Tikva, Israel

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Elastic

Entity Type: Corporation

Industry: Technology (Search/Data Analytics)

Location: Mountain View, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: BeyondTrust

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Phoenix, Arizona, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Proofpoint

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Sunnyvale, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: JFrog

Entity Type: Corporation

Industry: Technology (DevOps)

Location: Sunnyvale, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Nutanix

Entity Type: Corporation

Industry: Technology (Cloud Computing)

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Qualys

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Foster City, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Rubrik

Entity Type: Corporation

Industry: Technology (Data Management)

Location: Palo Alto, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cato Networks

Entity Type: Corporation

Industry: Technology (Network Security)

Location: Tel Aviv, Israel

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Palo Alto Networks

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Santa Clara, California, USA

Size: Enterprise

Incident : Data Breach SAL0562205100825

Entity Name: Salesforce

Entity Type: CRM Platform

Industry: Enterprise Software

Location: USA (Global Operations)

Size: Large (Fortune 500)

Customers Affected: >1B Records (Across Dozens of Clients)

Incident : Data Breach SAL0562205100825

Entity Name: Google

Entity Type: Technology

Industry: Internet Services

Location: USA

Size: Large

Customers Affected: Corporate Salesforce Instance Compromised

Incident : Data Breach SAL0562205100825

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Japan/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: FedEx

Entity Type: Corporation

Industry: Logistics

Location: USA/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: Disney/Hulu

Entity Type: Corporation

Industry: Entertainment

Location: USA

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: UPS

Entity Type: Corporation

Industry: Logistics

Location: USA/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: Red Hat (IBM)

Entity Type: Subsidiary

Industry: Enterprise Software

Location: USA/Global

Size: Large

Customers Affected: 28,000+ Git Repos, 5,000+ Customer Engagement Reports

Incident : Data Breach SAL0562205100825

Entity Name: Discord

Entity Type: Corporation

Industry: Social Media/Communication

Location: USA

Size: Large

Customers Affected: Limited Number of Users (Support/Trust & Safety Interactions)

Incident : Data Breach SAL0562205100825

Entity Name: Oracle

Entity Type: Corporation

Industry: Enterprise Software

Location: USA/Global

Size: Large

Customers Affected: E-Business Suite Users (Via CVE-2025-61882)

Incident : Data Breach SAL0562205100825

Entity Name: Salesloft

Entity Type: Corporation

Industry: Sales Engagement

Location: USA

Size: Medium

Customers Affected: Authentication Tokens Stolen (Impacted Cloud Services: Snowflake, AWS)

Incident : Data Breach SAL3132231100825

Entity Name: Salesforce

Entity Type: CRM Provider

Industry: Cloud Computing / SaaS

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: Unknown (Hundreds of organizations)

Incident : Data Breach SAL3132231100825

Entity Name: SalesLoft

Entity Type: Sales Engagement Platform

Industry: Sales Technology

Location: Atlanta, Georgia, USA

Size: Mid-Large (500+ employees)

Customers Affected: Unknown (Via Drift App)

Incident : Data Breach SAL3132231100825

Entity Name: Cloudflare

Entity Type: Web Infrastructure & Security

Industry: Cybersecurity

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Zscaler

Entity Type: Cloud Security

Industry: Cybersecurity

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity

Industry: Network Security

Location: Santa Clara, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: CyberArk

Entity Type: Privileged Access Security

Industry: Cybersecurity

Location: Petah Tikva, Israel / Newton, Massachusetts, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Rubrik

Entity Type: Data Management & Security

Industry: Cloud Data Protection

Location: Palo Alto, California, USA

Size: Mid-Large

Incident : Data Breach SAL3132231100825

Entity Name: Nutanix

Entity Type: Hybrid Cloud Computing

Industry: IT Infrastructure

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Ericsson

Entity Type: Telecommunications

Industry: Networking & 5G

Location: Stockholm, Sweden

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: JFrog

Entity Type: DevOps Platform

Industry: Software Development

Location: Sunnyvale, California, USA

Size: Mid-Large

Incident : Data Breach SAL5002150100925

Entity Name: Salesforce

Entity Type: Cloud CRM Provider

Industry: Technology

Location: San Francisco, California, USA

Size: Large Enterprise

Customers Affected: Dozens (including Toyota, FedEx, and 37 others)

Incident : Data Breach SAL5002150100925

Entity Name: Toyota

Entity Type: Automotive Manufacturer

Industry: Automotive

Location: Global

Size: Large Enterprise

Incident : Data Breach SAL5002150100925

Entity Name: FedEx

Entity Type: Logistics Company

Industry: Transportation/Logistics

Location: Global

Size: Large Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: BreachForums

Entity Type: Hacking Forum / Data Extortion Site

Industry: Cybercrime

Location: Global (Seized by U.S. and France)

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Salesforce (Indirectly Affected via Breach)

Entity Type: Cloud Computing / CRM

Industry: Technology

Location: Global

Size: Enterprise

Customers Affected: 1+ billion records (across multiple companies)

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: FedEx

Entity Type: Logistics

Industry: Transportation

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Disney/Hulu

Entity Type: Entertainment

Industry: Media

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Home Depot

Entity Type: Retail

Industry: Home Improvement

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Marriott

Entity Type: Hospitality

Industry: Travel

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Google

Entity Type: Technology

Industry: Internet Services

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Cisco

Entity Type: Technology

Industry: Networking

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Toyota

Entity Type: Automotive

Industry: Manufacturing

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Gap

Entity Type: Retail

Industry: Fashion

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: McDonald's

Entity Type: Food Service

Industry: Restaurant

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Walgreens

Entity Type: Retail

Industry: Pharmacy

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Instacart

Entity Type: E-Commerce

Industry: Grocery Delivery

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Cartier

Entity Type: Luxury Goods

Industry: Retail

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Adidas

Entity Type: Retail

Industry: Sportswear

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Saks Fifth Avenue

Entity Type: Retail

Industry: Luxury Department Store

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Air France & KLM

Entity Type: Aviation

Industry: Travel

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: TransUnion

Entity Type: Financial Services

Industry: Credit Reporting

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: HBO Max

Entity Type: Entertainment

Industry: Streaming

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: UPS

Entity Type: Logistics

Industry: Transportation

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Chanel

Entity Type: Luxury Goods

Industry: Retail

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: IKEA

Entity Type: Retail

Industry: Furniture

Location: Global

Size: Enterprise

Incident : data breach SAL5602056101125

Entity Name: Salesforce

Entity Type: corporation

Industry: cloud computing / CRM

Location: San Francisco, California, USA

Size: large

Customers Affected: 39 (including Disney, Toyota, Adidas, McDonald's, IKEA, Home Depot)

Incident : data breach SAL5602056101125

Entity Name: Disney

Entity Type: corporation

Industry: entertainment

Location: Burbank, California, USA

Size: large

Incident : data breach SAL5602056101125

Entity Name: Toyota

Entity Type: corporation

Industry: automotive

Location: Toyota City, Aichi, Japan

Size: large

Incident : data breach SAL5602056101125

Entity Name: Adidas

Entity Type: corporation

Industry: sportswear

Location: Herzogenaurach, Germany

Size: large

Incident : data breach SAL5602056101125

Entity Name: McDonald's

Entity Type: corporation

Industry: fast food

Location: Chicago, Illinois, USA

Size: large

Incident : data breach SAL5602056101125

Entity Name: IKEA

Entity Type: corporation

Industry: retail / furniture

Location: Delft, Netherlands

Size: large

Incident : data breach SAL5602056101125

Entity Name: Home Depot

Entity Type: corporation

Industry: retail / home improvement

Location: Atlanta, Georgia, USA

Size: large

Incident : Forum Takedown SAL4432144101325

Entity Name: BreachForums

Entity Type: Hacking Forum

Industry: Cybercrime

Location: Global (Online)

Customers Affected: Cybercriminals and victims of data leaks/extortion

Incident : Forum Takedown SAL4432144101325

Entity Name: Salesforce

Entity Type: Corporation

Industry: Cloud Computing/SaaS

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Palo Alto Networks

Entity Type: Corporation

Industry: Cybersecurity

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Zscaler

Entity Type: Corporation

Industry: Cybersecurity

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Cloudflare

Entity Type: Corporation

Industry: Web Infrastructure

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Disney

Entity Type: Corporation

Industry: Entertainment

Location: USA

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Qantas

Entity Type: Corporation

Industry: Aviation

Location: Australia

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Air France-KLM

Entity Type: Corporation

Industry: Aviation

Location: France/Netherlands

Size: Large

Incident : Forum Takedown SAL4432144101325

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Japan

Size: Large

Incident : Cybercriminal Alliance Formation SAL5402554110625

Entity Name: Salesforce

Entity Type: SaaS Provider

Industry: Customer Relationship Management (CRM)

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach SAL5090350110725

Entity Name: Salesforce

Entity Type: SaaS CRM Vendor

Industry: Technology/Cloud Services

Location: Northern California, USA

Incident : Data Breach SAL5090350110725

Entity Name: Salesloft

Entity Type: Third-Party Vendor

Industry: Sales Engagement Platform

Incident : Data Breach SAL5090350110725

Entity Name: TransUnion

Entity Type: Customer of Salesforce

Industry: Consumer Credit Reporting

Customers Affected: 4.5 million individuals

Incident : Data Breach SAL5090350110725

Entity Name: Allianz Life Insurance

Entity Type: Customer of Salesforce

Industry: Insurance

Incident : Data Breach SAL5090350110725

Entity Name: Farmers Insurance

Entity Type: Customer of Salesforce

Industry: Insurance

Customers Affected: 1 million customers

Incident : Data Breach SAL5090350110725

Entity Name: Workday

Entity Type: Customer of Salesforce

Industry: HR/Enterprise Software

Incident : Data Breach SAL5090350110725

Entity Name: Pandora Jewelry

Entity Type: Customer of Salesforce

Industry: Retail/Jewelry

Response to the Incidents

What measures were taken in response to each incident?

Incident : Cyber Attack SAL215719323

Containment Measures: Blocked access to affected instances

Remediation Measures: Blocked access to orgs with inadvertent permissions

Incident : Data Breach SAL729082725

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security.

Containment Measures: Revoked all active access tokens for Drift app (August 20, 2025); Temporarily removed Drift from Salesforce AppExchange

Remediation Measures: Restricting Connected App scopes; Searching for exposed secrets in Salesforce data; Rotating compromised credentials; Enforcing IP restrictions

Communication Strategy: Advisories issued by GTIG/Mandiant; Notifications to affected organizations; Public blog post by Astrix Security

Enhanced Monitoring: Checking for specific IP addresses/User-Agent strings linked to attackers

Incident : Data Breach SAL5732257091825

Third Party Assistance: Google Mandiant (Threat Intelligence), FBI (Advisory & Investigation).

Law Enforcement Notified: FBI

Remediation Measures: Salesforce Recommendations: Enforce Multi-Factor Authentication (MFA); Apply Principle of Least Privilege; Closely Manage Connected Applications

Communication Strategy: Salesforce Customer Advisories; FBI Public Advisory on UNC6040/6395

Incident : Data Breach SAL5403154092725

Incident Response Plan Activated: True

Containment Measures: Enforced Trusted URL Allow-Lists for Agentforce/Einstein AI; Re-secured Expired Domain (my-salesforce-cms.com)

Remediation Measures: Patches to prevent AI agents from sending data to untrusted URLs

Communication Strategy: Public Statement to The Register; Blog Post by Noma Security

Incident : Data Breach SAL5592855100325

Incident Response Plan Activated: Yes (Salesforce, Mandiant, and Affected Companies)

Third Party Assistance: Mandiant (Google's Incident Response), Salesforce Security Team, FBI Cyber Division.

Law Enforcement Notified: Yes (FBI Issued Advisory on 2023-09-12)

Containment Measures: Revoking Compromised OAuth Tokens; Isolating Affected Salesforce Instances; Disabling Salesloft Drift Integrations

Remediation Measures: Enforcing 2FA for OAuth Apps; Patching Salesloft Drift Vulnerabilities; Audit of Third-Party Integrations

Recovery Measures: Data Backup Restoration (if applicable); Customer Notification Plans; Dark Web Monitoring for Leaked Data

Communication Strategy: Public Disclosure via Media (ISMG, BleepingComputer); Customer Advisories (Pending); Regulatory Notifications

Network Segmentation: Recommended (to Limit Lateral Movement)

Enhanced Monitoring: Salesforce Instance Logs; Cloud Platform (Google Workspace, Microsoft 365, Okta) Activity

Incident : Extortion SAL2102121100425

Incident Response Plan Activated: Yes (Salesforce engaged external experts and authorities)

Third Party Assistance: Mandiant (Google), External Cybersecurity Experts.

Law Enforcement Notified: Yes (US and UK authorities involved)

Remediation Measures: Customer notifications; Investigation of OAuth abuse

Communication Strategy: Public security advisory; Media statements

Incident : Extortion SAL4932949100625

Incident Response Plan Activated: True

Third Party Assistance: External Specialists, Authorities.

Containment Measures: Supporting potentially affected customers; Investigating claims

Communication Strategy: Public denial of platform hack; Advisories to customers

Incident : Data Breach SAL0693606100625

Incident Response Plan Activated: Yes (Salesforce disabled vulnerable Salesloft Drift integration on Aug 28, 2025)

Third Party Assistance: Google Threat Intelligence (Reported Attacks In June And August 2025).

Containment Measures: Disabled Salesloft Drift Integration (Aug 28–Sep 7, 2025)

Remediation Measures: Reinstated Integration with Security Fixes (Sep 7, 2025)

Communication Strategy: Public Security Alert Issued; Denial of Direct Platform Compromise

Incident : Data Breach SAL0962109100825

Incident Response Plan Activated: Yes (Salesforce notified customers)

Law Enforcement Notified: Likely (FBI may have seized extortion domain)

Remediation Measures: Refusal to pay ransom; Customer notifications

Communication Strategy: Public statements and customer emails

Incident : Data Breach SAL0562205100825

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (GTIG), Mandiant (Malware Analysis), Law Enforcement (FBI, UK NCA).

Containment Measures: Salesforce: Disabled Malicious OAuth Apps; Red Hat: Isolated Compromised GitLab Server; Discord: Terminated Third-Party Vendor Access; Oracle: Emergency Patch for CVE-2025-61882

Remediation Measures: Salesforce: Forensic Analysis, Customer Support; Red Hat: Customer Notifications, Repository Audits; Discord: Affected User Notifications, Password Resets; Oracle: Urged Customers to Apply Patch

Recovery Measures: Salesforce: Refused to Pay Ransom, Focused on Defense; Red Hat: Restored GitLab from Backups; Discord: Enhanced Vendor Security Controls

Communication Strategy: Salesforce: Customer Advisories (No Negotiation Policy); Red Hat: Public Disclosure (October 2, 2025); Discord: Direct Emails to Affected Users; Oracle: Security Advisory for CVE-2025-61882

Enhanced Monitoring: Salesforce: Increased Logging for OAuth Integrations; Red Hat: GitLab Access Audits

Incident : Data Breach SAL3132231100825

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (Warnings).

Containment Measures: Disabled Drift App Integration; Token Renewal Mandate for Customers

Remediation Measures: Customer Support Outreach; OAuth Token Rotation

Recovery Measures: Reactivated SalesLoft Integrations (Except Drift)

Communication Strategy: Internal Memo (Bloomberg-Leaked); Public Statement on Non-Payment of Ransom; Customer Advisories

Enhanced Monitoring: Likely (Implied by Google Threat Intelligence Collaboration)

Incident : Data Breach SAL5002150100925

Incident Response Plan Activated: Likely (Salesforce refused ransom demand)

Third Party Assistance: Mandiant (Google-Owned Threat Intelligence).

Communication Strategy: Public refusal of ransom demand (email statement)

Incident : Law Enforcement Takedown SAL4232242101025

Incident Response Plan Activated: Yes (FBI and France's BL2C Unit)

Third Party Assistance: French Law Enforcement (Bl2C Unit).

Law Enforcement Notified: Yes (FBI-led operation)

Containment Measures: Domain Seizure; Backend Server Seizure; Nameserver Redirection to FBI

Remediation Measures: Permanent Shutdown of BreachForums; Prevention of Data Leak (Salesforce Campaign Disrupted)

Communication Strategy: Public Announcement via BleepingComputer; PGP-Signed Message from ShinyHunters on Telegram

Incident : Forum Takedown SAL4432144101325

Incident Response Plan Activated: Yes (FBI-led operation)

Third Party Assistance: Europol (In Prior Operations).

Law Enforcement Notified: Yes (FBI-led, with international coordination)

Containment Measures: Domain seizure; Disruption of forum operations

Communication Strategy: Public announcement by FBI; Media coverage (e.g., ITPro)

Incident : Data Breach SAL5090350110725

Incident Response Plan Activated: Yes (Salesforce offered support to affected customers)

Remediation Measures: Salesforce directed customers to its Trust page for protective steps; denied platform compromise

Communication Strategy: Public notices; Media statements; Trust page updates

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as: Yes (Salesforce, Mandiant, and Affected Companies); Yes (Salesforce engaged external experts and authorities); Yes (Salesforce disabled vulnerable Salesloft Drift integration on Aug 28, 2025); Yes (Salesforce notified customers); Likely (Salesforce refused ransom demand); Yes (FBI and France's BL2C Unit); Yes (FBI-led operation); Yes (Salesforce offered support to affected customers).

How does the company involve third-party assistance in incident response?

Third-Party Assistance: The company involves third-party assistance in incident response through: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security; Google Mandiant (Threat Intelligence), FBI (Advisory & Investigation); Mandiant (Google's Incident Response), Salesforce Security Team, FBI Cyber Division; Mandiant (Google), External cybersecurity experts; External specialists, Authorities; Google Threat Intelligence (reported attacks in June and August 2025); Google Threat Intelligence Group (GTIG), Mandiant (Malware Analysis), Law Enforcement (FBI, UK NCA); Google Threat Intelligence Group (Warnings); Mandiant (Google-owned threat intelligence); French Law Enforcement (BL2C Unit); Europol (in prior operations); Mandiant (Google).

Data Breach Information

What type of data was compromised in each breach?

Incident : Data Breach SAL729082725

Type of Data Compromised: Customer account data, User data, Opportunities data, Credentials, AWS access keys, Snowflake tokens, High-value secrets

Sensitivity of Data: High (includes cloud infrastructure keys and authentication tokens)

Incident : Data Breach SAL5732257091825

Type of Data Compromised: CRM data (Salesforce objects), Account records, Contact records (PII), Opportunity records, User records, Case records (support tickets), AWS keys, Snowflake tokens, Other credentials

Number of Records Exposed: 1.5 billion

Sensitivity of Data: High (PII, Business-Critical CRM Data, Credentials)

Data Exfiltration: Confirmed (Massive Scale); Evidence: Shared File Listing Salesloft's Breached Source Code Folders

File Types Exposed: Salesforce Database Records; Source Code (Salesloft GitHub); Configuration Files; API Keys/Secrets

Personally Identifiable Information: Contact Records (Names, Email Addresses, Phone Numbers, etc.); User Records (Employee/Client Data)

Incident : Data Breach SAL5403154092725

Type of Data Compromised: Customer lead information, Email addresses

Sensitivity of Data: Moderate (Business contact data, no financial/PII confirmed)

Personally Identifiable Information: Partial (Email addresses, potentially names/companies)

Incident : Data Breach SAL5592855100325

Type of Data Compromised: PII, Customer support records, Chat transcripts, Marketing data, Shipping information, Flight details, Employment histories

Number of Records Exposed: 1,500,000,000 (claimed)

Sensitivity of Data: High (Includes Passport Numbers, Nationalities, Contact Details)

Data Exfiltration: Confirmed (Samples Validated by Researchers)

Data Encryption: No (Data Stolen in Plaintext)

File Types Exposed: Database Dumps; CSV/Excel Files; JSON/Log Files; Chat Transcripts

Personally Identifiable Information: Full Names; Dates of Birth; Nationalities; Passport Numbers; Email Addresses; Phone Numbers; Physical Addresses; Employment Histories

Incident : Extortion SAL2102121100425

Type of Data Compromised: Customer data, Potentially PII (unconfirmed)

Number of Records Exposed: 1 billion (claimed; unverified)

Sensitivity of Data: Moderate to High (if PII included)

Data Exfiltration: Claimed by threat actors

Personally Identifiable Information: Potential (unconfirmed)

Incident : Extortion SAL4932949100625

Type of Data Compromised: Customer records, Sensitive customer information, Basic business information (for Google breach)

Number of Records Exposed: ~1 billion (claimed)

Sensitivity of Data: High (customer data, potentially PII)

Incident : Data Breach SAL0693606100625

Type of Data Compromised: Customer records, Sensitive corporate data

Number of Records Exposed: Nearly 1 billion (claimed)

Sensitivity of Data: High (includes PII and potentially proprietary business data)

Data Exfiltration: Yes (samples published on dark web site 'Scattered Lapsus$ Hunters')

Personally Identifiable Information: Likely (based on context)

Incident : Data Breach SAL0962109100825

Type of Data Compromised: Customer records, Support tickets, Credentials, API tokens, Authentication tokens

Number of Records Exposed: ~2.5 billion (1B in first campaign, 1.5B in second)

Sensitivity of Data: High (PII, credentials, business-sensitive data)

Data Exfiltration: Yes

File Types Exposed: Databases; Support Logs; Configuration Files

Personally Identifiable Information: Yes

Incident : Data Breach SAL0562205100825

Type of Data Compromised: Customer records (Salesforce), User PII (Discord: emails, IPs, government IDs), Source code (Red Hat Git repos), API tokens (Red Hat CERs), Infrastructure details (Red Hat audits), Authentication tokens (Salesloft)

Number of Records Exposed: >1B (Salesforce) + Undisclosed (Discord, Red Hat, Oracle)

Sensitivity of Data: High (PII, Government IDs, Source Code, API Tokens)

File Types Exposed: Salesforce Database Exports; Git Repositories (Red Hat); Customer Support Tickets (Discord); Oracle E-Business Suite Records

Personally Identifiable Information: Discord: Usernames, Emails, IPs, Government ID Images; Salesforce: Customer Data (Varies by Client); Red Hat: Business Contact Information (Limited)

Incident : Data Breach SAL3132231100825

Type of Data Compromised: Customer contact details, IT support information, OAuth tokens, IT configurations, CRM data, Support cases

Number of Records Exposed: Unknown (Hundreds of organizations affected)

Sensitivity of Data: Moderate (Corporate IT and Customer Data)

Personally Identifiable Information: Limited (Primarily Corporate PII)

Incident : Data Breach SAL5002150100925

Number of Records Exposed: 989.45 million (~1 billion)

Data Exfiltration: Claimed by threat actor

Incident : Law Enforcement Takedown SAL4232242101025

Type of Data Compromised: Customer records, Corporate data, Escrow databases, Database backups

Number of Records Exposed: 1+ billion (Salesforce campaign)

Sensitivity of Data: High (Personally Identifiable Information)

Data Exfiltration: Yes (Stolen from Salesforce breaches)

Personally Identifiable Information: Yes

Incident : data breach SAL5602056101125

Number of Records Exposed: one billion (alleged)

Data Exfiltration: alleged

Incident : Forum Takedown SAL4432144101325

Type of Data Compromised: Corporate data, Stolen credentials, Sensitive information (varies by victim)

Sensitivity of Data: High

Data Exfiltration: Yes (via BreachForums)

Personally Identifiable Information: Likely (depends on leaked datasets)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Type of Data Compromised: Potentially PII, CRM data, SaaS configuration details

Sensitivity of Data: High (Enterprise SaaS and cloud infrastructure)

Personally Identifiable Information: Likely (based on target profile)

Incident : Data Breach SAL5090350110725

Type of Data Compromised: PII, Credentials (AWS keys, passwords), Access tokens

Sensitivity of Data: High (PII, credentials)

Data Exfiltration: Yes (OAuth tokens and credentials stolen)

Personally Identifiable Information: Yes (names, financial data, etc.)

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Blocked access to orgs with inadvertent permissions; Restricting Connected App scopes, Searching for exposed secrets in Salesforce data, Rotating compromised credentials, Enforcing IP restrictions; Revoke Compromised OAuth Tokens, Audit and Restrict Connected Apps Permissions, Implement Hardware Security Modules (HSM) for API Keys, Enforce Perfect Forward Secrecy (PFS) for Authentication Tokens, Deploy CAA Records and DANE for Domain Spoofing Prevention; Salesforce Recommendations: Enforce Multi-Factor Authentication (MFA), Apply Principle of Least Privilege, Closely Manage Connected Applications; Patches to prevent AI agents from sending data to untrusted URLs; Enforcing 2FA for OAuth Apps, Patching Salesloft Drift Vulnerabilities, Audit of Third-Party Integrations; Customer notifications, Investigation of OAuth abuse; Reinstated Integration with Security Fixes (Sep 7, 2025); Refusal to pay ransom, Customer notifications; Salesforce: Forensic Analysis, Customer Support, Red Hat: Customer Notifications, Repository Audits, Discord: Affected User Notifications, Password Resets, Oracle: Urged Customers to Apply Patch; Customer Support Outreach, OAuth Token Rotation; Permanent Shutdown of BreachForums, Prevention of Data Leak (Salesforce Campaign Disrupted); Defense-in-Depth Strategy for Caller Verification, Employee Training on Social Engineering and Phishing, Rigorous Communication of Third-Party Request Verification Protocols; Salesforce directed customers to its Trust page for protective steps and denied platform compromise.

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by: blocking access to affected instances; revoking all active access tokens for the Drift app (August 20, 2025), temporarily removing Drift from Salesforce AppExchange; Web Application Firewall (WAF) with rate-limiting for API calls, SIEM correlation of OAuth events with API usage, User and Entity Behavior Analytics (UEBA) deployment, conditional access policies for OAuth apps (IP/device/risk-based); enforcing trusted URL allow-lists for Agentforce/Einstein AI, re-securing the expired domain (my-salesforce-cms.com); revoking compromised OAuth tokens, isolating affected Salesforce instances, disabling Salesloft Drift integrations; supporting potentially affected customers, investigating claims; disabling the Salesloft Drift integration (Aug 28–Sep 7, 2025); Salesforce: disabled malicious OAuth apps, Red Hat: isolated compromised GitLab server, Discord: terminated third-party vendor access, Oracle: emergency patch for CVE-2025-61882; disabling the Drift app integration, token renewal mandate for customers; domain seizure, backend server seizure, nameserver redirection to FBI; domain seizure, disruption of forum operations; ending unsolicited support calls without providing access/information, verifying callers via trusted, on-file contact information, requiring explicit verification from account managers before fulfilling requests.

Ransomware Information

Was ransomware involved in any of the incidents?

Incident : Data Breach SAL729082725

Data Exfiltration: True

Incident : Data Breach SAL5732257091825

Ransom Demanded: Extortion Threats (No Specific Ransom Amount Disclosed)

Data Exfiltration: Yes (Extortion-Based)

Incident : Data Breach SAL5592855100325

Ransom Demanded: Separate Ransoms from Salesforce and Listed Victims; Extortion Threats via Dark Web Leak Site

Data Encryption: No (Data Theft Without Encryption)

Data Exfiltration: Yes (1.5B Records Claimed)

Incident : Extortion SAL2102121100425

Ransom Demanded: $989.45 (for all data)

Ransom Paid: No (as of disclosure)

Data Exfiltration: Claimed

Incident : Extortion SAL4932949100625

Ransom Demanded: $989 million

Data Exfiltration: True

Incident : Data Breach SAL0693606100625

Ransom Demanded: Yes (amount unspecified; deadline: Oct 10, 2025)

Data Encryption: No (extortion-based, not encryption)

Data Exfiltration: Yes

Incident : Data Breach SAL0962109100825

Ransom Demanded: Unspecified (extortion demands to companies or Salesforce)

Ransom Paid: No (Salesforce refused to pay)

Data Encryption: No (data theft, not encryption)

Data Exfiltration: Yes

Incident : Data Breach SAL0562205100825

Ransom Demanded: Unspecified (Threatened Public Leak if Unpaid by October 10, 2025)

Data Exfiltration: True

Incident : Data Breach SAL3132231100825

Ransom Demanded: True

Data Exfiltration: True

Incident : Data Breach SAL5002150100925

Ransom Demanded: Unspecified (extortion demand to Salesforce)

Ransom Paid: No (Salesforce refused)

Data Exfiltration: Claimed (~1 billion records)

Incident : Law Enforcement Takedown SAL4232242101025

Ransom Demanded: Yes (Salesforce Campaign)

Ransom Paid: Unknown (Companies targeted for non-payment)

Data Exfiltration: Yes

Incident : data breach SAL5602056101125

Ransom Demanded: unspecified (threatened leak if unpaid by October 10, 2023, 11:59 p.m. EST)

Data Exfiltration: alleged

Incident : Forum Takedown SAL4432144101325

Data Exfiltration: Yes (as part of extortion schemes)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Data Exfiltration: True

How does the company recover data encrypted by ransomware?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through: Data Backup Restoration (if applicable), Customer Notification Plans, Dark Web Monitoring for Leaked Data; Salesforce: Refused to Pay Ransom, Focused on Defense, Red Hat: Restored GitLab from Backups, Discord: Enhanced Vendor Security Controls; Reactivated SalesLoft Integrations (Except Drift).

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident?

Incident : Data Breach SAL729082725

Regulatory Notifications: Notifications sent to affected organizations (details undisclosed)

Incident : Data Breach SAL5592855100325

Regulations Violated: Potential GDPR (EU), CCPA (California), Sector-Specific Data Protection Laws

Legal Actions: Pending (Potential Class-Action Lawsuits), Regulatory Investigations

Regulatory Notifications: Likely Required (e.g., GDPR 72-Hour Rule); State Attorney General Notifications (USA)

Incident : Extortion SAL2102121100425

Legal Actions: Arrests of UK teens (Scattered Spider members), Ongoing investigations

Incident : Data Breach SAL0693606100625

Legal Actions: 14 Lawsuits Filed by Affected Companies (September 2025)

Incident : Data Breach SAL0562205100825

Regulations Violated: Potential GDPR (EU Customer Data in Salesforce/Discord), Potential CCPA (California Residents), Industry-Specific Compliance (e.g., PCI DSS for Payment Data)

Legal Actions: UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025)

Regulatory Notifications: Salesforce: Notified Customers (No Regulatory Filings Mentioned); Red Hat: Customer Notifications (October 2, 2025); Discord: Affected User Notifications (Ongoing)

Incident : Law Enforcement Takedown SAL4232242101025

Legal Actions: Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S.

Incident : Forum Takedown SAL4432144101325

Legal Actions: Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023)

Incident : Data Breach SAL5090350110725

Legal Actions: Class action lawsuits (e.g., Staci Johnson v. Salesforce)

How does the company ensure compliance with regulatory requirements?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending (Potential Class-Action Lawsuits), Regulatory Investigations, Arrests of UK teens (Scattered Spider members), Ongoing investigations, 14 Lawsuits Filed by Affected Companies (September 2025), UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025), Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S., Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023), Class action lawsuits (e.g., Staci Johnson v. Salesforce).

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Data Breach SAL729082725

Lessons Learned: Non-human identities (NHIs) are persistent, high-privilege targets for attackers. OAuth token abuse can bypass MFA, highlighting the need for stricter access controls. Organizations often lack visibility into NHIs, increasing the risk of exploitation. Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.

Incident : Data Breach SAL5732257091825

Lessons Learned: OAuth tokens and connected applications are high-value targets for attackers. Social engineering and malicious OAuth apps can bypass traditional security controls. Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks. Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations. Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.

Incident : Data Breach SAL5403154092725

Lessons Learned: The incident highlights the need for: (1) Proactive AI security governance, (2) Strict input validation for AI prompts, (3) Domain lifecycle management to prevent expired domain exploitation, (4) Human oversight for AI-agent interactions, and (5) Defense-in-depth for AI-integrated business tools against prompt injection attacks.

Incident : Data Breach SAL5592855100325

Lessons Learned: Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical. OAuth tokens and API keys must be protected with 2FA and strict access controls to prevent abuse. Social engineering (vishing/phishing) remains a highly effective attack vector; employee training and verification protocols are essential. Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for zero-trust architecture and segmentation. Proactive threat hunting and dark web monitoring can help detect stolen data early. Incident response plans must include third-party breach scenarios with clear escalation paths.

Incident : Extortion SAL4932949100625

Lessons Learned: Financially motivated cyber groups can reemerge despite arrests or disbandment claims. Social engineering (e.g., vishing) remains a critical attack vector, bypassing technical safeguards by exploiting human trust. Organizations must enforce stricter access controls, including MFA, IP restrictions, and app permissions.

Incident : Data Breach SAL0693606100625

Lessons Learned: Social engineering and third-party app vulnerabilities can bypass platform-level security. Proactive monitoring of OAuth app installations and third-party integrations is critical. User education on phishing/vishing attacks is essential to mitigate human-error risks.

Incident : Data Breach SAL0562205100825

Lessons Learned: Vishing Remains Effective for OAuth Abuse (Salesforce), Third-Party Vendors Are Critical Attack Vectors (Discord, Salesloft), GitLab Server Hardening Needed (Red Hat), Zero-Day Patching Urgency (Oracle CVE-2025-61882), Extortion Groups Evolve Tactics (Victim-Shaming Blogs, Malware Threats), Cross-Group Collaboration (Scattered Spider + Lapsus$ + ShinyHunters)

Incident : Data Breach SAL3132231100825

Lessons Learned: Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical. OAuth token management requires stricter controls (e.g., rotation, least-privilege access). GitHub account security is a high-value target for attackers; MFA and access logging are essential. Public refusal to pay ransom can deter attackers but may escalate data leak risks.

Incident : Law Enforcement Takedown SAL4232242101025

Lessons Learned: Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation. Data backups can be compromised if stored within seized infrastructure. High-profile data leak threats can accelerate law enforcement action. The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.

Incident : Forum Takedown SAL4432144101325

Lessons Learned: Repeated takedowns erode trust in cybercriminal forums, making them less sustainable. Cybercriminals adapt by shifting to encrypted platforms (e.g., Telegram) for resilience. Coordinated international law enforcement actions can disrupt high-profile cybercrime hubs. The 'era of forums' may be ending, but extortion and data monetization tactics persist.

Incident : Cybercriminal Alliance Formation SAL5402554110625

Lessons Learned: Cybercriminal consolidation enhances operational resilience and technical sophistication. Telegram's role as both a coordination and performative marketing tool amplifies psychological impact. Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors. Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks. Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.

Incident : Data Breach SAL5090350110725

Lessons Learned: Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.

What recommendations were made to prevent future incidents?

Incident : Data Breach SAL729082725

Recommendations: Hardening access controls by restricting Connected App scopes in Salesforce. Conducting audits to identify and secure exposed secrets within Salesforce data. Rotating compromised credentials and enforcing least-privilege access for NHIs. Implementing IP restrictions to limit access to trusted locations. Monitoring for suspicious IP addresses/User-Agent strings associated with attackers. Creating an inventory of non-human identities (NHIs) to improve visibility and security.

Incident : Data Breach SAL5732257091825

Recommendations: Enforce MFA for all user and service accounts, especially those with access to sensitive data. Audit and monitor OAuth applications and connected apps for suspicious activity. Implement the principle of least privilege to limit access to CRM data and APIs. Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog. Monitor for unusual data access patterns, especially in Salesforce environments. Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests. Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement. Develop and test incident response plans for extortion and data breach scenarios.

Incident : Data Breach SAL5403154092725

Recommendations: Implement strict character limits and input sanitization for all AI prompt fields. Enforce allow-lists for all external URLs called by AI agents. Monitor domain registrations for expired trusted domains. Conduct regular red-team exercises for AI systems to test prompt injection resilience. Integrate AI-specific security controls into traditional SOC workflows. Educate developers on secure AI prompt design patterns.

Incident : Data Breach SAL5592855100325

Recommendations:

For Salesforce/Salesloft Customers:
- Immediately revoke and rotate OAuth tokens for all third-party integrations.
- Enforce multi-factor authentication (2FA) for all OAuth applications and admin accounts.
- Conduct a full audit of third-party app permissions in Salesforce and disable unused integrations.
- Implement network segmentation to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta).
- Deploy behavioral analytics and anomaly detection to identify suspicious access patterns.

For All Organizations:
- Assess third-party vendor security with penetration testing and contractually enforce security standards.
- Train employees on social engineering tactics, especially vishing and IT impersonation scams.
- Monitor dark web forums for leaked credentials or mentions of your organization.
- Develop a third-party breach response plan with legal, PR, and technical playbooks.
- Patch promptly: unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.

Incident : Extortion SAL4932949100625

Recommendations: Limit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applications

Incident : Data Breach SAL0693606100625

Recommendations: Enhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication Protocols

Incident : Data Breach SAL0962109100825

Recommendations: Enhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providers

Incident : Data Breach SAL0562205100825

Recommendations: Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)

Incident : Data Breach SAL3132231100825

Recommendations: Conduct third-party security audits for all integrated apps, especially those with OAuth access. Implement automated token rotation and anomaly detection for cloud environments. Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews. Develop a unified incident response plan for supply chain attacks involving multiple vendors. Proactively communicate with customers about breach scope and mitigation steps to maintain trust.

Incident : Law Enforcement Takedown SAL4232242101025

Recommendations: Companies should proactively monitor dark web leak sites for exposed data. Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches). Law enforcement should continue targeting cybercrime infrastructure to disrupt operations. Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'

Incident : Forum Takedown SAL4432144101325

Recommendations: Monitor dark web/Telegram channels for leaked data or extortion attempts. Enhance SaaS and enterprise tenant security to prevent unauthorized access. Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively. Educate employees on phishing and credential theft risks to mitigate initial access brokers.

Incident : Cybercriminal Alliance Formation SAL5402554110625

Recommendations: Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions. Enhance AI-driven phishing/vishing detection for credential harvesting campaigns. Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments. Collaborate with vulnerability brokerage programs to preempt exploit proliferation. Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.

Incident : Data Breach SAL5090350110725

Recommendations: Enhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customers

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:

Non-human identities (NHIs) are persistent, high-privilege targets for attackers. OAuth token abuse can bypass MFA, highlighting the need for stricter access controls. Organizations often lack visibility into NHIs, increasing the risk of exploitation. Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.

OAuth 2.0 connected apps require stricter permission scoping and monitoring; API security must extend beyond authentication to include behavioral analysis; VoIP/Tor-based vishing attacks bypass traditional phishing defenses; segmented C2 infrastructure (Tor + VPN) complicates attribution and takedown.

OAuth tokens and connected applications are high-value targets for attackers. Social engineering and malicious OAuth apps can bypass traditional security controls. Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks. Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations. Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.

The incident highlights the need for: (1) proactive AI security governance, (2) strict input validation for AI prompts, (3) domain lifecycle management to prevent expired domain exploitation, (4) human oversight for AI-agent interactions, and (5) defense-in-depth for AI-integrated business tools against prompt injection attacks.

Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical. OAuth tokens and API keys must be protected with 2FA and strict access controls to prevent abuse. Social engineering (vishing/phishing) remains a highly effective attack vector; employee training and verification protocols are essential. Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for zero-trust architecture and segmentation. Proactive threat hunting and dark web monitoring can help detect stolen data early. Incident response plans must include third-party breach scenarios with clear escalation paths.

Financially motivated cyber groups can reemerge despite arrests or disbandment claims. Social engineering (e.g., vishing) remains a critical attack vector, bypassing technical safeguards by exploiting human trust. Organizations must enforce stricter access controls, including MFA, IP restrictions, and app permissions.

Social engineering and third-party app vulnerabilities can bypass platform-level security. Proactive monitoring of OAuth app installations and third-party integrations is critical. User education on phishing/vishing attacks is essential to mitigate human-error risks.

Vishing remains effective for OAuth abuse (Salesforce); third-party vendors are critical attack vectors (Discord, Salesloft); GitLab server hardening is needed (Red Hat); zero-day patching is urgent (Oracle CVE-2025-61882); extortion groups evolve their tactics (victim-shaming blogs, malware threats); cross-group collaboration (Scattered Spider + Lapsus$ + ShinyHunters).

Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical. OAuth token management requires stricter controls (e.g., rotation, least-privilege access). GitHub account security is a high-value target for attackers; MFA and access logging are essential. Public refusal to pay ransom can deter attackers but may escalate data leak risks.

Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation. Data backups can be compromised if stored within seized infrastructure. High-profile data leak threats can accelerate law enforcement action. The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.

Repeated takedowns erode trust in cybercriminal forums, making them less sustainable. Cybercriminals adapt by shifting to encrypted platforms (e.g., Telegram) for resilience. Coordinated international law enforcement actions can disrupt high-profile cybercrime hubs. The 'era of forums' may be ending, but extortion and data monetization tactics persist.

Social engineering attacks bypass technical vulnerabilities by exploiting human trust. Voice phishing (vishing) is highly effective when attackers impersonate trusted entities (e.g., IT support, vendors). Employees with elevated SaaS access are prime targets for credential theft. Verification protocols for third-party requests must be rigorously enforced. AI tools (e.g., ChatGPT) can enhance the sophistication of phishing content, increasing attack success rates.

Cybercriminal consolidation enhances operational resilience and technical sophistication. Telegram's role as both a coordination and performative marketing tool amplifies psychological impact. Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors. Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks. Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.

Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.

References

Where can I find more information about each incident ?

Incident : Vishing SAL633060625

Source: Google Threat Intelligence Group (GTIG)

Incident : Data Breach SAL729082725

Source: Google Threat Intelligence Group (GTIG) and Mandiant Advisory

Date Accessed: 2025-08-20

Incident : Data Breach SAL729082725

Source: Astrix Security Blog Post

Date Accessed: 2025-08-20

Incident : Data Breach SAL729082725

Source: Hackread.com (Jonathan Sander interview)

URL: https://hackread.com

Date Accessed: 2025-08-20

Incident : Data Breach SAL5732257091825

Source: Google Mandiant Threat Intelligence Report on UNC6040/UNC6395

Incident : Data Breach SAL5732257091825

Source: FBI Advisory on ShinyHunters/Scattered Spider Campaigns

Incident : Data Breach SAL5732257091825

Source: Salesforce Customer Advisory on Mitigation Measures

Incident : Data Breach SAL5732257091825

Source: ShinyHunters Telegram/Leak Site (Evidence of Breach)

Incident : Data Breach SAL5732257091825

Source: Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity)

Incident : Data Breach SAL5403154092725

Source: The Register

URL: https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/

Date Accessed: 2023-09-08

Incident : Data Breach SAL5403154092725

Source: Noma Security Blog

Date Accessed: 2023-09-07

Incident : Data Breach SAL5592855100325

Source: Information Security Media Group (ISMG)

URL: https://www.ismg.com

Date Accessed: 2023-09-15

Incident : Data Breach SAL5592855100325

Source: FBI Cyber Division Advisory (UNC6040)

URL: https://www.fbi.gov

Date Accessed: 2023-09-12

Incident : Data Breach SAL5592855100325

Source: Google Mandiant Defensive Framework

URL: https://www.mandiant.com

Date Accessed: 2023-09-12

Incident : Data Breach SAL5592855100325

Source: Resecurity Report on 'The Com' Cybercrime Collective

URL: https://www.resecurity.com

Date Accessed: 2023-09-10

Incident : Extortion SAL2102121100425

Source: The Register

URL: https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/

Date Accessed: 2024-09-27

Incident : Extortion SAL2102121100425

Source: Salesforce Security Advisory

Date Accessed: 2024-09-26

Incident : Extortion SAL2102121100425

Source: Google Threat Intelligence Group

Date Accessed: 2024-08-08

Incident : Extortion SAL2102121100425

Source: Cloudflare (OAuth Abuse Report)

Date Accessed: 2024-08

Incident : Extortion SAL4932949100625

Source: The Register

Incident : Extortion SAL4932949100625

Source: Google Threat Intelligence Group (GTIG)

Incident : Data Breach SAL0693606100625

Source: Google Threat Intelligence Report (June 2025)

Incident : Data Breach SAL0693606100625

Source: Google Threat Intelligence Report (August 2025)

Incident : Data Breach SAL0693606100625

Source: Salesforce Security Alert (2025)

Incident : Data Breach SAL0693606100625

Source: LinkedIn/Reddit Observations (2025)

Incident : Data Breach SAL0962109100825

Source: BleepingComputer

URL: https://www.bleepingcomputer.com

Date Accessed: 2025-09-17

Incident : Data Breach SAL0962109100825

Source: Bloomberg

URL: https://www.bloomberg.com

Date Accessed: 2025-09-17

Incident : Data Breach SAL0562205100825

Source: KrebsOnSecurity

URL: https://krebsonsecurity.com

Date Accessed: 2025-10

Incident : Data Breach SAL0562205100825

Source: Google Threat Intelligence Group (GTIG)

URL: https://blog.google/threat-analysis-group/

Date Accessed: 2025-06

Incident : Data Breach SAL0562205100825

Source: Mandiant (Charles Carmichael LinkedIn)

URL: https://www.linkedin.com/in/charles-carmichael-mandiant

Date Accessed: 2025-10-05

Incident : Data Breach SAL0562205100825

Source: Red Hat Security Advisory

URL: https://access.redhat.com/security

Date Accessed: 2025-10-02

Incident : Data Breach SAL0562205100825

Source: US Department of Justice (Noah Urban Sentencing)

URL: https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group

Date Accessed: 2025-08

Incident : Data Breach SAL0562205100825

Source: UK National Crime Agency (Scattered Spider Charges)

URL: https://www.nationalcrimeagency.gov.uk/news

Date Accessed: 2025-09

Incident : Data Breach SAL3132231100825

Source: Bloomberg

Incident : Data Breach SAL3132231100825

Source: Google Threat Intelligence Group

Date Accessed: August 2024

Incident : Data Breach SAL5002150100925

Source: Mandiant (Google-owned)

Date Accessed: 2024-06-01

Incident : Data Breach SAL5002150100925

Source: Salesforce Public Statement

Date Accessed: 2024-07-10

Incident : Law Enforcement Takedown SAL4232242101025

Source: BleepingComputer

URL: https://www.bleepingcomputer.com

Date Accessed: 2025-10-09

Incident : Data Breach SAL5602056101125

Source: BreachForums extortion site

Incident : Forum Takedown SAL4432144101325

Source: ITPro

URL: https://www.itpro.com/

Incident : Forum Takedown SAL4432144101325

Source: FBI Press Release (hypothetical)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: GBHackers (GBH)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0')

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa)

Incident : Data Breach SAL5090350110725

Source: The Register

Incident : Data Breach SAL5090350110725

Source: Staci Johnson v. Salesforce (Class Action Complaint)

Incident : Data Breach SAL5090350110725

Source: Google Threat Intelligence Group Analysis

Incident : Data Breach SAL5090350110725

Source: Salesforce Trust Page

URL: https://trust.salesforce.com

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources listed under References above, and in the following sources not listed there: Article on UNC6040 Vishing Campaigns; BleepingComputer, URL: https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/, Date Accessed: 2023-09-15; BleepingComputer, URL: https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/, Date Accessed: 2025-10; Mandiant (Google) Blog Post, URL: https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instances, Date Accessed: 2025-10-21; CyberheistNews Vol 15 #42, URL: https://blog.knowbe4.com/cyberheistnews-vol-15-42-heads-up-fake-support-calls-used-to-breach-your-salesforce-accounts, Date Accessed: 2025-10-21; OpenAI Report on AI-Assisted Phishing, URL: https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/, Date Accessed: 2025-10-21.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach SAL729082725

Investigation Status: Ongoing (as of August 20, 2025)

Incident : Data Breach SAL5732257091825

Investigation Status: Ongoing (FBI and Private Sector Investigations)

Incident : Data Breach SAL5403154092725

Investigation Status: Resolved (Vulnerability patched; no evidence of malicious exploitation)

Incident : Data Breach SAL5592855100325

Investigation Status: Ongoing (FBI, Mandiant, Salesforce, and Affected Companies)

Incident : Extortion SAL2102121100425

Investigation Status: Ongoing (Salesforce, Mandiant, law enforcement)

Incident : Extortion SAL4932949100625

Investigation Status: Ongoing (Salesforce working with external specialists and authorities)

Incident : Data Breach SAL0693606100625

Investigation Status: Ongoing (as of October 2025)

Incident : Data Breach SAL0962109100825

Investigation Status: Ongoing (domain seizure suggests active law enforcement involvement)

Incident : Data Breach SAL0562205100825

Investigation Status: Ongoing (Law Enforcement, Forensic Analysis by Victim Companies)

Incident : Data Breach SAL3132231100825

Investigation Status: Ongoing (SalesLoft has not publicly responded; Salesforce supporting customers)

Incident : Data Breach SAL5002150100925

Investigation Status: Ongoing (Mandiant tracking as UNC6040)

Incident : Law Enforcement Takedown SAL4232242101025

Investigation Status: Ongoing (FBI and French authorities)

Incident : Data Breach SAL5602056101125

Investigation Status: Ongoing (allegations not confirmed by Salesforce or affected companies as of report)

Incident : Forum Takedown SAL4432144101325

Investigation Status: Ongoing (FBI-led, with potential follow-up actions)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Investigation Status: Ongoing (as of 2025-2026)

Incident : Data Breach SAL5090350110725

Investigation Status: Ongoing (lawsuits pending; Salesforce denies platform compromise)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through advisories issued by GTIG/Mandiant, notifications to affected organizations, a public blog post by Astrix Security, Salesforce customer advisories, an FBI public advisory on UNC6040/6395, a public statement to The Register, a blog post by Noma Security, public disclosure via media (ISMG, BleepingComputer), customer advisories (pending), regulatory notifications, a public security advisory, media statements, a public denial of a platform hack, advisories to customers, a public security alert, a denial of direct platform compromise, public statements and customer emails, Salesforce customer advisories (no-negotiation policy), Red Hat public disclosure (October 2, 2025), Discord direct emails to affected users, an Oracle security advisory for CVE-2025-61882, an internal memo (leaked to Bloomberg), a public statement on non-payment of ransom, customer advisories, a public refusal of the ransom demand (email statement), a public announcement via BleepingComputer, a PGP-signed message from ShinyHunters on Telegram, a public announcement by the FBI, media coverage (e.g., ITPro), a Mandiant blog post, a KnowBe4 advisory, public notices, media statements and Trust page updates.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach SAL729082725

Stakeholder Advisories: GTIG/Mandiant advisory, Salesforce/Salesloft notifications to affected organizations.

Customer Advisories: Recommendations for credential rotation and access control hardening

Incident : Data Breach SAL5732257091825

Stakeholder Advisories: Salesforce urgent security advisory, FBI Private Industry Notification (PIN).

Customer Advisories: Salesforce Recommendations for Customers to Secure Environments

Incident : Data Breach SAL5403154092725

Stakeholder Advisories: Salesforce notified customers via public statement and enforced security controls.

Customer Advisories: Customers advised to review AI agent configurations and trusted URL settings.

Incident : Data Breach SAL5592855100325

Stakeholder Advisories: Salesforce security bulletin (pending), vendor notifications to affected customers, regulatory disclosures (e.g., SEC filings for public companies).

Customer Advisories: Recommended: password resets for affected accounts; credit monitoring for exposed PII; phishing awareness alerts

Incident : Extortion SAL2102121100425

Stakeholder Advisories: Salesforce security advisory (2024-09-26)

Customer Advisories: Notifications sent to affected organizations (via Salesforce and Google)

Incident : Extortion SAL4932949100625

Stakeholder Advisories: Salesforce denies a platform hack and states the claims are based on previous/unconfirmed incidents; Google confirmed a resolved breach in June affecting basic SMB data.

Customer Advisories: Salesforce is supporting potentially affected customers; organizations urged to tighten Salesforce security settings

Incident : Data Breach SAL0693606100625

Stakeholder Advisories: Salesforce issued alerts to customers and disabled vulnerable integrations.

Customer Advisories: Customers advised to review OAuth app permissions and monitor for suspicious activity.

Incident : Data Breach SAL0962109100825

Stakeholder Advisories: Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom.

Customer Advisories: Customers advised of potential data leaks and encouraged to monitor for unauthorized access.

Incident : Data Breach SAL0562205100825

Stakeholder Advisories: Salesforce: 'Will Not Negotiate Or Pay Extortion' (October 2025), Red Hat: 'Notify Affected Customers' (October 2, 2025), Discord: 'Limited User Impact, Password Resets Advised' (September 2025).

Customer Advisories: Salesforce: monitor for phishing, enable MFA; Discord: reset passwords, watch for identity theft; Red Hat: audit GitLab access, rotate compromised tokens

Incident : Data Breach SAL3132231100825

Stakeholder Advisories: Salesforce internal memo (leaked to Bloomberg), customer notifications for token renewal.

Customer Advisories: Token renewal instructions; support channels for affected organizations

Incident : Law Enforcement Takedown SAL4232242101025

Customer Advisories: Companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure.

Incident : Forum Takedown SAL4432144101325

Stakeholder Advisories: FBI warnings to potential victims, cybersecurity community alerts.

Customer Advisories: Companies targeted (e.g., Salesforce, Google) likely issued internal advisories

Incident : Data Breach SAL5090350110725

Stakeholder Advisories: Salesforce advised customers to review security practices via its Trust page.

Customer Advisories: Customers (e.g., TransUnion, Farmers Insurance) notified their affected users separately.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: GTIG/Mandiant advisory, Salesforce/Salesloft notifications to affected organizations, recommendations for credential rotation and access control hardening; warnings to users about unsolicited IT support calls requesting OAuth approvals; Salesforce urgent security advisory, FBI Private Industry Notification (PIN), Salesforce recommendations for customers to secure environments; Salesforce notified customers via public statement and enforced security controls, and customers were advised to review AI agent configurations and trusted URL settings; Salesforce security bulletin (pending), vendor notifications to affected customers, regulatory disclosures (e.g., SEC filings for public companies), recommended password resets for affected accounts, credit monitoring for exposed PII, phishing awareness alerts; Salesforce security advisory (2024-09-26), notifications sent to affected organizations (via Salesforce and Google); Salesforce denies a platform hack and states the claims are based on previous/unconfirmed incidents, Google confirmed a resolved breach in June affecting basic SMB data, Salesforce is supporting potentially affected customers, organizations urged to tighten Salesforce security settings; Salesforce issued alerts to customers and disabled vulnerable integrations, and customers were advised to review OAuth app permissions and monitor for suspicious activity; Salesforce emailed customers on 2025-09-17 to warn about extortion threats and its refusal to pay ransom, and customers were advised of potential data leaks and encouraged to monitor for unauthorized access; Salesforce: 'Will not negotiate or pay extortion' (October 2025), Red Hat: 'Notify affected customers' (October 2, 2025), Discord: 'Limited user impact, password resets advised' (September 2025), Salesforce: monitor for phishing and enable MFA, Discord: reset passwords and watch for identity theft, Red Hat: audit GitLab access and rotate compromised tokens; Salesforce internal memo (leaked to Bloomberg), customer notifications for token renewal, token renewal instructions, support channels for affected organizations; companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure; FBI warnings to potential victims, cybersecurity community alerts, and companies targeted (e.g., Salesforce, Google) likely issued internal advisories; verify all third-party support calls via trusted channels, report suspicious calls to IT/security teams immediately, avoid clicking links or sharing credentials in unsolicited communications, customers of affected organizations should monitor for unauthorized access to their data, reset passwords if potentially exposed to phishing attempts; Salesforce advised customers to review security practices via its Trust page, and customers (e.g., TransUnion and Farmers Insurance) notified their affected users separately.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Vishing SAL633060625

Entry Point: Telephone-based social engineering

Incident : Data Breach SAL729082725

Entry Point: Compromised OAuth tokens from Salesloft Drift application

Reconnaissance Period: Likely conducted prior to August 8, 2025 (exact duration undisclosed)

High Value Targets: AWS access keys, Snowflake tokens, customer/opportunity data

Data Sold on Dark Web: AWS access keys, Snowflake tokens, customer/opportunity data

Incident : Data Breach SAL5732257091825

Entry Point: Compromised Salesloft GitHub repository (secrets exposure), malicious OAuth applications (Drift/Salesforce integration)

Reconnaissance Period: At least 1 year (ongoing campaigns)

High Value Targets: Salesforce CRM data, AWS/Snowflake credentials in case records, source code repositories

Data Sold on Dark Web: Salesforce CRM data, AWS/Snowflake credentials in case records, source code repositories

Incident : Data Breach SAL5403154092725

Entry Point: Web-to-Lead Form (Description Field)

High Value Targets: CRM lead data, customer email addresses

Data Sold on Dark Web: CRM lead data, customer email addresses

Incident : Data Breach SAL5592855100325

Entry Point: Salesloft GitHub Repository (Stolen OAuth Tokens)

Reconnaissance Period: 2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence)

Backdoors Established: Persistent access via compromised OAuth tokens; lateral movement to Google Workspace/Microsoft 365

High Value Targets: Salesforce CRM data, customer PII, corporate support case records

Data Sold on Dark Web: Salesforce CRM data, customer PII, corporate support case records

Incident : Extortion SAL2102121100425

Entry Point: OAuth tokens via Salesloft's Drift integration

High Value Targets: Salesforce customer data, CRM environments

Data Sold on Dark Web: Salesforce customer data, CRM environments

Incident : Extortion SAL4932949100625

Entry Point: Telephone social engineering (vishing) to trick users into authorizing malicious Salesforce apps

High Value Targets: Salesforce CRM data, customer records

Data Sold on Dark Web: Salesforce CRM data, customer records

Incident : Data Breach SAL0693606100625

Entry Point: Voice phishing (vishing) calls, malicious OAuth apps, exploited third-party integrations (e.g., Salesloft Drift)

Reconnaissance Period: Several months (attacks reported since June 2025)

High Value Targets: Salesforce user credentials, corporate data from 39 targeted companies

Data Sold on Dark Web: Salesforce user credentials, corporate data from 39 targeted companies

Incident : Data Breach SAL0962109100825

Entry Point: Malicious OAuth applications, stolen Salesloft Drift OAuth tokens

Reconnaissance Period: Late 2024 (first campaign), early August 2025 (second campaign)

High Value Targets: CRM databases, support tickets, credentials/tokens

Data Sold on Dark Web: CRM databases, support tickets, credentials/tokens

Incident : Data Breach SAL0562205100825

Entry Point: Voice phishing calls (Salesforce), compromised third-party vendor (Discord), exploited GitLab misconfiguration (Red Hat), zero-day exploit (Oracle CVE-2025-61882), malicious OAuth app (Salesforce)

Reconnaissance Period: Months (Salesforce campaign planned since early 2025)

Backdoors Established: AsyncRAT trojan (targeted security researchers); persistent GitLab access (Red Hat)

High Value Targets: Fortune 500 Salesforce data, Red Hat Customer Engagement Reports (CERs), Oracle E-Business Suite servers, Discord government ID images

Data Sold on Dark Web: Fortune 500 Salesforce data, Red Hat Customer Engagement Reports (CERs), Oracle E-Business Suite servers, Discord government ID images

Incident : Data Breach SAL3132231100825

Entry Point: SalesLoft GitHub Account (Compromised March–June 2024)

Reconnaissance Period: Likely conducted prior to March 2024 (exact duration unknown)

Backdoors Established: Stolen OAuth tokens (persistent access)

High Value Targets: Salesforce integrations, Drift app AWS environment, customer CRM data

Data Sold on Dark Web: Salesforce integrations, Drift app AWS environment, customer CRM data

Incident : Data Breach SAL5002150100925

Entry Point: Voice Phishing (Vishing) Calls

Reconnaissance Period: Likely conducted prior to May 2024

Backdoors Established: Attacker-controlled app integrated into Salesforce portals

High Value Targets: Salesforce customer data

Data Sold on Dark Web: Salesforce customer data

Incident : Law Enforcement Takedown SAL4232242101025

High Value Targets: Salesforce customer data, corporate databases

Data Sold on Dark Web: Salesforce customer data, corporate databases

Incident : Data Breach SAL5602056101125

High Value Targets: Salesforce customer data (39 large corporations)

Data Sold on Dark Web: Salesforce customer data (39 large corporations)

Incident : Forum Takedown SAL4432144101325

Entry Point: BreachForums (for data trading), compromised SaaS/enterprise accounts (for extortion)

High Value Targets: SaaS platforms (e.g., Salesforce), enterprise tenants (e.g., Google, Disney)

Data Sold on Dark Web: SaaS platforms (e.g., Salesforce), enterprise tenants (e.g., Google, Disney)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Entry Point: AI-automated vishing, spearphishing, credential harvesting

High Value Targets: Salesforce, SaaS providers, cloud infrastructure, database systems

Data Sold on Dark Web: Salesforce, SaaS providers, cloud infrastructure, database systems

Incident : Data Breach SAL5090350110725

Entry Point: Salesloft Drift GitHub repository (compromised in March 2025)

High Value Targets: AWS access keys, Snowflake tokens, Salesforce OAuth tokens

Data Sold on Dark Web: AWS access keys, Snowflake tokens, Salesforce OAuth tokens

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Cyber Attack SAL215719323

Root Causes: Inadvertent permissions

Corrective Actions: Blocked access to orgs with inadvertent permissions

Incident : Data Breach SAL729082725

Root Causes: Overprivileged non-human identities (NHIs) with persistent access; lack of visibility/management of OAuth tokens and connected apps; insufficient restrictions on connected app scopes in Salesforce.

Corrective Actions: Revoke and rotate compromised OAuth tokens; enforce IP restrictions and user-agent monitoring; audit and secure exposed secrets in Salesforce environments; implement inventory and governance for NHIs.

Incident : Data Breach SAL5732257091825

Root Causes: Weak OAuth token management in Drift/Salesloft integrations, lack of MFA for high-risk accounts/applications, excessive privileges granted to connected apps, exposed secrets in public/private repositories (GitHub), inadequate monitoring for anomalous OAuth app activity

Corrective Actions: Salesforce: enforced MFA and least-privilege guidelines for customers; Drift/Salesloft: revoked compromised OAuth tokens and audited integrations; affected companies: initiated credential rotation and access reviews; FBI: shared indicators of compromise (IOCs) for detection

Incident : Data Breach SAL5403154092725

Root Causes: DNS misconfiguration allowing an expired domain (my-salesforce-cms.com) to be purchased by attackers; lack of input validation for AI prompt fields (e.g., the 42,000-character Description field); over-trust in AI agent interactions with external data sources; insufficient URL allow-listing for AI-generated outputs.

Corrective Actions: Enforced trusted URL allow-lists for Agentforce and Einstein AI agents; re-secured the expired domain and implemented domain monitoring; released patches to block data exfiltration via untrusted URLs; public disclosure to raise awareness of AI prompt injection risks.

Incident : Data Breach SAL5592855100325

Root Causes:
1. Weak OAuth security: Salesloft's GitHub repository lacked protection for OAuth tokens, enabling initial access.
2. Third-party risk: the Salesloft Drift integration was not adequately vetted for security vulnerabilities.
3. Social engineering gaps: support staff were tricked into granting access via vishing/phishing (UNC6040 tactics).
4. Lack of 2FA: OAuth applications and admin accounts did not enforce multi-factor authentication.
5. Lateral movement opportunities: poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365, and Okta.

Corrective Actions:
Immediate: revoke all compromised OAuth tokens and enforce 2FA for new tokens; isolate and audit all third-party integrations with Salesforce; reset credentials for affected employees/customers.
Short-term: deploy behavioral analytics to detect anomalous access patterns; conduct phishing/vishing simulations to test employee awareness; implement network segmentation between cloud platforms.
Long-term: establish a third-party risk management program with regular vendor audits; adopt a zero-trust architecture to limit lateral movement; develop a supply-chain breach playbook for future incidents.

Incident : Extortion SAL2102121100425

Root Causes: OAuth token misuse, third-party integration vulnerabilities (Drift), potential insider threats or credential theft

Incident : Extortion SAL4932949100625

Root Causes: Successful vishing attacks exploiting human trust, lack of strict controls on Salesforce app authorizations, insufficient employee awareness of social engineering tactics

Corrective Actions: Enhanced MFA and access controls for Salesforce, stricter monitoring of API data exports, employee training on vishing and social engineering

Incident : Data Breach SAL0693606100625

Root Causes: Successful social engineering (vishing/OAuth app tricks), inadequate security for third-party integrations, lack of real-time monitoring for unauthorized data access

Corrective Actions: Disabled vulnerable integrations temporarily, public awareness campaigns on phishing risks, legal defense against lawsuits

Incident : Data Breach SAL0962109100825

Root Causes: Insufficient OAuth application security, lack of monitoring for anomalous data access, supply chain vulnerability (Salesloft Drift tokens), successful social engineering attacks

Incident : Data Breach SAL0562205100825

Root Causes: Lack of MFA on Salesforce OAuth integrations, insufficient third-party vendor security (Discord), GitLab server misconfiguration (Red Hat), delayed patching (Oracle CVE-2025-61882), social engineering susceptibility (vishing success)

Corrective Actions: Salesforce: stricter OAuth app review process; Discord: vendor security audits; Red Hat: GitLab hardening, token rotation; Oracle: emergency patch deployment; cross-industry: shared threat intelligence on ShinyHunters tactics

Incident : Data Breach SAL3132231100825

Root Causes: Inadequate security controls for Salesloft's GitHub account (e.g., lack of MFA, monitoring); overprivileged OAuth tokens with prolonged validity; lack of segmentation between the Drift app and Salesforce customer environments; delayed detection of the GitHub account compromise (March–June 2024).

Corrective Actions: Salesforce disabled the Drift app and mandated token renewal; Salesloft likely reviewing GitHub security and token management (unconfirmed); affected customers advised to rotate credentials and audit integrations.

Incident : Data Breach SAL5002150100925

Root Causes: Human error (compliance with fraudulent calls), lack of multi-factor authentication for app integrations

Incident : Law Enforcement Takedown SAL4232242101025

Root Causes: Centralized infrastructure (BreachForums) created a single point of failure for cybercriminal operations; underestimation of law enforcement's ability to seize backups and escrow databases; over-reliance on forum-based models for data extortion campaigns.

Corrective Actions: ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or dark-web-only operations; increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots'); potential migration of data leak operations to more secure, less detectable platforms.

Incident : Forum Takedown SAL4432144101325

Root Causes: Lack of sustainable infrastructure for cybercriminal forums under law enforcement pressure; over-reliance on centralized platforms (e.g., BreachForums) vulnerable to seizures; high monetization incentives driving persistent cybercriminal activity.

Corrective Actions: Law enforcement: continue disruptive operations against successor forums; companies: strengthen access controls and monitoring for SaaS/enterprise environments; cybersecurity community: share threat intelligence on emerging extortion tactics.

Incident : Cybercriminal Alliance Formation SAL5402554110625

Root Causes: Exploitation of zero-day vulnerabilities (e.g., CVE-2025-61882); lack of adaptive defenses against AI-driven social engineering; fragmented cybercriminal ecosystems enabling consolidation (e.g., the post-BreachForums vacuum); over-reliance on traditional perimeter security in cloud/SaaS environments.

Corrective Actions: Proactive zero-day patch management and exploit mitigation; behavioral analytics for credential-based attacks; dark web monitoring for emerging threat actor alliances; cross-sector collaboration to disrupt EaaS models.

Incident : Data Breach SAL5090350110725

Root Causes: Social engineering (IT support impersonation), inadequate protection of third-party OAuth tokens (Salesloft Drift), lack of MFA or token rotation policies

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security; checking for specific IP addresses/user-agent strings linked to attackers; real-time API call anomaly detection, geofencing for OAuth authorizations; Google Mandiant (threat intelligence), FBI (advisory & investigation); Mandiant (Google's incident response), Salesforce security team, FBI Cyber Division; Salesforce instance logs, cloud platform (Google Workspace, Microsoft 365, Okta) activity; Mandiant (Google), external cybersecurity experts; external specialists, authorities; Google Threat Intelligence (reported attacks in June and August 2025); Google Threat Intelligence Group (GTIG), Mandiant (malware analysis), law enforcement (FBI, UK NCA); Salesforce: increased logging for OAuth integrations, Red Hat: GitLab access audits; Google Threat Intelligence Group (warnings); likely (implied by Google Threat Intelligence collaboration); Mandiant (Google-owned threat intelligence); French law enforcement (BL2C unit); Europol (in prior operations); Mandiant (Google); monitoring for unauthorized SaaS access.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: blocked access to orgs with inadvertent permissions; revoke and rotate compromised OAuth tokens, enforce IP restrictions and user-agent monitoring, audit and secure exposed secrets in Salesforce environments, implement inventory and governance for NHIs; redesign the OAuth app permission model (least privilege by default), deploy dedicated API security gateways with behavioral analysis, mandate MFA for all OAuth app authorizations, integrate threat intelligence feeds for Tor/VPN-based call origins, establish cross-functional incident response for CRM compromises; Salesforce: enforced MFA and least-privilege guidelines for customers, Drift/Salesloft: revoked compromised OAuth tokens and audited integrations, affected companies: initiated credential rotation and access reviews, FBI: shared indicators of compromise (IOCs) for detection; enforced trusted URL allow-lists for Agentforce and Einstein AI agents, re-secured the expired domain and implemented domain monitoring, released patches to block data exfiltration via untrusted URLs, public disclosure to raise awareness of AI prompt injection risks; immediate: revoke all compromised OAuth tokens and enforce 2FA for new tokens, isolate and audit all third-party integrations with Salesforce, reset credentials for affected employees/customers; short-term: deploy behavioral analytics to detect anomalous access patterns, conduct phishing/vishing simulations to test employee awareness, implement network segmentation between cloud platforms; long-term: establish a third-party risk management program with regular vendor audits, adopt a zero-trust architecture to limit lateral movement, develop a supply-chain breach playbook for future incidents; enhanced MFA and access controls for Salesforce, stricter monitoring of API data exports, employee training on vishing and social engineering; disabled vulnerable integrations temporarily, public awareness campaigns on phishing risks, legal defense against lawsuits; Salesforce: stricter OAuth app review process, Discord: vendor security audits, Red Hat: GitLab hardening and token rotation, Oracle: emergency patch deployment, cross-industry: shared threat intelligence on ShinyHunters tactics; Salesforce disabled the Drift app and mandated token renewal, Salesloft likely reviewing GitHub security and token management (unconfirmed), affected customers advised to rotate credentials and audit integrations; ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or dark-web-only operations, increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots'), potential migration of data leak operations to more secure, less detectable platforms; law enforcement: continue disruptive operations against successor forums, companies: strengthen access controls and monitoring for SaaS/enterprise environments, cybersecurity community: share threat intelligence on emerging extortion tactics; implement mandatory verification steps for all support/vendor calls, deploy AI-driven phishing detection for email and voice channels, expand security awareness training to include vishing simulations, enforce MFA for all SaaS applications, especially Salesforce, audit third-party vendor access and communication protocols; proactive zero-day patch management and exploit mitigation, behavioral analytics for credential-based attacks, dark web monitoring for emerging threat actor alliances, cross-sector collaboration to disrupt EaaS models.

Additional Questions

General Information

Has the company ever paid ransoms ?

Ransom Payment History: The company has paid ransoms in the past.

What was the amount of the last ransom demanded ?

Last Ransom Demanded: The last ransom demand consisted of extortion threats with no specific ransom amount disclosed.

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was recorded as: UNC6040; UNC6395; UNC6040 and UNC6240 (associated extortion specialists); ShinyHunters, Scattered Spider, Lapsus$, UNC6040 (Google Mandiant), UNC6395 (Google Mandiant), Scattered Lapsus$ Hunters; security researchers (Noma Security); Scattered Lapsus$ Hunters (aka ShinyHunters), UNC6040, The Com (English-speaking cybercrime collective); Scattered LAPSUS$ Hunters (SLH), Scattered Spider, ShinyHunters, Lapsus$; Scattered LAPSUS$ Hunters, UNC6040, UNC6240; Shiny Hunters; Scattered Lapsus$ Hunters, ShinyHunters; Name: ShinyHunters (UNC6040), aliases: Scattered LAPSUS$ Hunters, UNC6240, UNC6395, affiliation: Scattered Spider, Lapsus$, The Com (cybercriminal community), nationality: English-speaking (multinational); Name: Crimson Collective, role: claimed responsibility for the Red Hat breach; Name: Clop ransomware gang, role: exploited CVE-2025-61882 prior to public disclosure; ShinyHunters; Scattered LAPSUS$ Hunters, UNC6040 (Mandiant designation); ShinyHunters, Scattered Lapsus$ Hunters; ShinyHunters, Scattered Spider, LAPSUS$, Scattered Lapsus$ Hunters; Baphomet, IntelBroker, ShinyHunters, Scattered Lapsus$ Hunters; UNC6040 (organized criminal gang); Name: Scattered LAPSUS$ Hunters (SLH), aliases: SLH, scattered LAPSUS$ hunters 7.0, affiliated groups: Scattered Spider, ShinyHunters, LAPSUS$, The Com; alias: shinycorp, handles: @sp1d3rhunters, @shinyc0rp, role: principal orchestrator; alias: yuka, handles: none, role: exploit developer, associated malware: BlackLotus UEFI bootkit, Medusa rootkit; alias: Alg0d, handles: none, role: auxiliary operator; alias: UNC5537, handles: none, role: auxiliary operator; operational models: Extortion-as-a-Service (EaaS), crowdsourced extortion, vulnerability brokerage.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-08-18.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-08-20.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were: customer account data, user data, opportunities data, AWS access keys, Snowflake tokens, high-value secrets; CRM data (Salesforce), customer records, sensitive business information, Salesforce Account: 250 million records, Salesforce Contact: 579 million records, Salesforce Opportunity: 171 million records, Salesforce User: 60 million records, Salesforce Case: 459 million records, total: 1.5 billion records; customer lead data, email addresses, potentially other CRM records; personally identifiable information (PII), shipping information, marketing lead data, customer support case records, chat transcripts, flight details, car ownership records, employment histories, passport numbers, full contact information; 1 billion records (claimed by threat actors), customer records (~1 billion), sensitive customer information; nearly 1 billion records (claimed), customer data, support tickets, credentials, API tokens, authentication tokens; Salesforce customer records (>1B), Discord user data (usernames, emails, IP addresses, payment card last 4 digits, government IDs), Red Hat GitLab repositories (28,000+ repos, 5,000+ Customer Engagement Reports, API tokens, infrastructure details), Oracle E-Business Suite data (via CVE-2025-61882), Salesloft authentication tokens (cloud services: Snowflake, AWS); customer contact details, IT support information, access tokens, IT configurations, CRM fields, support cases, integration data; ~1 billion records, corporate data, customer records (1+ billion), escrow databases, database backups (since 2023); one billion records (alleged), hacked/stolen data (traded on BreachForums), leaked corporate data (e.g., Salesforce, Google, Disney, etc.); Salesforce data, sensitive credentials; potential CRM/SaaS/database records (Salesforce and other high-value enterprises); personally identifiable information (PII), AWS access keys, passwords, Snowflake-related access tokens.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant system affected in an incident were Customer Instances and Salesforce corporate accounts; Salesloft Drift application and Salesforce CRM Platforms; Connected Apps Infrastructure; VoIP/Tor Communication Channels and Salesforce CRM; Drift AI Chat/Email Services; Salesloft Platform; GitHub Repository (Salesloft); Connected Applications (AWS, Snowflake, etc.) and Salesforce Agentforce; Einstein Generative AI Agents; Web-to-Lead Feature and Salesforce CRM Instances; Salesloft Drift AI Chatbot; Google Workspace; Microsoft 365; Okta Platforms; GitHub Repository (Salesloft) and Salesforce environments of ~40 companies; Customer data via OAuth abuse and Salesforce CRM environments of ~40 companies and Salesforce User Accounts; Third-Party Integrations (e.g., Salesloft Drift) and Salesforce CRM Instances; SalesLoft Drift Environments and Salesforce Instances (Multiple Fortune 500 Companies); Discord Third-Party Customer Service Provider; Red Hat GitLab Server; Oracle E-Business Suite Servers; Salesloft AI Chatbot Platform and SalesLoft Drift App; Salesforce Integrations; Drift’s AWS Environment; GitHub Account (SalesLoft) and Salesforce Customer Portals and BreachForums Domains; Backend Servers; Database Backups and BreachForums Domain Infrastructure and Salesforce Instances; SaaS Applications and Cloud Infrastructure; SaaS Platforms (e.g., Salesforce); Database Systems and Salesforce CRM (via third-party integration); Salesloft Drift; GitHub repositories.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was google threat intelligence group (gtig), mandiant, astrix security, google mandiant (threat intelligence), fbi (advisory & investigation), mandiant (google’s incident response), salesforce security team, fbi cyber division, mandiant (google), external cybersecurity experts, external specialists, authorities, google threat intelligence (reported attacks in june and august 2025), google threat intelligence group (gtig), mandiant (malware analysis), law enforcement (fbi, uk nca), google threat intelligence group (warnings), mandiant (google-owned threat intelligence), french law enforcement (bl2c unit), europol (in prior operations), mandiant (google).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Blocked access to affected instances, Revoked all active access tokens for Drift app (August 20, 2025); Temporarily removed Drift from Salesforce AppExchange, Web Application Firewall (WAF) with Rate-Limiting for API Calls; SIEM Correlation of OAuth Events with API Usage; User and Entity Behavior Analytics (UEBA) Deployment; Conditional Access Policies for OAuth Apps (IP/Device/Risk-Based), Enforced Trusted URL Allow-Lists for Agentforce/Einstein AI; Re-secured Expired Domain (my-salesforce-cms.com), Revoking Compromised OAuth Tokens; Isolating Affected Salesforce Instances; Disabling Salesloft Drift Integrations, Supporting potentially affected customers; Investigating claims, Disabled Salesloft Drift Integration (Aug 28–Sep 7, 2025), Salesforce: Disabled Malicious OAuth Apps; Red Hat: Isolated Compromised GitLab Server; Discord: Terminated Third-Party Vendor Access; Oracle: Emergency Patch for CVE-2025-61882, Disabled Drift App Integration; Token Renewal Mandate for Customers, Domain Seizure; Backend Server Seizure; Nameserver Redirection to FBI, Domain seizure; Disruption of forum operations, End unsolicited support calls without providing access/information; Verify callers via trusted and on-file contact information; Require explicit verification from account managers before fulfilling requests.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Oracle E-Business Suite Data (Via CVE-2025-61882), Database Backups (since 2023), Nearly 1 billion records (claimed), Chat Transcripts, Shipping Information, Integration Data, 1 billion records (claimed by threat actors), User data, High-value secrets, Hacked/Stolen Data (Traded on BreachForums), Customer account data, Red Hat GitLab Repositories (28,000+ Repos, 5,000+ Customer Engagement Reports, API Tokens, Infrastructure Details), Sensitive Business Information, Passport Numbers, Potentially Other CRM Records, Email Addresses, Marketing Lead Data, Car Ownership Records, Credentials, ~1 billion records, Customer Records, Leaked Corporate Data (e.g., Salesforce, Google, Disney, etc.), CRM Fields, Sensitive Credentials, CRM Data (Salesforce), Snowflake tokens, Customer Lead Data, Discord User Data (Usernames, Emails, IP Addresses, Payment Card Last 4 Digits, Government IDs), Support Cases, Escrow Databases, Salesforce Data, Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises), Flight Details, Sensitive customer information, Personally Identifiable Information (PII), Customer Data, AWS access keys, Customer Contact Details, Access Tokens, Customer Records (1+ billion), Passwords, Opportunities data, IT Support Information, Customer Support Case Records, Full Contact Information, Customer records (~1 billion), IT Configurations, Salesloft Authentication Tokens (Cloud Services: Snowflake, AWS), Corporate Data, one billion records (alleged), Snowflake-related access tokens, Employment Histories, Authentication Tokens, Support Tickets, API Tokens and Salesforce Customer Records (>1B).

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 10.5B.

Ransomware Information

What was the highest ransom demanded in a ransomware incident ?

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was $989 million.

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending (Potential Class-Action Lawsuits), Regulatory Investigations, Arrests of UK teens (Scattered Spider members), Ongoing investigations, 14 Lawsuits Filed by Affected Companies (September 2025), UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025), Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S., Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023), Class action lawsuits (e.g., Staci Johnson v. Salesforce).

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Theatrical branding and narrative control are strategic assets equivalent to technical capabilities; Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Conduct regular security awareness training for social engineering risks, Monitor dark web/Telegram channels for leaked data or extortion attempts., Apply Zero-Day Patches Immediately (Oracle), Deploy behavioral analytics and anomaly detection to identify suspicious access patterns., Assess third-party vendor security with penetration testing and contractually enforce security standards., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Monitor for unusual data access patterns, especially in Salesforce environments., Companies should proactively monitor dark web leak sites for exposed data., Hardening access controls by restricting Connected App scopes in Salesforce., Enhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct third-party security audits for all integrated apps, especially those with OAuth access., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes)., Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Implementing IP restrictions to limit access to trusted locations., Implement the principle of least privilege to limit access to CRM data and APIs., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Mandate multi-factor authentication (MFA), Immediately revoke and rotate OAuth tokens for all third-party integrations., Creating an inventory of non-human identities (NHIs) to improve visibility and security., Monitor for unauthorized data exfiltration in CRM environments, Proactively communicate with customers about breach scope and mitigation steps to maintain trust., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Implement stricter access controls for third-party integrations, Monitor dark web for stolen credentials/tokens, Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.', Develop and test incident response plans for extortion and data breach scenarios., Train employees on social engineering tactics, especially vishing and IT impersonation scams., Rotating compromised credentials and enforcing least-privilege access for NHIs., Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Restrict permissions for third-party applications, Educate developers on secure AI prompt design patterns., Conduct Regular Security Audits of Partner Apps, Improve incident communication to affected customers, Train employees to recognize and report unsolicited access requests, especially via phone or email., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations., Enforce MFA for all user and service accounts, especially those with access to sensitive data., For All Organizations:, Isolate GitLab/Sensitive Repos (Red Hat), Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Integrate AI-specific security controls into traditional SOC workflows., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Improve User Training on Social Engineering Tactics, Monitor Dark Web for Stolen Data (All Victims), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Develop a unified incident response plan for supply chain attacks involving multiple vendors., Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Patch promptly: unpatched software (e.g., Oracle E-Business Suite) is a common attack vector., Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases), Educate employees on phishing and credential theft risks to mitigate initial access brokers., Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Implement strict character limits and input sanitization for all AI prompt fields., Conduct regular social engineering awareness training, Audit Third-Party Vendor Security (Discord, Salesloft), Conduct a full audit of third-party app permissions in Salesforce and disable unused integrations., Limit rights for Data Loader use, Implement network segmentation to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., Implement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Enforce strict control of connected apps in Salesforce, Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Enforce multi-factor authentication (2FA) for all OAuth applications and admin accounts., Enhance OAuth App Vetting Processes, Implement MFA for OAuth Integrations (Salesforce), Implement automated token rotation and anomaly detection for cloud environments., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Monitor dark web forums for leaked credentials or mentions of your organization., Conducting audits to identify and secure exposed secrets within Salesforce data., Implement IP-based access restrictions, Establish Clearer Incident Communication Protocols, Conduct regular red-team exercises for AI systems to test prompt injection resilience., For Salesforce/Salesloft Customers:, Develop a third-party breach response plan with legal, PR, and technical playbooks., Enhance Employee Training on Vishing (Salesforce Customers), Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Review supply chain security for third-party SaaS providers, Monitor for unauthorized API access or data exports, Educate employees on social engineering tactics (e.g., vishing), Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Enhance OAuth application security and monitoring, Prepare Incident Response Playbooks for CRM-Specific Extortion Scenarios and Audit and monitor OAuth applications and connected apps for suspicious activity.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Information Security Media Group (ISMG), LinkedIn/Reddit Observations (2025), CyberheistNews Vol 15 #42, GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa), Google Threat Intelligence Report (June 2025), Salesforce Security Alert (2025), Resecurity Report on 'The Com' Cybercrime Collective, Mandiant (Google) Blog Post, US Department of Justice (Noah Urban Sentencing), Google Threat Intelligence Report (August 2025), Google Threat Intelligence Group, Salesforce Trust Page, Article on UNC6040 Vishing Campaigns, Cloudflare (OAuth Abuse Report), The Register, GBHackers (GBH), Staci Johnson v. Salesforce (Class Action Complaint), Google Threat Intelligence Group (GTIG) and Mandiant Advisory, Hackread.com (Jonathan Sander interview), Google Mandiant Threat Intelligence Report on UNC6040/UNC6395, Salesforce Public Statement, Google Threat Intelligence Group Analysis, Red Hat Security Advisory, Astrix Security Blog Post, Mandiant (Google-owned), ShinyHunters Telegram/Leak Site (Evidence of Breach), KrebsOnSecurity, Google Threat Intelligence Group (GTIG), Bloomberg, Google Mandiant Defensive Framework, UK National Crime Agency (Scattered Spider Charges), BreachForums extortion site, FBI Cyber Division Advisory (UNC6040), OpenAI Report on AI-Assisted Phishing, Noma Security Blog, Mandiant (Charles Carmichael LinkedIn), Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity), ITPro, FBI Advisory on ShinyHunters/Scattered Spider Campaigns, Salesforce Customer Advisory on Mitigation Measures, SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0'), BleepingComputer, Salesforce Security Advisory and FBI Press Release (hypothetical).

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://hackread.com, https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/, https://www.ismg.com, https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/, https://www.fbi.gov, https://www.mandiant.com, https://www.resecurity.com, https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/, https://www.bleepingcomputer.com, https://www.bloomberg.com, https://krebsonsecurity.com, https://blog.google/threat-analysis-group/, https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/, https://www.linkedin.com/in/charles-carmichael-mandiant, https://access.redhat.com/security, https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group, https://www.nationalcrimeagency.gov.uk/news, https://www.itpro.com/, https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instances, https://blog.knowbe4.com/cyberheistnews-vol-15-42-heads-up-fake-support-calls-used-to-breach-your-salesforce-accounts, https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/, https://trust.salesforce.com.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (as of August 20, 2025).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was GTIG/Mandiant advisory, Salesforce/Salesloft notifications to affected organizations, Salesforce Urgent Security Advisory, FBI Private Industry Notification (PIN), Salesforce notified customers via public statement and enforced security controls., Salesforce Security Bulletin (Pending), Vendor Notifications to Affected Customers, Regulatory Disclosures (e.g., SEC Filings for Public Companies), Salesforce security advisory (2024-09-26), Salesforce denies platform hack; claims are based on previous/unconfirmed incidents, Google confirmed a resolved breach in June affecting basic SMB data, Salesforce issued alerts to customers and disabled vulnerable integrations., Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom., Salesforce: 'Will Not Negotiate or Pay Extortion' (October 2025), Red Hat: 'Notify Affected Customers' (October 2, 2025), Discord: 'Limited User Impact, Password Resets Advised' (September 2025), Salesforce internal memo (leaked to Bloomberg), Customer notifications for token renewal, FBI warnings to potential victims, Cybersecurity community alerts, Verify all third-party support calls via trusted channels., Report suspicious calls to IT/security teams immediately., Avoid clicking links or sharing credentials in unsolicited communications., Salesforce advised customers to review security practices via its Trust page.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was Recommendations for credential rotation and access control hardening, Warn Users About Unsolicited IT Support Calls Requesting OAuth Approvals, Salesforce Recommendations for Customers to Secure Environments, Customers advised to review AI agent configurations and trusted URL settings., Recommended: Password Resets for Affected Accounts; Credit Monitoring for Exposed PII; Phishing Awareness Alerts, Notifications sent to affected organizations (via Salesforce and Google), Salesforce is supporting potentially affected customers; Organizations urged to tighten Salesforce security settings, Customers advised to review OAuth app permissions and monitor for suspicious activity., Customers advised of potential data leaks and encouraged to monitor for unauthorized access., Salesforce: Monitor for Phishing, Enable MFA; Discord: Reset Passwords, Watch for Identity Theft; Red Hat: Audit GitLab Access, Rotate Compromised Tokens, Token renewal instructions; Support channels for affected organizations, Companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure., Companies targeted (e.g., Salesforce, Google) likely issued internal advisories, Customers of affected organizations should monitor for unauthorized access to their data. Reset passwords if potentially exposed to phishing attempts., Customers (e.g., TransUnion and Farmers Insurance) notified their affected users separately.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were SalesLoft GitHub Account (Compromised March–June 2024), Telephone-based social engineering, Compromised OAuth tokens from Salesloft Drift application, Web-to-Lead Form (Description Field), Salesloft GitHub Repository (Stolen OAuth Tokens), Salesloft Drift GitHub repository (compromised in March 2025), Voice Phishing (Vishing) Calls, Telephone social engineering (vishing) to trick users into authorizing malicious Salesforce apps and OAuth tokens via Salesloft's Drift integration.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely conducted prior to August 8, 2025 (exact duration undisclosed), Likely Extended (Targeted CRM Platform Mapping), At Least 1 Year (Ongoing Campaigns), 2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence), Several months (attacks reported since June 2025), Late 2024 (first campaign), Early August 2025 (second campaign), Months (Salesforce Campaign Planned Since Early 2025), Likely conducted prior to March 2024 (exact duration unknown), Likely conducted prior to May 2024.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Inadvertent Permissions, Overprivileged non-human identities (NHIs) with persistent access. Lack of visibility/management of OAuth tokens and connected apps. Insufficient restrictions on Connected App scopes in Salesforce., Over-Permissive OAuth Scopes for Connected Apps; Lack of API-Specific Anomaly Detection (e.g., Bulk SOQL Queries); Insufficient User Training on Vishing + OAuth Risks; Gaps in Conditional Access Policies for High-Risk Auth Flows, Weak OAuth Token Management in Drift/Salesloft Integrations; Lack of MFA for High-Risk Accounts/Applications; Excessive Privileges Granted to Connected Apps; Exposed Secrets in Public/Private Repositories (GitHub); Inadequate Monitoring for Anomalous OAuth App Activity, DNS misconfiguration allowing expired domain (my-salesforce-cms.com) to be purchased by attackers. Lack of input validation for AI prompt fields (e.g., 42,000-character description field). Over-trust in AI agent interactions with external data sources. Insufficient URL allow-listing for AI-generated outputs., 1. Weak OAuth Security: Salesloft’s GitHub repository lacked protection for OAuth tokens, enabling initial access. 2. Third-Party Risk: Salesloft Drift integration was not adequately vetted for security vulnerabilities. 3. Social Engineering Gaps: Support staff were tricked into granting access via vishing/phishing (UNC6040 tactics). 4. Lack of 2FA: OAuth applications and admin accounts did not enforce multi-factor authentication. 5. Lateral Movement Opportunities: Poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365, and Okta., OAuth token misuse; Third-party integration vulnerabilities (Drift); Potential insider threats or credential theft, Successful vishing attacks exploiting human trust; Lack of strict controls on Salesforce app authorizations; Insufficient employee awareness of social engineering tactics, Successful Social Engineering (Vishing/OAuth App Tricks); Inadequate Security for Third-Party Integrations; Lack of Real-Time Monitoring for Unauthorized Data Access, Insufficient OAuth application security; Lack of monitoring for anomalous data access; Supply chain vulnerability (SalesLoft Drift tokens); Successful social engineering attacks, Lack of MFA on Salesforce OAuth Integrations; Insufficient Third-Party Vendor Security (Discord); GitLab Server Misconfiguration (Red Hat); Delayed Patching (Oracle CVE-2025-61882); Social Engineering Susceptibility (Vishing Success), Inadequate security controls for SalesLoft’s GitHub account (e.g., lack of MFA, monitoring). Overprivileged OAuth tokens with prolonged validity. Lack of segmentation between Drift app and Salesforce customer environments. Delayed detection of GitHub account compromise (March–June 2024)., Human Error (Compliance with Fraudulent Calls); Lack of Multi-Factor Authentication for App Integrations, Centralized infrastructure (BreachForums) created a single point of failure for cybercriminal operations. Underestimation of law enforcement's ability to seize backups and escrow databases. Over-reliance on forum-based models for data extortion campaigns., Lack of sustainable infrastructure for cybercriminal forums under law enforcement pressure. Over-reliance on centralized platforms (e.g., BreachForums) vulnerable to seizures. High monetization incentives driving persistent cybercriminal activity., Lack of robust verification for unsolicited support calls. Over-reliance on employee trust in voice communications. Insufficient training on social engineering tactics (e.g., vishing). AI-assisted phishing content increasing attack credibility., Exploitation of zero-day vulnerabilities (e.g., CVE-2025-61882). Lack of adaptive defenses against AI-driven social engineering. Fragmented cybercriminal ecosystems enabling consolidation (e.g., post-BreachForums vacuum). Over-reliance on traditional perimeter security in cloud/SaaS environments., Social engineering (IT support impersonation); Inadequate protection of third-party OAuth tokens (Salesloft Drift); Lack of MFA or token rotation policies.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Blocked access to orgs with inadvertent permissions, Revoke and rotate compromised OAuth tokens. Enforce IP restrictions and User-Agent monitoring. Audit and secure exposed secrets in Salesforce environments. Implement inventory and governance for NHIs., Redesign OAuth App Permission Model (Least Privilege by Default); Deploy Dedicated API Security Gateways with Behavioral Analysis; Mandate MFA for All OAuth App Authorizations; Integrate Threat Intelligence Feeds for Tor/VPN-Based Call Origins; Establish Cross-Functional Incident Response for CRM Compromises, Salesforce: Enforced MFA and Least Privilege Guidelines for Customers; Drift/Salesloft: Revoked Compromised OAuth Tokens and Audited Integrations; Affected Companies: Initiated Credential Rotation and Access Reviews; FBI: Shared Indicators of Compromise (IOCs) for Detection, Enforced trusted URL allow-lists for Agentforce and Einstein AI agents. Re-secured expired domain and implemented domain monitoring. Released patches to block data exfiltration via untrusted URLs. Public disclosure to raise awareness of AI prompt injection risks., Immediate: Revoke all compromised OAuth tokens and enforce 2FA for new tokens; Isolate and audit all third-party integrations with Salesforce; Reset credentials for affected employees/customers. Short-Term: Deploy behavioral analytics to detect anomalous access patterns; Conduct phishing/vishing simulations to test employee awareness; Implement network segmentation between cloud platforms. Long-Term: Establish a third-party risk management program with regular vendor audits; Adopt a zero-trust architecture to limit lateral movement; Develop a supply-chain breach playbook for future incidents., Enhanced MFA and access controls for Salesforce; Stricter monitoring of API data exports; Employee training on vishing and social engineering, Disabled Vulnerable Integrations Temporarily; Public Awareness Campaigns on Phishing Risks; Legal Defense Against Lawsuits, Salesforce: Stricter OAuth App Review Process; Discord: Vendor Security Audits; Red Hat: GitLab Hardening, Token Rotation; Oracle: Emergency Patch Deployment; Cross-Industry: Shared Threat Intelligence on ShinyHunters Tactics, Salesforce disabled Drift app and mandated token renewal. SalesLoft likely reviewing GitHub security and token management (unconfirmed). Affected customers advised to rotate credentials and audit integrations., ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or darker web-only operations. Increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots'). Potential migration of data leak operations to more secure, less detectable platforms., Law enforcement: Continue disruptive operations against successor forums. Companies: Strengthen access controls and monitoring for SaaS/enterprise environments. Cybersecurity community: Share threat intelligence on emerging extortion tactics., Implement mandatory verification steps for all support/vendor calls. Deploy AI-driven phishing detection for email and voice channels. Expand security awareness training to include vishing simulations. Enforce MFA for all SaaS applications, especially Salesforce. Audit third-party vendor access and communication protocols., Proactive zero-day patch management and exploit mitigation. Behavioral analytics for credential-based attacks. Dark web monitoring for emerging threat actor alliances. Cross-sector collaboration to disrupt EaaS models.

cve

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leak via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
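An added illustration of the classification bug described above, not Angular's own HttpClient code: the vulnerable rule treats anything without an explicit scheme as same-origin, so a protocol-relative URL receives the token, while the hardened rule resolves the URL against the page origin and compares origins. The page origin, the header-building helper and the audit helper `findProtocolRelativeUrls` are assumptions made for this example.

```javascript
// Added example, not Angular's HttpClient code: a simplified model of the
// XSRF interceptor decision described above. The page origin and the helper
// names are assumptions made for this illustration.

// Vulnerable rule (pre-fix behaviour as described): a request counts as
// cross-origin only when the URL begins with an explicit scheme, so
// '//attacker.example/...' is mistaken for a same-origin request.
function isCrossOriginVulnerable(url) {
  return url.startsWith('http://') || url.startsWith('https://');
}

// Hardened rule: resolve the URL against the page origin with the WHATWG URL
// parser and compare origins. A protocol-relative URL resolves to the other
// host and is classified cross-origin; '/api/...' resolves to the page origin.
function isCrossOriginHardened(url, pageOrigin) {
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch {
    return true; // unparseable target: fail closed, never attach the token
  }
  return target.origin !== new URL(pageOrigin).origin;
}

// Build the outgoing headers the way the interceptor would, using the chosen
// classification rule. Returns the header object so the decision is testable.
function buildRequestHeaders(url, pageOrigin, xsrfToken, isCrossOrigin) {
  const headers = {};
  if (!isCrossOrigin(url, pageOrigin)) {
    headers['X-XSRF-TOKEN'] = xsrfToken; // only for same-origin targets
  }
  return headers;
}

// The advisory's workaround is to avoid protocol-relative URLs altogether.
// This audit helper flags them in a list of configured backend URLs.
function findProtocolRelativeUrls(urls) {
  return urls.filter((u) => u.startsWith('//'));
}

// Constructed sample: one relative API path, one attacker-controlled
// protocol-relative URL, one absolute URL to a different origin.
const PAGE_ORIGIN = 'https://app.example';
const SAMPLE_URLS = ['/api/users', '//attacker.example/collect', 'https://api.example/v1'];
```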

Risk Information
cvss4
Base: 7.7
Severity: HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
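The origin check described above, as an added example that is not Angular's own code: the vulnerable "does the URL spell out a scheme?" test beside the corrected one that also treats protocol-relative URLs as cross-origin, driven through a simulated interceptor. The function names (isCrossOriginVulnerable, isCrossOriginFixed, buildHeaders, urlsReceivingToken, resolvedOrigin), the sample URLs and the token value are this example's own constructions. Note the precondition a practitioner should keep in mind: the token only leaves the origin if an attacker can influence the URL string handed to the HTTP client.

```javascript
// Added example (not Angular's code): the cross-origin test that decides whether
// the XSRF token is attached, in vulnerable and corrected form.
// All names, URLs and the token value below are constructed for illustration.

const XSRF_HEADER = 'X-XSRF-TOKEN';
const TOKEN = 'sample-xsrf-cookie-value';   // constructed; stands in for the XSRF cookie

// Vulnerable test: only URLs that spell out a scheme count as cross-origin.
function isCrossOriginVulnerable(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Corrected test: a protocol-relative URL (//host/path) inherits the page's
// scheme but targets whatever host follows the slashes, so it is cross-origin too.
function isCrossOriginFixed(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://') || lc.startsWith('//');
}

// Simulated interceptor: mutating, same-origin requests get the token header.
function buildHeaders(method, url, isCrossOrigin) {
  const headers = {};
  if (method === 'GET' || method === 'HEAD' || isCrossOrigin(url)) return headers;
  headers[XSRF_HEADER] = TOKEN;
  return headers;
}

// Constructed request targets a hypothetical app at https://app.example might issue.
const SAMPLE_URLS = [
  '/api/orders',                        // same-origin: token expected
  'https://attacker.example/collect',   // absolute cross-origin: no token
  '//attacker.example/collect',         // protocol-relative: resolves to the attacker
  '//ATTACKER.example/collect',         // case does not change the outcome
];

// Which sample URLs would a POST send the token to, under a given origin test?
function urlsReceivingToken(isCrossOrigin) {
  return SAMPLE_URLS.filter(u => XSRF_HEADER in buildHeaders('POST', u, isCrossOrigin));
}

// Where the browser actually sends the request, resolved against the app's origin.
function resolvedOrigin(url, base) {
  return new URL(url, base).origin;
}

console.log('vulnerable check leaks token to:', urlsReceivingToken(isCrossOriginVulnerable));
console.log('fixed check sends token to:     ', urlsReceivingToken(isCrossOriginFixed));
console.log('//attacker.example resolves to: ', resolvedOrigin('//attacker.example/collect', 'https://app.example'));
```

The same shape of check appears in many hand-rolled CSRF interceptors, not only Angular's; any "is this cross-origin?" test that string-matches a scheme prefix should be compared against what `new URL(url, document.baseURI).origin` resolves to, as resolvedOrigin does here.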
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
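Both node-forge issues above come from the same place, an ASN.1 DER reader, so one added example covers them. It is not node-forge's own code: a minimal DER parser that caps nesting depth, so a crafted chain of nested SEQUENCEs is rejected instead of recursing until the stack is exhausted, plus an OBJECT IDENTIFIER decoder in two variants, one that reproduces 32-bit shift truncation and one that accumulates arcs in BigInt. The crafted OID shows the practical consequence of the second bug: a valid encoding of an enormous arc decodes, under truncation, to the same string as rsaEncryption (1.2.840.113549.1.1.1). parseDer, decodeOid, nestedSequence, maxDepth, parsesWithinLimit and MAX_DEPTH are this example's names, and the byte strings are constructed here.

```javascript
// Added example, not node-forge's code: bounded-depth DER parsing and
// overflow-safe OID decoding. Names and sample bytes are this example's own.

const MAX_DEPTH = 32;   // assumption: deeper than any legitimate X.509/CMS structure

// DER length: short form (< 0x80) or long form (0x8N followed by N big-endian bytes).
function readLength(buf, pos) {
  const first = buf[pos];
  if (first < 0x80) return [first, 1];
  const n = first & 0x7f;
  if (n === 0 || n > 4) throw new Error('unsupported DER length encoding');
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + 1 + i];
  return [len, 1 + n];
}

function encodeLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// Parse one TLV at pos. Constructed tags (bit 6 set) recurse into their content,
// but recursion is refused once depth exceeds MAX_DEPTH (the DoS mitigation).
function parseDer(buf, pos = 0, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error(`ASN.1 nesting deeper than ${MAX_DEPTH}`);
  const tag = buf[pos];
  const [len, lenBytes] = readLength(buf, pos + 1);
  const start = pos + 1 + lenBytes, end = start + len;
  if (end > buf.length) throw new Error('DER length exceeds input');
  const node = { tag, end, depth, children: [] };
  if (tag & 0x20) {
    for (let p = start; p < end; ) {
      const child = parseDer(buf, p, depth + 1);
      node.children.push(child);
      p = child.end;
    }
  } else {
    node.value = buf.subarray(start, end);
  }
  return node;
}

function maxDepth(node) { return Math.max(node.depth, ...node.children.map(maxDepth)); }
function parsesWithinLimit(der) { try { parseDer(der); return true; } catch { return false; } }

// Constructed input: SEQUENCE nested `levels` deep around a single NULL.
function nestedSequence(levels) {
  let der = Buffer.from([0x05, 0x00]);
  for (let i = 0; i < levels; i++) {
    der = Buffer.concat([Buffer.from([0x30]), encodeLength(der.length), der]);
  }
  return der;
}

// Decode OID content octets into dotted form. truncating=true mirrors an
// accumulator built with 32-bit `<<` (the bug class above); false uses BigInt.
// Simplification: the first subidentifier (arcs 0 and 1) is assumed to fit one byte.
function decodeOid(content, truncating) {
  const arcs = [Math.floor(content[0] / 40), content[0] % 40];
  let value = truncating ? 0 : 0n;
  for (let i = 1; i < content.length; i++) {
    const b = content[i];
    value = truncating ? (value << 7) + (b & 0x7f) : (value << 7n) + BigInt(b & 0x7f);
    if (!(b & 0x80)) { arcs.push(value.toString()); value = truncating ? 0 : 0n; }
  }
  if (value !== 0 && value !== 0n) throw new Error('OID ends inside an arc');
  return arcs.join('.');
}

// rsaEncryption 1.2.840.113549.1.1.1 as content octets (constructed from the spec).
const RSA_ENCRYPTION = Buffer.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]);
// Same OID with arc 113549 replaced by a valid, much larger arc (2^53 + 113549):
// its leading bits are shifted out of a 32-bit accumulator before the last
// three bytes arrive, so a truncating decoder sees 113549 again.
const CRAFTED = Buffer.from([0x2a, 0x86, 0x48,
  0x90, 0x80, 0x80, 0x80, 0x80, 0x86, 0xf7, 0x0d,
  0x01, 0x01, 0x01]);

console.log('truncating decode of crafted OID:', decodeOid(CRAFTED, true));
console.log('BigInt decode of crafted OID:    ', decodeOid(CRAFTED, false));
console.log('40 nested SEQUENCEs accepted?    ', parsesWithinLimit(nestedSequence(40)));
```

The crafted bytes are canonical DER (no leading 0x80 continuation byte), so a strict encoding check does not reject them; the only defence is to decode arcs without silent wrap-around, or to reject any arc wider than the accumulator. A depth cap of 32 is a reasonable default for certificate and CMS parsing; a parser for arbitrary ASN.1 should make it configurable rather than remove it.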
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=salesforce' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond quickly to zero-day attacks, and shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.