Slack
Company Details
Linkedin ID:
tiny-spec-inc
Website:
Employees number:
2,848
Number of followers:
1,684,661
NAICS:
513
Industry Type:
Homepage:
slack.com
IP Addresses:
0
Company ID:
SLA_4234581
Scan Status:
In-progress
Slack Company CyberSecurity Posture
slack.com
Slack is on a mission to make people's working lives simpler, more pleasant and more productive. It is the productivity platform for customer companies that improves performance by empowering everyone with no-code automation, making search and knowledge sharing seamless, and keeping teams connected and engaged as they move work forward together. As part of Salesforce, Slack is deeply integrated into the Salesforce Customer 360, supercharging productivity across sales, service and marketing teams. To learn more and get started with Slack for free, visit slack.com or connect with us @SlackHQ. Ensuring a diverse and inclusive workplace where we learn from each other is core to Slack’s values. We welcome people of different backgrounds, experiences, abilities and perspectives. We are an equal opportunity employer and a pleasant and supportive place to work. Come do the best work of your life here at Slack.
Slack A.I CyberSecurity Scoring
Slack Risk Score (AI oriented)Between 750 and 799
Slack
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Slack Global Score (TPRM)XXXX
Slack
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Slack Company CyberSecurity News & History
Past Incidents
22
Attack Types
4
Salesforce
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data due to a breach involving third-party integrations (Salesloft Drift). Attackers stole OAuth tokens from Salesloft’s GitHub in March 2025, later exploiting them to access Salesforce systems in July 2025. The breach led to the theft of personally identifiable information (PII), putting victims at risk of identity theft and fraud. Lawsuits, including a class action led by Staci Johnson, allege Salesforce failed to implement adequate security measures, forcing affected individuals to monitor financial accounts and credit reports. While Salesforce denies platform compromise, the attack impacted major clients like TransUnion (4.5M individuals) and Farmers Insurance (1M customers). Google’s analysis confirmed the attack relied on social engineering, impersonating IT support to trick employees into sharing credentials—no inherent Salesforce vulnerability was exploited. The incident highlights risks in third-party integrations and credential theft.
Salesforce
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Salesforce experienced a data breach originating from a third-party provider, **SalesLoft**, specifically via its **Drift app**—an integration used for automated customer communications. The breach was executed by the hacker group **ShinyHunters**, who exploited compromised **GitHub credentials** at SalesLoft between **March and June**, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate **Drift’s AWS environment**, obtaining **OAuth tokens** from multiple customer organizations, including **Cloudflare, Zscaler, Palo Alto Networks, and others**.The stolen data primarily included **customer contact details, basic IT support information, access tokens, and IT configuration details**. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed **CRM fields, support cases, and integration data** across **hundreds of affected organizations**. Salesforce refused to pay ransom demands, emphasizing a **no-negotiation stance** against extortion. The **Drift app remains disabled**, and affected customers were advised to **renew access tokens** to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.
Salesforce
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A widespread data breach in **Salesforce** was uncovered by Google’s Threat Intelligence Group (GTIG) and Mandiant, orchestrated by the threat actor **UNC6395** between **August 8–18, 2025**. The attackers exploited **stolen OAuth tokens** from the **Salesloft Drift** third-party application, bypassing **Multi-Factor Authentication (MFA)** by abusing non-human identities (NHIs). This allowed them to **systematically exfiltrate large volumes of data** from corporate Salesforce accounts, focusing on **customer accounts, user details, and high-value secrets**—including **AWS access keys, Snowflake tokens, and other credentials**. The breach targeted **sensitive customer data**, with attackers deleting query logs to obscure their activity. While **Google Cloud customers were unaffected**, Salesforce and Salesloft responded by **revoking all Drift app tokens** and temporarily removing the app from the **AppExchange** during investigations. The incident highlights a growing trend of **NHI-based attacks**, where persistent, high-privilege non-human identities are exploited to **steal credentials and escalate access**. Organizations were urged to **harden access controls, rotate compromised keys, and enforce IP restrictions** to mitigate future risks. The breach underscores critical gaps in **identity governance**, as many firms lack even basic inventories of NHIs, leaving them vulnerable to such **covert, high-impact exfiltration campaigns**.
Salesforce
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: A financially motivated threat actor group, UNC6040, has been targeting Salesforce customers through voice phishing (Vishing). The group impersonates IT support personnel to trick employees into granting sensitive access or sharing credentials. This campaign has resulted in the compromise of organizational data and subsequent extortion attempts, posing a significant threat to the company's security and reputation.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization's existence
Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also experienced service disruption.
Salesforce (via targeted customers)
Cyber Attack
Rankiteo Explanation
Attack limited on finance or reputation
Description: Google’s Mandiant reported an ongoing social engineering campaign by the criminal gang **UNC6040**, which impersonates IT support personnel via **voice phishing (vishing)** to trick employees—particularly those in English-speaking branches of multinational corporations—into granting access to **Salesforce instances**. The attackers manipulate end-users (often with elevated SaaS access) into clicking malicious links or sharing credentials, leading to **unauthorized data exfiltration from Salesforce environments**. No inherent Salesforce vulnerabilities were exploited; the breach relied entirely on human deception. Mandiant emphasized the need for **defense-in-depth strategies**, including caller verification and strict validation of third-party requests. The attack highlights the persistent risk of **credential theft via social engineering**, with potential exposure of sensitive customer or corporate data stored in Salesforce.
Salesforce (via targeted CRM platforms)
Cyber Attack
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: UNC6040 executed a highly sophisticated **vishing (voice phishing) campaign** targeting enterprise **Customer Relationship Management (CRM) platforms**, particularly **Salesforce**, to perform **large-scale data exfiltration**. The attack leveraged **OAuth 2.0 exploitation**, tricking victims into granting malicious apps **elevated API permissions** (including `api`, `refresh_token`, and full scopes) via spoofed IT support calls. Using **SIP spoofing, VoIP routing via Tor/Mullvad VPN**, and modified **Data Loader applications with custom Python scripts**, the threat actors automated **bulk data extraction** via **SOQL queries and REST API calls**, bypassing detection through rate-limiting. The compromised data likely included **customer records, financial details, and sensitive corporate information**, enabling **persistent access for extortion**. The group’s infrastructure—segmented across **Tor hidden services, commercial VPNs, and bulletproof hosting**—hinted at preparations for a **Data Leak Site (DLS)**, escalating from private ransom demands to **public pressure tactics**. Partnerships with **UNC6240 (ransomware/extortion specialists)** suggest potential **follow-on ransomware or data auction threats**.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The FBI's seizure of **BreachForums**, a hacking forum used by cybercriminal groups like **Scattered Lapsus$ Hunters** (including Baphomet, IntelBroker, and ShinyHunters), has exposed Salesforce as a key target in a series of high-profile attacks. These actors exploited vulnerabilities to breach Salesforce environments, compromising customer data of major corporations such as **Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota**. The stolen data was leaked on BreachForums, where attackers also conducted extortion campaigns, threatening to expose or sell sensitive information unless ransoms were paid. The breach highlights systemic risks in Salesforce’s ecosystem, where third-party integrations and misconfigured access controls enabled attackers to infiltrate high-value SaaS platforms. While the FBI’s takedown disrupted the forum’s operations, the attackers have pivoted to encrypted channels like **Telegram**, continuing their monetization efforts through ransomware, data resale, and targeted extortion. The incident underscores the broader threat to enterprise tenants, where compromised Salesforce instances serve as gateways to wider corporate networks, financial records, and proprietary customer databases. The cumulative impact includes reputational damage, financial losses from extortion, and erosion of trust in cloud-based CRM security.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Salesforce was targeted by the newly formed **Scattered LAPSUS$ Hunters (SLH)**, a federated cybercriminal collective merging the capabilities of **Scattered Spider, ShinyHunters, and LAPSUS$**. The attack involved **AI-driven vishing, spearphishing, and zero-day exploitations** (e.g., **CVE-2025-61882** in Oracle E-Business Suite) to compromise Salesforce’s cloud infrastructure. SLH leveraged **credential harvesting, lateral movement, and privilege escalation** to exfiltrate sensitive data, likely including **customer and enterprise SaaS records**. The group announced the breach on their **Telegram-based data-leak site (DLS)**, using psychological tactics to maximize reputational damage. Given SLH’s **Extortion-as-a-Service (EaaS) model** and history of targeting high-value enterprises, the attack likely resulted in **financial fraud, operational disruption, and erosion of customer trust**. The involvement of actors like **‘yuka’ (linked to BlackLotus UEFI bootkit)** suggests advanced persistence mechanisms, increasing the risk of **long-term data exposure or ransomware deployment**. The breach aligns with SLH’s strategy of **high-impact, brand-damaging extortion**, posing existential threats to Salesforce’s market position and regulatory compliance.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Salesforce is facing a major extortion attempt by a crime syndicate known as **Scattered LAPSUS$ Hunters** (tracked as **UNC6040** by Mandiant), which claims to have stolen approximately **1 billion records** from **dozens of Salesforce customers**, including high-profile companies like **Toyota and FedEx**. The attack began in **May 2024**, with the threat actors using **voice phishing (vishing)** to trick employees into connecting a malicious app to their Salesforce portals. The group created a **dedicated leak site**, demanding a ransom from Salesforce itself—threatening to **publicly dump all stolen customer data** if payment was not made by a specified deadline. Salesforce has **refused to negotiate**, risking potential exposure of sensitive customer records. The stolen data reportedly includes **personal, financial, and corporate information** from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly **1 billion records**—suggests a **systemic compromise** with far-reaching consequences for Salesforce’s client base, including potential **fraud, identity theft, and regulatory penalties**.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Salesforce suffered a **massive data breach** via two distinct campaigns in 2025, orchestrated by threat actors **Scattered Lapsus$ Hunters** and **ShinyHunters**. The first wave (late 2024) involved **social engineering attacks** impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited **stolen SalesLoft Drift OAuth tokens** to pivot into customer CRM environments, exfiltrating **support ticket data, credentials, API tokens, and authentication details**. The attackers claimed to have stolen **~1 billion records** in the first campaign and **1.5 billion records across 760+ companies** in the second, targeting high-profile victims like **Google, Cisco, Disney, FedEx, and Marriott**. A **data leak site** was launched to extort victims, threatening public release if ransoms were unpaid. Salesforce **refused to negotiate or pay**, and the leak site was later **shut down** (potentially via FBI seizure). The breach exposed **sensitive customer and corporate data**, including **authentication tokens, API keys, and support logs**, risking downstream attacks on affected companies. The scale and sophistication of the operation—leveraging **supply-chain and OAuth abuses**—highlighted critical vulnerabilities in Salesforce’s ecosystem, with **prolonged unauthorized access** and **large-scale data exfiltration** as core impacts.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization's existence
Description: The cybercriminal group **Scattered LAPSUS$ Hunters** (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen **1 billion customer records** from **40 companies’ Salesforce environments**. The gang is demanding **$989.45** to prevent the data from being leaked online, setting an **October 10 deadline** for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior **OAuth token abuse campaign** via **Salesloft’s Drift integration**, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to **UNC6040 (Salesforce-related breaches)**. The group had previously announced retirement but reemerged following arrests of UK teens tied to **Scattered Spider**, suggesting operational shifts. The leaked data reportedly includes **customer records**, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a **platform-level vulnerability**, but the extortion attempt escalates pressure on victims.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization’s existence
Description: A cyber gang known as **Scattered LAPSUS$ Hunters** (linked to UNC6040 and UNC6240) has resurfaced, threatening to leak **around a billion customer records** from **40 companies** using Salesforce’s CRM platform unless a **$989 million ransom** is paid by October 10. The attack leverages **telephone social engineering (vishing)**, where criminals impersonate IT staff to trick users into authorizing malicious applications within Salesforce, granting access to sensitive customer data without exploiting technical vulnerabilities. While Salesforce denies a direct platform breach, the group claims to have exfiltrated data via the Salesforce API using custom Python tools, hiding their tracks via VPNs and TOR.Google’s Threat Intelligence Group confirmed a similar **June 2024 breach** in its own Salesforce environment, involving **basic SMB data**, which was swiftly contained. The attackers now employ a **double-extortion model**, with UNC6240 demanding ransoms months post-breach under the guise of **ShinyHunters**, a known data leak collective. The tactics mirror those of **Lapsus$** and **Scattered Spider**, suggesting shared methodologies within the broader cybercriminal network **‘The Com.’** Authorities and external specialists are assisting Salesforce, but the incident underscores persistent threats from financially motivated groups despite prior disruptions.Recommended mitigations include **restricting Data Loader permissions, enforcing MFA, IP-based access controls, and stricter app authorization policies** to prevent unauthorized data exfiltration.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization's existence
Description: The **ShinyHunters** extortion group exploited compromised **Drift OAuth tokens** linked to **Salesloft** to steal over **1.5 billion Salesforce records** from **760 companies**. Attackers used **social engineering and malicious OAuth apps** to infiltrate Salesforce environments, exfiltrating massive CRM data—including **250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records**. The breach originated from a **GitHub repository compromise** at Salesloft, where attackers used **TruffleHog** to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems.The stolen **Case data** was further mined for **AWS keys, Snowflake tokens, and other credentials**, facilitating deeper intrusions into victim networks. High-profile targets allegedly include **Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others**. The attackers demanded **ransom payments** to prevent data leaks, while also **searching for additional secrets** to expand their campaign. The FBI issued an advisory on the threat actors (**UNC6040/6395**), warning of ongoing risks. Salesforce advised customers to enforce **MFA, least-privilege access, and stricter OAuth app management** to mitigate exposure.
Salesforce
Cyber Attack
Rankiteo Explanation
Attack threatening the organization's existence
Description: The cybercriminal group **ShinyHunters** (operating under the alias *Scattered LAPSUS$ Hunters*) executed a **voice phishing (vishing) campaign** in **May 2025**, tricking employees into connecting a malicious app to their **Salesforce portals**. This breach led to the theft of **over a billion customer records** from **dozens of Fortune 500 firms**, including Toyota, FedEx, Disney/Hulu, and UPS. The group threatened to **publicly leak stolen data** unless ransoms were paid by **October 10, 2025**, via a victim-shaming extortion blog. The compromised data included **customer engagement records, internal communications, and sensitive business details**. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader **supply-chain risk**, as the group claimed responsibility for stealing **authentication tokens from Salesloft** (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s actions were linked to **multiple zero-day exploits**, including **CVE-2025-61882** in Oracle’s E-Business Suite, which they weaponized for additional data theft.
Salesforce
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: The FBI seized **BreachForums**, a hacking forum operated by **ShinyHunters**, which was used as a platform for leaking corporate data stolen via **ransomware and extortion campaigns**. Among the targeted victims was **Salesforce**, part of a high-profile breach campaign where hackers claimed to have stolen **over one billion customer records** from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including **all database backups since 2023 and escrow databases**, but emphasized that their **Salesforce data leak was still proceeding as planned**, scheduled for public release. The breach involved **massive customer data exposure**, with the hackers leveraging the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the **dark web leak site remained active**, indicating persistent risk. The attack highlights a **large-scale, coordinated extortion scheme** targeting enterprise-level customer databases, with **potential financial, reputational, and operational fallout** for Salesforce and its clients. The stolen records likely include **sensitive personal and corporate information**, amplifying the severity of the incident.
Salesforce
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The ransomware group **ShinyHunters (Scattered Lapsus$ Hunters)** breached **Salesforce** by exploiting stolen OAuth tokens from **Salesloft Drift’s AI chatbot integration**, compromising **1.5 billion records** across **760 companies** (including Cisco, Disney, and Marriott). The leaked data includes **PII (names, DOBs, passports, employment histories)**, shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated **Salesloft’s GitHub repository**, extracting private source code and OAuth tokens, then laterally moved to **Google Workspace, Microsoft 365, and Okta platforms** of victims. The group demanded **separate ransoms** from Salesforce and listed **39 high-profile victims** on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged **social engineering (vishing, phishing, IT impersonation)** to trick employees into granting access, highlighting vulnerabilities in **third-party supply-chain integrations** and weak **2FA/OAuth security controls**.
Salesforce
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: A cybercriminal collective known as **Scattered Lapsus$ Hunters**—an alliance of the notorious **ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups**—threatened to leak **one billion records** allegedly exfiltrated from **Salesforce’s systems**, targeting **39 of the world’s largest corporations**, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by **October 10, 2023**, would result in the **massive exposure of customer data** across dark web and Clearnet platforms. The breach, if executed, would compromise **sensitive personal and corporate information** of Salesforce’s high-profile clients, leading to **severe reputational damage, financial fraud risks, and potential regulatory penalties**. The threat underscores a **large-scale, coordinated extortion campaign** leveraging ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to **‘target each and every individual customer’** if demands were unmet. The incident highlights the **escalating sophistication of cybercriminal syndicates** in exploiting enterprise vulnerabilities for maximal disruption.
Salesforce
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: Hackers under the alias **Shiny Hunters** claimed to have breached Salesforce systems via **social engineering attacks**, targeting users rather than the platform itself. They allegedly stole **nearly 1 billion records** from **39 companies** (including Adidas, Cisco, FedEx, and Disney) and demanded a ransom by **October 10, 2025**, threatening to leak the data on a dark web site called *Scattered Lapsus$ Hunters*. The breach stemmed from **voice phishing (vishing) attacks** tricking victims into installing malicious OAuth apps and exploiting a **vulnerable integration between Salesloft Drift and Salesforce** (disabled in August 2025). The incident escalated to **14 lawsuits against Salesforce** by September 2025, with critics arguing the company bears responsibility despite the third-party attack vectors. The stolen data includes **sensitive corporate and customer information**, with samples already published as proof. The attack represents a **large-scale, coordinated ransomware-driven data exfiltration campaign** with severe reputational, financial, and operational consequences for Salesforce and its clients.
Salesforce
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A critical vulnerability named **ForcedLeak** was discovered in Salesforce’s **Agentforce** AI platform, enabling external attackers to exploit **prompt injection** via an expired trusted domain (`my-salesforce-cms.com`), purchased for $5. By leveraging the **Web-to-Lead** feature’s unsecured **description field** (42,000-character limit), researchers embedded malicious instructions that tricked AI agents into querying and exfiltrating **sensitive customer lead data**—including email addresses—from Salesforce’s CRM. The attack bypassed traditional security controls by abusing AI’s trust boundaries, sending stolen data to an attacker-controlled server via a crafted HTML snippet. While Salesforce patched the flaw by enforcing **trusted URL allow-lists** and re-securing the expired domain, the vulnerability underscored risks in AI-driven automation, particularly when human oversight is lacking. The exploit, rated **9.4 (Critical)** via CVSS 4.0, highlighted how low-cost domain acquisitions and prompt injection can facilitate large-scale data breaches. Salesforce confirmed no evidence of abuse but acknowledged the evolving threat landscape of AI security.
Slack
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: Slack suffered a security incident that affected some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. The breach happened on December 31st, 2022. The threat actors gained access to Slack's externally hosted GitHub repositories via a limited number of Slack employee tokens that were stolen.
Slack
Vulnerability
Rankiteo Explanation
Attack limited on finance or reputation
Description: Cybersecurity researchers uncovered a vulnerability in Slack’s link-rendering mechanism, where improper spacing between punctuation and text (e.g., `face.book`) could be exploited to generate deceptive hyperlinks. Attackers manipulated Wikipedia articles by inserting maliciously formatted footnotes, tricking Slack into displaying fake links in preview panes. These links, when clicked, redirected victims to malware-hosting sites. Over 1,000 Wikipedia pages were identified as potential vectors. The attack required prior access to a victim’s Slack workspace (e.g., via compromised accounts) and relied on social engineering to lure clicks. While no direct data breaches or financial losses were confirmed, the flaw exposed users to phishing and malware risks, undermining trust in Slack’s platform security. The issue also highlighted broader concerns about Slack’s third-party app integration policies, which could amplify attack surfaces. No evidence suggested large-scale exploitation, but the method’s simplicity and reliance on trusted sources (Wikipedia) increased its potential effectiveness.
Slack Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Slack
Incidents vs Technology, Information and Internet Industry Average (This Year)
Slack has 23.46% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
Slack has 53.85% more incidents than the average of all companies with at least one recorded incident.
Incident Types Slack vs Technology, Information and Internet Industry Avg (This Year)
Slack reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 1 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.
Incident History — Slack (X = Date, Y = Severity)
Slack cyber incidents detection timeline including parent company and subsidiaries
Slack Company Subsidiaries
Slack is on a mission to make people's working lives simpler, more pleasant and more productive. It is the productivity platform for customer companies that improves performance by empowering everyone with no-code automation, making search and knowledge sharing seamless, and keeping teams connected and engaged as they move work forward together. As part of Salesforce, Slack is deeply integrated into the Salesforce Customer 360, supercharging productivity across sales, service and marketing teams. To learn more and get started with Slack for free, visit slack.com or connect with us @SlackHQ. Ensuring a diverse and inclusive workplace where we learn from each other is core to Slack’s values. We welcome people of different backgrounds, experiences, abilities and perspectives. We are an equal opportunity employer and a pleasant and supportive place to work. Come do the best work of your life here at Slack.
Loading...
Slack Similar Companies
e&
We're a global technology group focused on innovation and collaboration to create a better future for all. Since 1976, we've been pioneering new technologies and expanding our reach to more people and places. Today, we provide services to over 163 million customers across 16 countries in the Middle
Sohu.com Inc. (NASDAQ: SOHU) is China's premier online brand and indispensable to the daily life of millions of Chinese, providing a network of web properties and community based/web 2.0 products which offer the vast Sohu user community a broad array of choices regarding information, entertainment a
As the world’s leading local delivery platform, our mission is to deliver an amazing experience, fast, easy, and to your door. We operate in over 70+ countries worldwide, powered by tech but driven by people. As one of Europe’s largest tech platforms, we enable ambitious talent to deliver solutions
Primary School
www.primaryschool.com.au is a directory of sites for students and lesson plans and reference material for teachers and parents. It is currently averaging up to 350,000 unique visitors a month and has over 44,000 subscribers to its free weekly newsletter which showcases the latest internet based reso
At eBay, we create pathways to connect millions of sellers and buyers in more than 190 markets around the world. Our technology empowers our customers, providing everyone the opportunity to grow and thrive — no matter who they are or where they are in the world. And the ripple effect of our work cre
Mercado Livre Brasil
Fundada em 1999, MercadoLivre é uma companhia de tecnologia líder em comércio eletrônico na América Latina. Por meio de suas principais plataformas MercadoLivre.com e MercadoPago.com, oferece soluções de comércio eletrônico para que pessoas e empresas possam comprar, vender, pagar e anunciar produto
NetEase
As a leading internet technology company based in China, NetEase, Inc. (NASDAQ: NTES and HKEX:9999, "NetEase") provides premium online services centered around content creation. With extensive offerings across its expanding gaming ecosystem, NetEase develops and operates some of China's most popula
Arrow Electronics
Arrow Electronics (NYSE:ARW) guides innovation forward for thousands of leading technology manufacturers and service providers. With 2024 sales of $27.9 billion, Arrow develops technology solutions that help improve business and daily life. Our broad portfolio that spans the entire technology lands
Meesho is India’s fastest growing internet commerce company. We want to make eCommerce accessible to all. Our vision is to enable 100 million small businesses in India, including individual entrepreneurs, to succeed online. Our mission is to democratise internet commerce by bringing a range of produ
.png)
Slack CyberSecurity News
November 13, 2025 08:00 AM
Slack as an Operating System? How AI Workflows Are Transforming Teams
Explore how enterprises use Slack as an operating system, building AI workflows and automations that boost productivity and collaboration.
November 06, 2025 08:00 AM
Nikkei’s Slack breach leaks sensitive data from more than 17,000 users
The Nikkei incident highlights the enterprise risks associated with access to enterprise resources from non-enterprise-managed devices.
November 05, 2025 08:00 AM
Nikkei Suffers Breach Via Slack Compromise
The Japanese media giant said employees and business partners were impacted by an attack that compromised Slack account data and chat...
November 05, 2025 08:00 AM
Nikkei Says 17,000 Impacted by Data Breach Stemming From Slack Account Hack
Japanese media giant Nikkei says hackers had gained access to employee Slack accounts, stealing information of 17000 individuals.
September 08, 2025 07:00 AM
FEMA begins security overhauls following cyber incident and employee firings
The agency recently blocked users from accessing multiple websites and made password changes to an internet security tool in efforts to...
September 05, 2025 07:00 AM
New Exploit Bypasses Code Integrity to Backdoor Signal, 1Password, Slack, and More
A new security exploit has been discovered that lets attackers slip malicious code into widely used desktop applications.
August 22, 2025 07:00 AM
NIST Releases New Control Overlays to Manage Cybersecurity Risks in AI Systems
NIST has unveiled a comprehensive initiative to address the growing cybersecurity challenges associated with artificial intelligence...
August 14, 2025 07:00 AM
NIST Releases Control Overlays for Securing AI Systems Concept Paper
NIST has released a concept paper and proposed action plan for developing a series of NIST SP 800-53 Control Overlays for Securing AI...
August 05, 2025 07:00 AM
Salesforce Locks Down Slack Data: Time to Review Your Slack API Terms
by: Hunton Andrews Kurth's Privacy and Cybersecurity, Hunton Andrews Kurth - Privacy and Information Security Law Blog-Hunton Andrews Kurth.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Slack CyberSecurity History Information
Official Website of Slack
The official website of Slack is http://slack.com.
Slack’s AI-Generated Cybersecurity Score
According to Rankiteo, Slack’s AI-generated cybersecurity score is 764, reflecting their Fair security posture.
How many security badges does Slack’ have ?
According to Rankiteo, Slack currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Slack have SOC 2 Type 1 certification ?
According to Rankiteo, Slack is not certified under SOC 2 Type 1.
Does Slack have SOC 2 Type 2 certification ?
According to Rankiteo, Slack does not hold a SOC 2 Type 2 certification.
Does Slack comply with GDPR ?
According to Rankiteo, Slack is not listed as GDPR compliant.
Does Slack have PCI DSS certification ?
According to Rankiteo, Slack does not currently maintain PCI DSS compliance.
Does Slack comply with HIPAA ?
According to Rankiteo, Slack is not compliant with HIPAA regulations.
Does Slack have ISO 27001 certification ?
According to Rankiteo,Slack is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Slack
Slack operates primarily in the Technology, Information and Internet industry.
Number of Employees at Slack
Slack employs approximately 2,848 people worldwide.
Subsidiaries Owned by Slack
Slack presently has no subsidiaries across any sectors.
Slack’s LinkedIn Followers
Slack’s official LinkedIn profile has approximately 1,684,661 followers.
NAICS Classification of Slack
Slack is classified under the NAICS code 513, which corresponds to Others.
Slack’s Presence on Crunchbase
No, Slack does not have a profile on Crunchbase.
Slack’s Presence on LinkedIn
Yes, Slack maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/tiny-spec-inc.
Cybersecurity Incidents Involving Slack
As of December 06, 2025, Rankiteo reports that Slack has experienced 22 cybersecurity incidents.
Number of Peer and Competitor Companies
Slack has an estimated 12,906 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Slack ?
Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Vulnerability, Breach and Ransomware.
How does Slack detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with blocked access to affected instances, and remediation measures with blocked access to orgs with inadvertent permissions, and and third party assistance with google threat intelligence group (gtig), third party assistance with mandiant, third party assistance with astrix security, and containment measures with revoked all active access tokens for drift app (august 20, 2025), containment measures with temporarily removed drift from salesforce appexchange, and remediation measures with restricting connected app scopes, remediation measures with searching for exposed secrets in salesforce data, remediation measures with rotating compromised credentials, remediation measures with enforcing ip restrictions, and communication strategy with advisories issued by gtig/mandiant, communication strategy with notifications to affected organizations, communication strategy with public blog post by astrix security, and enhanced monitoring with checking for specific ip addresses/user-agent strings linked to attackers, and containment measures with web application firewall (waf) with rate-limiting for api calls, containment measures with siem correlation of oauth events with api usage, containment measures with user and entity behavior analytics (ueba) deployment, containment measures with conditional access policies for oauth apps (ip/device/risk-based), and remediation measures with revoke compromised oauth tokens, remediation measures with audit and restrict connected apps permissions, remediation measures with implement hardware security modules (hsm) for api keys, remediation measures with enforce perfect forward secrecy (pfs) for authentication tokens, remediation measures with deploy caa records and dane for domain spoofing prevention, and adaptive behavioral waf with rate-limiting for bulk api operations (e.g., /services/data/v58.0/jobs/query), and network segmentation with isolate crm api endpoints from untrusted networks, and enhanced monitoring with real-time api call anomaly detection, enhanced monitoring with geofencing for oauth authorizations, and third party assistance with google mandiant (threat intelligence), third party assistance with fbi (advisory & investigation), and law enforcement notified with fbi, and remediation measures with salesforce recommendations: enforce multi-factor authentication (mfa), remediation measures with apply principle of least privilege, remediation measures with closely manage connected applications, and communication strategy with salesforce customer advisories, communication strategy with fbi public advisory on unc6040/6395, and and containment measures with enforced trusted url allow-lists for agentforce/einstein ai, containment measures with re-secured expired domain (my-salesforce-cms.com), and remediation measures with patches to prevent ai agents from sending data to untrusted urls, and communication strategy with public statement to the register, communication strategy with blog post by noma security, and incident response plan activated with yes (salesforce, mandiant, and affected companies), and third party assistance with mandiant (google’s incident response), third party assistance with salesforce security team, third party assistance with fbi cyber division, and law enforcement notified with yes (fbi issued advisory on 2023-09-12), and containment measures with revoking compromised oauth tokens, containment measures with isolating affected salesforce instances, containment measures with disabling salesloft drift integrations, and remediation measures with enforcing 2fa for oauth apps, remediation measures with patching salesloft drift vulnerabilities, remediation measures with audit of third-party integrations, and recovery measures with data backup restoration (if applicable), recovery measures with customer notification plans, recovery measures with dark web monitoring for leaked data, and communication strategy with public disclosure via media (ismg, bleepingcomputer), communication strategy with customer advisories (pending), communication strategy with regulatory notifications, and network segmentation with recommended (to limit lateral movement), and enhanced monitoring with salesforce instance logs, enhanced monitoring with cloud platform (google workspace, microsoft 365, okta) activity, and incident response plan activated with yes (salesforce engaged external experts and authorities), and third party assistance with mandiant (google), third party assistance with external cybersecurity experts, and law enforcement notified with yes (us and uk authorities involved), and remediation measures with customer notifications, remediation measures with investigation of oauth abuse, and communication strategy with public security advisory, communication strategy with media statements, and and third party assistance with external specialists, third party assistance with authorities, and and containment measures with supporting potentially affected customers, containment measures with investigating claims, and communication strategy with public denial of platform hack, communication strategy with advisories to customers, and incident response plan activated with yes (salesforce disabled vulnerable salesloft drift integration on aug 28, 2025), and third party assistance with google threat intelligence (reported attacks in june and august 2025), and containment measures with disabled salesloft drift integration (aug 28–sep 7, 2025), and remediation measures with reinstated integration with security fixes (sep 7, 2025), and communication strategy with public security alert issued, communication strategy with denial of direct platform compromise, and incident response plan activated with yes (salesforce notified customers), and law enforcement notified with likely (fbi may have seized extortion domain), and remediation measures with refusal to pay ransom, remediation measures with customer notifications, and communication strategy with public statements and customer emails, and and third party assistance with google threat intelligence group (gtig), third party assistance with mandiant (malware analysis), third party assistance with law enforcement (fbi, uk nca), and and containment measures with salesforce: disabled malicious oauth apps, containment measures with red hat: isolated compromised gitlab server, containment measures with discord: terminated third-party vendor access, containment measures with oracle: emergency patch for cve-2025-61882, and remediation measures with salesforce: forensic analysis, customer support, remediation measures with red hat: customer notifications, repository audits, remediation measures with discord: affected user notifications, password resets, remediation measures with oracle: urged customers to apply patch, and recovery measures with salesforce: refused to pay ransom, focused on defense, recovery measures with red hat: restored gitlab from backups, recovery measures with discord: enhanced vendor security controls, and communication strategy with salesforce: customer advisories (no negotiation policy), communication strategy with red hat: public disclosure (october 2, 2025), communication strategy with discord: direct emails to affected users, communication strategy with oracle: security advisory for cve-2025-61882, and enhanced monitoring with salesforce: increased logging for oauth integrations, enhanced monitoring with red hat: gitlab access audits, and and third party assistance with google threat intelligence group (warnings), and containment measures with disabled drift app integration, containment measures with token renewal mandate for customers, and remediation measures with customer support outreach, remediation measures with oauth token rotation, and recovery measures with reactivated salesloft integrations (except drift), and communication strategy with internal memo (bloomberg-leaked), communication strategy with public statement on non-payment of ransom, communication strategy with customer advisories, and enhanced monitoring with likely (implied by google threat intelligence collaboration), and incident response plan activated with likely (salesforce refused ransom demand), and third party assistance with mandiant (google-owned threat intelligence), and communication strategy with public refusal of ransom demand (email statement), and incident response plan activated with yes (fbi and france's bl2c unit), and third party assistance with french law enforcement (bl2c unit), and law enforcement notified with yes (fbi-led operation), and containment measures with domain seizure, containment measures with backend server seizure, containment measures with nameserver redirection to fbi, and remediation measures with permanent shutdown of breachforums, remediation measures with prevention of data leak (salesforce campaign disrupted), and communication strategy with public announcement via bleepingcomputer, communication strategy with pgp-signed message from shinyhunters on telegram, and incident response plan activated with yes (fbi-led operation), and third party assistance with europol (in prior operations), and law enforcement notified with yes (fbi-led, with international coordination), and containment measures with domain seizure, containment measures with disruption of forum operations, and communication strategy with public announcement by fbi, communication strategy with media coverage (e.g., itpro), and third party assistance with mandiant (google), and containment measures with end unsolicited support calls without providing access/information, containment measures with verify callers via trusted, on-file contact information, containment measures with require explicit verification from account managers before fulfilling requests, and remediation measures with defense-in-depth strategy for caller verification, remediation measures with employee training on social engineering and phishing, remediation measures with rigorous communication of third-party request verification protocols, and communication strategy with mandiant blog post, communication strategy with knowbe4 advisory, and enhanced monitoring with monitoring for unauthorized saas access, and third party assistance with esentire (research/disclosure), and incident response plan activated with yes (salesforce offered support to affected customers), and remediation measures with salesforce directed customers to its trust page for protective steps; denied platform compromise, and communication strategy with public notices, communication strategy with media statements, communication strategy with trust page updates..
Incident Details
Can you provide details on each incident ?
Title: Slack GitHub Code Repository Breach
Description: Slack suffered a security incident that affected some of its private GitHub code repositories.
Date Detected: 2022-12-31
Type: Data Breach
Attack Vector: Stolen Employee Tokens
Vulnerability Exploited: Stolen Employee Tokens
Title: Salesforce 15-Hour Outage Due to Cyber Attack
Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also experienced service disruption.
Type: Cyber Attack
Attack Vector: Database Script Deployment
Vulnerability Exploited: Inadvertent Permissions
Title: UNC6040 Vishing Campaign Targeting Salesforce Customers
Description: A financially motivated threat actor, tracked as UNC6040, is conducting a vishing campaign to compromise organizational data of Salesforce customers and carry out subsequent extortion.
Type: Vishing
Attack Vector: Telephone-based social engineering
Vulnerability Exploited: Human error and social engineering
Threat Actor: UNC6040
Motivation: Financial gain
Title: Widespread Data Breach in Salesforce via OAuth Token Abuse by UNC6395
Description: A widespread data theft campaign targeting Salesforce was carried out by threat actor UNC6395 between August 8 and August 18, 2025. The attackers bypassed MFA by compromising OAuth tokens from the Salesloft Drift third-party application, exporting large volumes of data from corporate Salesforce accounts. Their primary goal was to harvest credentials and high-value 'secrets' like AWS access keys and Snowflake tokens. The breach was detected and mitigated through revocation of access tokens and removal of the Drift app from Salesforce’s AppExchange.
Date Detected: 2025-08-18
Date Publicly Disclosed: 2025-08-20
Date Resolved: 2025-08-20
Type: Data Breach
Attack Vector: OAuth Token AbuseNon-Human Identity (NHI) ExploitationBypassing MFA
Vulnerability Exploited: Compromised OAuth tokens from Salesloft Drift third-party application (no core Salesforce vulnerability)
Threat Actor: UNC6395
Motivation: Data ExfiltrationCredential HarvestingHigh-Value Secrets Theft (e.g., AWS keys, Snowflake tokens)
Title: Sophisticated Vishing Campaigns by UNC6040 Exploiting OAuth and Salesforce APIs for Large-Scale Data Exfiltration
Description: Voice phishing (vishing) campaigns by UNC6040 have reached unprecedented sophistication, leveraging OAuth-based authentication and API exploitation to execute large-scale data exfiltration. The group targets enterprise CRM platforms (e.g., Salesforce) via SIP spoofing, VoIP/Tor routing, and malicious Connected Apps to gain persistent access for extortion. Their infrastructure uses segmented C2 channels (Tor for recon, VPNs like Mullvad for exfiltration) and collaborates with UNC6240 for ransom operations. Countermeasures include Zero Trust API security, WAF rate-limiting, UEBA, and HSM-based key management.
Type: Social Engineering
Attack Vector: Voice Phishing (Vishing)SIP SpoofingOAuth 2.0 ExploitationAPI Abuse (Salesforce SOQL)Malicious Connected AppsVoIP/Tor Routing
Vulnerability Exploited: Trust in IT Support InteractionsSalesforce Connected Apps OAuth Endpoint (/oauth2/authorize)Elevated OAuth Scopes (api, refresh_token, full)Lack of API Rate-Limiting DetectionInsufficient User Behavior Analytics (UBA/UEBA)Weak Conditional Access Policies for OAuth Apps
Threat Actor: UNC6040UNC6240 (associated extortion specialists)
Motivation: Financial GainData ExtortionInitial Access Brokerage (Threat-as-a-Service)
Title: ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records
Description: The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens linked to Salesloft. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating data and extorting victims with ransom demands. The campaigns are tied to groups operating under the names ShinyHunters, Scattered Spider, and Lapsus$ (now calling themselves 'Scattered Lapsus$ Hunters'). In March, an actor breached Salesloft’s GitHub repository, locating secrets—including OAuth tokens for Drift and Drift Email—using the TruffleHog tool. The stolen data spans Salesforce objects including Account, Contact, Opportunity, User, and Case tables. Attackers also searched Case data for secrets like AWS keys and Snowflake tokens to enable further intrusions. Victims allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, and others. The FBI issued an advisory on UNC6040/6395, warning of ongoing campaigns.
Type: Data Breach
Attack Vector: Social EngineeringMalicious OAuth ApplicationsCompromised GitHub RepositoryExploited OAuth Tokens (Drift/Salesloft)Secrets Exposure (TruffleHog)
Vulnerability Exploited: Weak OAuth Token ManagementLack of Multi-Factor Authentication (MFA)Excessive Privileges in Connected ApplicationsExposed Secrets in GitHub Repository
Threat Actor: ShinyHuntersScattered SpiderLapsus$UNC6040 (Google Mandiant)UNC6395 (Google Mandiant)Scattered Lapsus$ Hunters
Motivation: Financial Gain (Extortion)Data Theft for ResaleReputation DamageFurther Intrusion (Credential Harvesting)
Title: ForcedLeak: Salesforce Agentforce AI Prompt Injection Vulnerability
Description: A now-fixed flaw in Salesforce’s Agentforce allowed external attackers to steal sensitive customer data via prompt injection. The vulnerability, dubbed 'ForcedLeak,' exploited a DNS misconfiguration and an expired trusted domain (my-salesforce-cms.com) purchased by researchers for $5. Attackers could inject malicious prompts into the Web-to-Lead form's description field (42,000-character limit), tricking AI agents into querying CRM records and exfiltrating data to an attacker-controlled server. Salesforce patched the issue by enforcing trusted URL allow-lists for Agentforce and Einstein Generative AI agents.
Date Publicly Disclosed: 2023-09-07
Date Resolved: 2023-09-08
Type: Data Breach
Attack Vector: Indirect Prompt InjectionDNS MisconfigurationExpired Trusted Domain Exploitation
Vulnerability Exploited: ForcedLeak (CVE-not-applicable; CVSS v4.0: 9.4 - Critical)
Threat Actor: Security Researchers (Noma Security)
Motivation: Research/Proof-of-Concept (No evidence of malicious exploitation)
Title: Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration
Description: A notorious ransomware group, Scattered Lapsus$ Hunters (aka ShinyHunters), launched a darkweb data-leak site targeting 39 victims—including Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue—whose Salesforce CRM was integrated with the Salesloft Drift AI chatbot. The group claims to have stolen **1.5 billion Salesforce records** from **760 Salesloft Drift-using companies**, with leaked samples confirming exposure of **PII (names, DOBs, nationalities, passport numbers, contact details, employment histories)**, shipping data, marketing leads, support case records, chat transcripts, flight details, and car ownership records. The attack exploited **stolen OAuth tokens** from Salesloft’s GitHub repository, granting access to Salesforce instances and other cloud resources (Google Workspace, Microsoft 365, Okta). The FBI and Google’s Mandiant linked the attacks to **UNC6040**, a threat cluster using **social engineering (vishing, phishing, IT impersonation)** to trick support staff into granting access. ShinyHunters demanded separate ransoms from Salesforce and listed victims, threatening to leak data for non-payment.
Date Detected: 2023-08-08
Date Publicly Disclosed: 2023-09-15
Type: Data Breach
Attack Vector: Stolen OAuth TokensGitHub Repository CompromiseSocial Engineering (Vishing/Phishing)Third-Party Software Exploitation (Salesloft Drift)Lateral Movement to Cloud Platforms (Google Workspace, Microsoft 365, Okta)
Vulnerability Exploited: Weak OAuth Token SecurityLack of Multi-Factor Authentication (2FA) for OAuth AppsUnpatched Third-Party Integrations (Salesloft Drift)Human Error (Support Staff Tricked via Impersonation)
Threat Actor: Scattered Lapsus$ Hunters (aka ShinyHunters)UNC6040The Com (English-speaking cybercrime collective)
Motivation: Financial Gain (Extortion/Ransom)Data Theft for Dark Web SalesReputation Damage
Title: Scattered LAPSUS$ Hunters Extortion Campaign Targeting Salesforce Environments
Description: A threat actor group calling itself Scattered LAPSUS$ Hunters (SLH) has launched a data-leak site listing about 40 companies’ Salesforce environments, demanding $989.45 to prevent the publication of what it claims is about 1 billion stolen records. The group set an October 10 deadline for Salesforce to negotiate payment or face data leakage. The incident is linked to prior OAuth token abuse campaigns via Salesloft's Drift integration, which affected hundreds of organizations. Salesforce denies platform compromise but acknowledges extortion attempts tied to past or unsubstantiated incidents. The group includes members from Scattered Spider, ShinyHunters, and Lapsus$, some of whom were recently arrested in connection with other high-profile attacks.
Date Publicly Disclosed: 2024-09-27
Type: Extortion
Attack Vector: OAuth Token Abuse (via Salesloft's Drift integration)Social EngineeringCredential Stuffing
Vulnerability Exploited: Misconfigured OAuth integrations (historical, via Salesloft's Drift)
Threat Actor: Scattered LAPSUS$ Hunters (SLH)Scattered SpiderShinyHuntersLapsus$
Motivation: Financial GainExtortionReputation Damage
Title: Scattered LAPSUS$ Hunters Extortion Threat Targeting Salesforce CRM Users
Description: A cyber gang previously known as LAPSUS$, now rebranded as Scattered LAPSUS$ Hunters, has resurfaced with a massive extortion threat. The group claims to have accessed data from ~40 companies using Salesforce CRM and demands $989 million to prevent the leak of ~1 billion customer records. The threat involves telephone social engineering (vishing) attacks, where criminals pose as IT staff to trick users into authorizing malicious applications within Salesforce, granting access to sensitive data without exploiting technical vulnerabilities. Salesforce denies its platform was hacked and is assisting affected customers. The group is linked to UNC6040 and UNC6240, with tactics overlapping those of Lapsus$ and Scattered Spider.
Type: Extortion
Attack Vector: Telephone Social Engineering (Vishing)Malicious Application Authorization via Salesforce API
Vulnerability Exploited: Human vulnerability (tricking users into authorizing malicious apps)
Threat Actor: Scattered LAPSUS$ HuntersUNC6040UNC6240
Motivation: Financial gain (extortion)
Title: Shiny Hunters Ransom Demand for Nearly 1 Billion Stolen Salesforce Records
Description: Hackers claiming to be part of the Shiny Hunters group set up a dark web site called 'Scattered Lapsus$ Hunters,' demanding a ransom from 39 companies and Salesforce itself for nearly 1 billion allegedly stolen Salesforce records. The hackers provided a deadline of October 10, 2025, and published samples of stolen data from brands like Adidas, Cisco, FedEx, and Disney. Salesforce attributed the breach to social engineering attacks targeting its users, not a direct compromise of its platform. The incident follows a series of related attacks, including voice phishing (vishing) and exploitation of third-party app integrations (e.g., Salesloft Drift). Fourteen companies filed lawsuits against Salesforce in September 2025 over unauthorized data access.
Date Publicly Disclosed: 2025-10-03
Type: Data Breach
Attack Vector: Social Engineering (Voice Phishing/Vishing)Malicious OAuth ApplicationsThird-Party App Exploitation (Salesloft Drift Integration)
Vulnerability Exploited: Human Error (Tricked into Installing Malicious Apps)Weak Third-Party Integration Security
Threat Actor: Shiny Hunters
Motivation: Financial Gain (Ransom Extortion)Data Theft for Dark Web Sale
Title: Salesforce Data Theft and Extortion Campaigns (2024-2025)
Description: Salesforce confirmed it would not negotiate with or pay ransom to the threat actors behind a massive wave of data theft attacks impacting its customers in 2025. The attacks involved two separate campaigns: (1) social engineering impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances (late 2024), and (2) exploitation of stolen SalesLoft Drift OAuth tokens to pivot to CRM environments and exfiltrate data (August 2025). Threat actors, including 'Scattered Lapsus$ Hunters' and 'ShinyHunters,' claimed to have stolen nearly 1 billion records in the first campaign and 1.5 billion records (760+ companies) in the second. A data leak site was launched to extort 39 companies, including FedEx, Disney, Google, and others, but was later shut down. The FBI may have seized the domain.
Date Publicly Disclosed: 2025-09-17T00:00:00Z
Type: Data Breach
Attack Vector: Social Engineering (OAuth Phishing)Stolen OAuth Tokens (SalesLoft Drift)Supply Chain Compromise
Vulnerability Exploited: OAuth Application AbuseStolen Credentials/API TokensImproper Access Controls
Threat Actor: Scattered Lapsus$ HuntersShinyHunters
Motivation: Financial Gain (Extortion)
Title: ShinyHunters/Scattered LAPSUS$ Hunters Multi-Company Data Breach and Extortion Campaign (2025)
Description: A cybercriminal group (ShinyHunters/Scattered LAPSUS$ Hunters) used voice phishing (vishing) to compromise Salesforce instances of Fortune 500 companies, stealing over a billion records. The group launched a victim-shame blog threatening to leak data unless ransoms were paid. Additional breaches included Discord (via a third-party vendor), Red Hat (GitLab server compromise), and exploitation of a zero-day in Oracle E-Business Suite (CVE-2025-61882). The group also sent malware-laced threats to security researchers and leveraged ASYNCRAT trojan for persistence. Law enforcement actions targeted members, including arrests and extraditions.
Date Detected: 2025-05
Date Publicly Disclosed: 2025-06-01
Type: Data Breach
Attack Vector: Voice Phishing (Vishing)Malicious OAuth App Integration (Salesforce)Exploit of CVE-2025-61882 (Oracle E-Business Suite)Compromised Third-Party Vendor (Discord)GitLab Server Exfiltration (Red Hat)Malware-Laced Emails (ASYNCRAT Trojan)
Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite - Unauthenticated RCE)Salesforce OAuth Misconfiguration (via Vishing)Third-Party Customer Service Provider (Discord)GitLab Server Misconfiguration (Red Hat)
Threat Actor: Name: ShinyHunters (UNC6040), Aliases: ['Scattered LAPSUS$ Hunters', 'UNC6240', 'UNC6395'], Affiliation: ['Scattered Spider', 'Lapsus$', 'The Com (Cybercriminal Community)'], Nationality: English-speaking (Multinational), Name: Crimson Collective, Role: Claimed Responsibility for Red Hat Breach, Name: Clop Ransomware Gang, Role: Exploited CVE-2025-61882 Prior to Public Disclosure.
Motivation: Financial Gain (Extortion)Data Theft for Resale (Dark Web)Reputation Damage (Victim-Shaming)Harassment of Security Researchers
Title: Salesforce Data Breach via SalesLoft's Drift App by ShinyHunters
Description: Salesforce informed customers that it will not pay ransom to hackers (ShinyHunters) threatening to publish stolen customer data. The breach originated from a security incident at third-party provider SalesLoft, specifically its Drift app (integrated with Salesforce for automated customer communications). Attackers accessed SalesLoft’s GitHub account (March–June), stole OAuth tokens linking Drift to Salesforce environments, and penetrated Drift’s AWS environment to exfiltrate data from hundreds of organizations, including Cloudflare, Zscaler, and Palo Alto Networks. Stolen data included customer contact details, IT support info, access tokens, and IT configurations. Salesforce disabled the Drift app and is supporting affected customers without negotiating with attackers.
Type: Data Breach
Attack Vector: Compromised GitHub AccountStolen OAuth TokensAWS Environment InfiltrationThird-Party App Exploitation (Drift)
Vulnerability Exploited: Improper Token ManagementGitHub Account Security WeaknessThird-Party Integration Risks
Threat Actor: ShinyHunters
Motivation: Financial ExtortionData Theft for Dark Web Sale
Title: Salesforce Data Extortion Campaign by Scattered LAPSUS$ Hunters
Description: Salesforce refused to pay an extortion demand made by a crime syndicate (Scattered LAPSUS$ Hunters) claiming to have stolen roughly 1 billion records from dozens of Salesforce customers. The group, tracked as UNC6040 by Mandiant, initiated the campaign in May 2024 by making voice calls to organizations, tricking them into connecting an attacker-controlled app to their Salesforce portals. The group created a website naming affected customers (including Toyota and FedEx) and demanded ransom from Salesforce, threatening to leak the data if unpaid. Salesforce rejected the demand.
Date Detected: 2024-05-01
Date Publicly Disclosed: 2024-06-01
Type: Data Breach
Attack Vector: Voice Phishing (Vishing)Malicious App IntegrationSocial Engineering
Vulnerability Exploited: Human Error (Compliance with Fraudulent Requests)
Threat Actor: Scattered LAPSUS$ HuntersUNC6040 (Mandiant designation)
Motivation: Financial Gain (Extortion)
Title: FBI Seizure of BreachForums Hacking Forum Operated by ShinyHunters
Description: The FBI, in collaboration with law enforcement authorities in France, seized all domains for the BreachForums hacking forum, a platform primarily used by the ShinyHunters group to leak corporate data stolen in ransomware and extortion attacks. The seizure occurred before the Scattered Lapsus$ Hunters hacker could leak data from Salesforce breaches targeting companies that refused to pay ransoms. The operation compromised all BreachForums database backups since 2023, including escrow databases, and seized backend servers. Despite the takedown, the gang's dark web data leak site remains operational, and the Salesforce data leak (affecting over 1 billion customer records from companies like FedEx, Disney, Google, and others) is still scheduled for release. ShinyHunters confirmed no arrests of core admin team members but declared the 'era of forums' over, warning future platforms may be honeypots.
Date Publicly Disclosed: 2025-10-09
Type: Law Enforcement Takedown
Threat Actor: ShinyHuntersScattered Lapsus$ Hunters
Motivation: Financial Gain (Extortion)Data LeakageCybercrime Facilitation
Title: Scattered Lapsus$ Hunters Threatens to Leak One Billion Records Allegedly Stolen from Salesforce Systems
Description: A message on the BreachForums extortion site threatened to leak one billion records allegedly stolen from the Salesforce systems of 39 of the largest companies in the world, including Disney, Toyota, Adidas, McDonald's, IKEA, and Home Depot. The threat was issued by a super-alliance of the ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups, known as Scattered Lapsus$ Hunters. The group vowed to carry out the leak via dark web and Clearnet sites if Salesforce did not pay a ransom by 11:59 p.m. EST on October 10, 2023. The message warned of targeting individual customers of Salesforce if the company failed to comply.
Type: data breach
Threat Actor: ShinyHuntersScattered SpiderLAPSUS$Scattered Lapsus$ Hunters
Motivation: financial gainextortion
Title: FBI Seizes Domains Linked to BreachForums Hacking Forum
Description: The FBI has seized control of domains linked to the BreachForums hacking forum, a platform used by cybercriminals (including groups like Baphomet, IntelBroker, and ShinyHunters) to buy, sell, and trade hacked or stolen data. The forum was used to leak data and conduct extortion attempts against high-profile targets such as Salesforce, Google, Palo Alto Networks, Zscaler, Cloudflare, Disney, Qantas, Air France-KLM, and Toyota. This takedown disrupts a key hub for cybercriminal monetization, recruitment, and targeting across multiple sectors. The operation follows prior seizures in March 2023 and a 2023 joint effort with Europol, though the forum had repeatedly resurfaced. Cybercriminals are now shifting to Telegram for communications and extortion, signaling the 'end of an era' for centralized hacking forums.
Type: Forum Takedown
Threat Actor: BaphometIntelBrokerShinyHuntersScattered Lapsus$ Hunters
Motivation: Financial GainData MonetizationExtortionRecruitment of Collaborators
Title: Social Engineering Attacks Targeting Salesforce Instances via Fake Support Calls
Description: Google's Mandiant reported an ongoing wave of social engineering attacks by the criminal gang UNC6040, targeting organizations' Salesforce instances. The attackers impersonate IT support personnel in voice phishing (vishing) calls to trick employees—particularly those with elevated access to SaaS applications—into granting access or sharing sensitive credentials. The attacks rely on manipulating end-users rather than exploiting Salesforce vulnerabilities. Mandiant observed cases where attackers posed as third-party vendors, providing malicious links to authenticate and exfiltrate data. The threat actor primarily targets English-speaking branches of multinational corporations.
Date Publicly Disclosed: 2025-10-21
Type: Social Engineering
Attack Vector: Voice Phishing (Vishing)Impersonation of IT Support/VendorsMalicious Links
Vulnerability Exploited: Human Error (Social Engineering)
Threat Actor: UNC6040 (Organized Criminal Gang)
Motivation: Financial GainData TheftEspionage (Potential)
Title: Slack Wikipedia Link Rendering Glitch Enables Malware Distribution
Description: Cybersecurity researchers from eSentire discovered a vulnerability in how Slack renders Wikipedia articles, allowing attackers to trick users into opening malware-laden websites by exploiting Slack's link-rendering behavior. The flaw arises when a missing space between a full stop and the next sentence causes Slack to misinterpret text as a domain (e.g., 'face.book' becomes 'http://face.book'). Attackers can edit Wikipedia articles to insert reference footnotes in strategic locations, forcing Slack to generate a non-existent link in its preview pane. This link can later be edited to redirect victims to malicious sites. Over 1,000 Wikipedia pages were found to be vulnerable. The attack requires the victim to use Slack, the attacker to join their workspace (potentially via a compromised account), and social engineering to lure the victim into clicking the link. The method also works on other platforms like Medium, but Wikipedia was targeted due to its perceived authority.
Type: Vulnerability Exploitation
Attack Vector: PhishingLink ManipulationThird-Party Platform Exploitation (Wikipedia/Slack Integration)
Vulnerability Exploited: Slack's link-rendering logic flaw (misinterpreting text as domains when missing spaces after punctuation)
Motivation: Malware DistributionCredential TheftExploiting Trust in Authoritative Sources
Title: Formation of Scattered LAPSUS$ Hunters (SLH) Cybercriminal Collective and Targeting of Salesforce
Description: The cybercriminal underground witnessed a significant consolidation as three notorious threat actors—Scattered Spider, ShinyHunters, and LAPSUS$—formally aligned to create the **Scattered LAPSUS$ Hunters (SLH)**, a federated collective that emerged in **early August 2025**. The alliance operates primarily through **Telegram**, leveraging it as both a coordination tool and a performative marketing channel. SLH announced **Salesforce** as one of its victims, targeting high-value enterprises including SaaS providers. The group exhibits sophisticated technical capabilities, including **AI-automated vishing, spearphishing, exploit development (e.g., CVE-2025-61882, CVE-2025-31324), and zero-day vulnerability brokerage**, while formalizing an **Extortion-as-a-Service (EaaS) model**. Core operators include **'shinycorp' (principal orchestrator)** and **'yuka' (exploit developer linked to BlackLotus UEFI bootkit and Medusa rootkit)**. The collective demonstrates **adaptive resilience** through repeated Telegram channel recreations and centralized decision-making, blending **theatrical brand management** with calculated extortion tactics.
Date Detected: 2025-08-08
Date Publicly Disclosed: 2025-08-08
Type: Cybercriminal Alliance Formation
Attack Vector: AI-automated vishingSpearphishingCredential HarvestingLateral MovementPrivilege EscalationZero-day Exploitation (e.g., CVE-2025-61882, CVE-2025-31324)Exploit BrokerageData ExfiltrationExtortion-as-a-Service (EaaS)
Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite)CVE-2025-31324 (unspecified CRM/DBMS/SaaS target)Zero-day vulnerabilities in cloud infrastructure/SaaS platforms
Threat Actor: Name: Scattered LAPSUS$ Hunters (SLH), Aliases: ['SLH', 'scattered LAPSUS$ hunters 7.0'], Affiliated Groups: ['Scattered Spider', 'ShinyHunters', 'LAPSUS$', 'The Com'], Core Members: [{'alias': 'shinycorp', 'handles': ['@sp1d3rhunters', '@shinyc0rp'], 'role': 'Principal Orchestrator'}, {'alias': 'yuka', 'handles': None, 'role': 'Exploit Developer', 'associated_malware': ['BlackLotus UEFI bootkit', 'Medusa rootkit']}, {'alias': 'Alg0d', 'handles': None, 'role': 'Auxiliary Operator'}, {'alias': 'UNC5537', 'handles': None, 'role': 'Auxiliary Operator'}], Operational Model: ['Extortion-as-a-Service (EaaS)', 'Crowdsourced Extortion', 'Vulnerability Brokerage'].
Motivation: Financial GainReputational CapitalOperational ResilienceNarrative ControlPsychological Impact (Theatrical Branding)
Title: Salesforce Cyberattack Exposing Customer Data via OAuth Token Theft
Description: Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data. The breaches involved the theft of OAuth tokens from the third-party Salesloft Drift app, leading to unauthorized access to Salesforce systems. Attackers used social engineering to impersonate IT support and trick employees into sharing credentials. Salesforce denies its platform was compromised, attributing the issue to third-party vulnerabilities. Lawsuits allege negligence in securing PII, with victims at risk of identity theft.
Date Publicly Disclosed: 2025-07
Type: Data Breach
Attack Vector: Social EngineeringOAuth Token TheftThird-Party Compromise (GitHub/Salesloft Drift)
Vulnerability Exploited: Human error (social engineering via impersonation of IT support); Stolen OAuth tokens from Salesloft Drift
Motivation: Data TheftCredential HarvestingPotential Financial Gain (identity theft/fraud)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Cyber Attack.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Stolen Employee Tokens, Telephone-based social engineering, Compromised OAuth tokens from Salesloft Drift application, Vishing Calls Spoofing IT SupportSIP Spoofing via VoIP/Tor, Compromised Salesloft GitHub Repository (Secrets Exposure)Malicious OAuth Applications (Drift/Salesforce Integration), Web-to-Lead Form (Description Field), Salesloft GitHub Repository (Stolen OAuth Tokens), OAuth tokens via Salesloft's Drift integration, Telephone social engineering (vishing) to trick users into authorizing malicious Salesforce apps, Voice Phishing (Vishing) CallsMalicious OAuth AppsExploited Third-Party Integrations (e.g., Salesloft Drift), Malicious OAuth ApplicationsStolen SalesLoft Drift OAuth Tokens, Voice Phishing Calls (Salesforce)Compromised Third-Party Vendor (Discord)Exploited GitLab Misconfiguration (Red Hat)Zero-Day Exploit (Oracle CVE-2025-61882)Malicious OAuth App (Salesforce), SalesLoft GitHub Account (Compromised March–June 2024), Voice Phishing (Vishing) Calls, BreachForums (for data trading)Compromised SaaS/enterprise accounts (for extortion), Voice Phishing (Vishing) CallsMalicious Links, Compromised Slack account or social engineering to join workspace, AI-automated vishingSpearphishingCredential Harvesting and Salesloft Drift GitHub repository (compromised in March 2025).
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach SLA1946123
Data Compromised: Private github code repositories
Incident : Cyber Attack SAL215719323
Systems Affected: Customer Instances
Downtime: 15 hours
Operational Impact: Service Disruption
Incident : Data Breach SAL729082725
Data Compromised: Customer account data, User data, Opportunities data, Aws access keys, Snowflake tokens, High-value secrets
Systems Affected: Salesforce corporate accountsSalesloft Drift application
Operational Impact: Temporary removal of Drift app from Salesforce AppExchangeRevocation of active access tokens
Brand Reputation Impact: Potential reputational damage due to unauthorized data access and credential theft
Identity Theft Risk: High (due to stolen credentials and secrets)
Incident : Social Engineering SAL815090225
Data Compromised: Crm data (salesforce), Customer records, Sensitive business information
Systems Affected: Salesforce CRM PlatformsConnected Apps InfrastructureVoIP/Tor Communication Channels
Operational Impact: Persistent Unauthorized AccessAutomated Data Exfiltration via APIPotential Extortion Leverage
Brand Reputation Impact: Risk of Public Data Leak via DLS (Data Leak Site)Loss of Customer Trust
Identity Theft Risk: ['High (PII likely exposed via CRM data)']
Incident : Data Breach SAL5732257091825
Data Compromised: Salesforce Account: 2, 5, 0, , m, i, l, l, i, o, n, , r, e, c, o, r, d, s, Salesforce Contact: 5, 7, 9, , m, i, l, l, i, o, n, , r, e, c, o, r, d, s, Salesforce Opportunity: 1, 7, 1, , m, i, l, l, i, o, n, , r, e, c, o, r, d, s, Salesforce User: 6, 0, , m, i, l, l, i, o, n, , r, e, c, o, r, d, s, Salesforce Case: 4, 5, 9, , m, i, l, l, i, o, n, , r, e, c, o, r, d, s, Total: 1, ., 5, , b, i, l, l, i, o, n, , r, e, c, o, r, d, s,
Systems Affected: Salesforce CRMDrift AI Chat/Email ServicesSalesloft PlatformGitHub Repository (Salesloft)Connected Applications (AWS, Snowflake, etc.)
Operational Impact: Unauthorized Data AccessExtortion ThreatsPotential Further Intrusions via Stolen CredentialsReputation Damage for Affected Companies
Brand Reputation Impact: High (Public Disclosure of Breach)Loss of Customer TrustPotential Regulatory Scrutiny
Identity Theft Risk: ['High (PII in Contact/Account Records)', 'Credential Stuffing Risk']
Incident : Data Breach SAL5403154092725
Data Compromised: Customer lead data, Email addresses, Potentially other crm records
Systems Affected: Salesforce AgentforceEinstein Generative AI AgentsWeb-to-Lead Feature
Operational Impact: High (Risk of sensitive data exfiltration via AI agents)
Brand Reputation Impact: Moderate (Public disclosure of critical AI security flaw)
Identity Theft Risk: Potential (Exposed email addresses and lead data)
Incident : Data Breach SAL5592855100325
Data Compromised: Personally identifiable information (pii), Shipping information, Marketing lead data, Customer support case records, Chat transcripts, Flight details, Car ownership records, Employment histories, Passport numbers, Full contact information
Systems Affected: Salesforce CRM InstancesSalesloft Drift AI ChatbotGoogle WorkspaceMicrosoft 365Okta PlatformsGitHub Repository (Salesloft)
Operational Impact: Potential Disruption to CRM OperationsCustomer Data Exposure RisksIncident Response Activation
Brand Reputation Impact: High (Public Data Leak Site)Loss of Customer TrustMedia Scrutiny
Legal Liabilities: Potential GDPR/CCPA ViolationsRegulatory FinesClass-Action Lawsuits
Identity Theft Risk: High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)
Incident : Extortion SAL2102121100425
Data Compromised: 1 billion records (claimed by threat actors)
Systems Affected: Salesforce environments of ~40 companiesCustomer data via OAuth abuse
Brand Reputation Impact: High (public extortion threats, media coverage)
Identity Theft Risk: Potential (if PII was exposed)
Incident : Extortion SAL4932949100625
Data Compromised: Customer records (~1 billion), Sensitive customer information
Systems Affected: Salesforce CRM environments of ~40 companies
Brand Reputation Impact: Potential reputational damage to Salesforce and affected companies
Identity Theft Risk: High (due to compromised customer data)
Incident : Data Breach SAL0693606100625
Data Compromised: Nearly 1 billion records (claimed)
Systems Affected: Salesforce User AccountsThird-Party Integrations (e.g., Salesloft Drift)
Operational Impact: Disruption of Third-Party Integrations (Aug 28–Sep 7, 2025)Legal Actions (14 Lawsuits Filed)
Customer Complaints: High (across online platforms like LinkedIn and Reddit)
Brand Reputation Impact: Severe (described as a 'slow-motion train wreck' by observers; criticism over accountability)
Legal Liabilities: 14 Lawsuits Filed by Affected Companies (as of September 2025)
Identity Theft Risk: High (PII likely included in stolen data)
Incident : Data Breach SAL0962109100825
Data Compromised: Customer data, Support tickets, Credentials, Api tokens, Authentication tokens
Systems Affected: Salesforce CRM InstancesSalesLoft Drift Environments
Operational Impact: Potential infrastructure breaches due to stolen credentials/tokens
Brand Reputation Impact: High (public extortion of major brands)
Identity Theft Risk: High (PII and credentials exposed)
Incident : Data Breach SAL0562205100825
Data Compromised: Salesforce customer records (>1b), Discord user data (usernames, emails, ip addresses, payment card last 4 digits, government ids), Red hat gitlab repositories (28,000+ repos, 5,000+ customer engagement reports, api tokens, infrastructure details), Oracle e-business suite data (via cve-2025-61882), Salesloft authentication tokens (cloud services: snowflake, aws)
Systems Affected: Salesforce Instances (Multiple Fortune 500 Companies)Discord Third-Party Customer Service ProviderRed Hat GitLab ServerOracle E-Business Suite ServersSalesloft AI Chatbot Platform
Operational Impact: Forensic Investigations (Salesforce, Red Hat, Discord)Customer Notifications (Ongoing)Regulatory ScrutinyReputation Damage for Victim Companies
Customer Complaints: Expected (Due to Data Leak Threats)
Brand Reputation Impact: Salesforce (Extortion Refusal Publicized)Fortune 500 Victims (Named on Victim-Shame Blog)Red Hat (Trust Erosion Due to GitLab Breach)Discord (User Privacy Concerns)
Legal Liabilities: Potential GDPR/CCPA Violations (Discord, Salesforce Customers)Regulatory Fines (Pending Investigations)Lawsuits from Affected Individuals
Identity Theft Risk: High (Discord Government IDs, Payment Data)
Payment Information Risk: Moderate (Discord: Last 4 Digits of Cards)
Incident : Data Breach SAL3132231100825
Data Compromised: Customer contact details, It support information, Access tokens, It configurations, Crm fields, Support cases, Integration data
Systems Affected: SalesLoft Drift AppSalesforce IntegrationsDrift’s AWS EnvironmentGitHub Account (SalesLoft)
Operational Impact: Disabled Drift App IntegrationToken Renewal Required for CustomersOngoing Customer Support Efforts
Brand Reputation Impact: Public Refusal to Pay RansomThird-Party Trust ErosionMedia Coverage (Bloomberg, Google Threat Intelligence)
Identity Theft Risk: ['Low (Primarily Corporate Data)']
Incident : Data Breach SAL5002150100925
Data Compromised: ~1 billion records
Systems Affected: Salesforce Customer Portals
Brand Reputation Impact: High (Public extortion threat and data leak risk)
Identity Theft Risk: Potential (depends on compromised data types)
Incident : Law Enforcement Takedown SAL4232242101025
Data Compromised: Corporate data, Customer records (1+ billion), Escrow databases, Database backups (since 2023)
Systems Affected: BreachForums DomainsBackend ServersDatabase Backups
Downtime: ['BreachForums (Permanent)', 'Forum Infrastructure (Seized)']
Operational Impact: Termination of BreachForums OperationsDisruption of Cybercrime EcosystemLoss of Trust in Hacking Forums
Brand Reputation Impact: Negative (for Affected Companies)Loss of Anonymity for Cybercriminals
Legal Liabilities: Potential Charges for BreachForums Admins (e.g., Kai West aka 'IntelBroker')Regulatory Scrutiny for Affected Companies
Identity Theft Risk: ['High (1+ billion customer records exposed)']
Incident : data breach SAL5602056101125
Data Compromised: one billion records (alleged)
Brand Reputation Impact: high (potential, due to threat of massive data leak)
Identity Theft Risk: high (potential, given scale of alleged breach)
Incident : Forum Takedown SAL4432144101325
Data Compromised: Hacked/stolen data (traded on breachforums), Leaked corporate data (e.g., salesforce, google, disney, etc.)
Systems Affected: BreachForums Domain Infrastructure
Downtime: ['BreachForums and successor sites disrupted']
Operational Impact: Disruption of cybercriminal operationsReduced trust in hacking forumsShift to decentralized platforms (e.g., Telegram)
Brand Reputation Impact: Erosion of credibility for BreachForums and similar platformsIncreased skepticism among cybercriminal communities
Legal Liabilities: Potential legal consequences for forum operators (e.g., Conor Brian Fitzpatrick)
Identity Theft Risk: ['High (due to traded stolen data)']
Payment Information Risk: ['High (if financial data was traded)']
Incident : Social Engineering SAL4493244102125
Data Compromised: Salesforce data, Sensitive credentials
Systems Affected: Salesforce InstancesSaaS Applications
Operational Impact: Unauthorized Access to SaaS ApplicationsPotential Data Exfiltration
Brand Reputation Impact: Potential Loss of Trust Due to Credential Theft
Identity Theft Risk: ['High (Due to Stolen Credentials)']
Incident : Vulnerability Exploitation TIN0344703102825
Systems Affected: Slack WorkspacesUser Endpoints (via Malware)
Brand Reputation Impact: Potential erosion of trust in Slack's securityExploitation of Wikipedia's perceived authority
Identity Theft Risk: High (if malware includes keyloggers or info-stealers)
Incident : Cybercriminal Alliance Formation SAL5402554110625
Data Compromised: Potential crm/saas/database records (salesforce and other high-value enterprises)
Systems Affected: Cloud InfrastructureSaaS Platforms (e.g., Salesforce)Database Systems
Operational Impact: Disruption of SaaS OperationsPotential Supply Chain Risks
Brand Reputation Impact: High (Targeting of Salesforce and public extortion tactics)
Identity Theft Risk: ['Potential (PII in compromised databases)']
Incident : Data Breach SAL5090350110725
Data Compromised: Personally identifiable information (pii), Aws access keys, Passwords, Snowflake-related access tokens
Systems Affected: Salesforce CRM (via third-party integration)Salesloft DriftGitHub repositories
Customer Complaints: Multiple lawsuits filed (15+ cases, including class actions)
Brand Reputation Impact: Significant (lawsuits, media coverage, customer distrust)
Legal Liabilities: Class action lawsuits (e.g., Staci Johnson v. Salesforce)Potential regulatory fines
Identity Theft Risk: High (victims required to monitor financial accounts/credit reports)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Private Github Code Repositories, , Customer Account Data, User Data, Opportunities Data, Credentials, Aws Access Keys, Snowflake Tokens, High-Value Secrets, , Crm Data, Customer Records, Business Intelligence, Potentially Pii, , Crm Data (Salesforce Objects), Account Records, Contact Records (Pii), Opportunity Records, User Records, Case Records (Support Tickets), Aws Keys, Snowflake Tokens, Other Credentials, , Customer Lead Information, Email Addresses, , Pii, Customer Support Records, Chat Transcripts, Marketing Data, Shipping Information, Flight Details, Employment Histories, , Customer Data, Potentially Pii (Unconfirmed), , Customer Records, Sensitive Customer Information, Basic Business Information (For Google Breach), , Customer Records, Sensitive Corporate Data, , Customer Records, Support Tickets, Credentials, Api Tokens, Authentication Tokens, , Customer Records (Salesforce), User Pii (Discord: Emails, Ips, Government Ids), Source Code (Red Hat Git Repos), Api Tokens (Red Hat Cers), Infrastructure Details (Red Hat Audits), Authentication Tokens (Salesloft), , Customer Contact Details, It Support Information, Oauth Tokens, It Configurations, Crm Data, Support Cases, , Customer Records, Corporate Data, Escrow Databases, Database Backups, , Corporate Data, Stolen Credentials, Sensitive Information (Varies By Victim), , Salesforce Data, Credentials, , Potentially Pii, Crm Data, Saas Configuration Details, , Pii, Credentials (Aws Keys, Passwords), Access Tokens and .
Which entities were affected by each incident ?
Incident : Data Breach SLA1946123
Entity Name: Slack
Entity Type: Company
Industry: Technology
Size: 18 million users
Incident : Cyber Attack SAL215719323
Entity Name: Salesforce
Entity Type: Company
Industry: Technology
Location: North AmericaEurope
Incident : Vishing SAL633060625
Entity Name: Salesforce customers
Entity Type: Organizations
Industry: Multinational corporations
Location: English-speaking branches
Incident : Data Breach SAL729082725
Entity Name: Salesforce
Entity Type: Cloud CRM Platform
Industry: Technology
Location: Global
Size: Large Enterprise
Customers Affected: Multiple corporate Salesforce accounts (exact number undisclosed)
Incident : Data Breach SAL729082725
Entity Name: Salesloft (Drift application)
Entity Type: Third-Party SaaS Provider
Industry: Sales Engagement
Location: Global
Incident : Data Breach SAL729082725
Entity Name: Multiple Unnamed Organizations
Entity Type: Corporate, Enterprise
Industry: Various
Location: Global
Incident : Social Engineering SAL815090225
Entity Type: Enterprise Organizations
Industry: Multiple (Targeting CRM Users)
Incident : Data Breach SAL5732257091825
Entity Name: Salesforce
Entity Type: Cloud CRM Provider
Industry: Technology/Software
Location: Global (HQ: San Francisco, USA)
Size: Enterprise
Customers Affected: 760 companies
Incident : Data Breach SAL5732257091825
Entity Name: Salesloft
Entity Type: Sales Engagement Platform
Industry: Technology/Software
Location: USA (HQ: Atlanta, Georgia)
Size: Mid-to-Large Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Drift
Entity Type: Conversational Marketing Platform
Industry: Technology/Software
Location: USA (HQ: Boston, Massachusetts)
Size: Mid-to-Large Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Google
Entity Type: Technology Conglomerate
Industry: Technology/Internet Services
Location: Global (HQ: Mountain View, USA)
Size: Mega-Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Cloudflare
Entity Type: Web Infrastructure & Security
Industry: Technology/Cybersecurity
Location: Global (HQ: San Francisco, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Palo Alto Networks
Entity Type: Cybersecurity
Industry: Technology/Cybersecurity
Location: Global (HQ: Santa Clara, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Zscaler
Entity Type: Cloud Security
Industry: Technology/Cybersecurity
Location: Global (HQ: San Jose, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Tenable
Entity Type: Vulnerability Management
Industry: Technology/Cybersecurity
Location: Global (HQ: Columbia, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: CyberArk
Entity Type: Privileged Access Management
Industry: Technology/Cybersecurity
Location: Global (HQ: Petah Tikva, Israel)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Elastic
Entity Type: Search & Analytics
Industry: Technology/Software
Location: Global (HQ: Mountain View, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Qualys
Entity Type: IT Security & Compliance
Industry: Technology/Cybersecurity
Location: Global (HQ: Foster City, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Nutanix
Entity Type: Cloud Computing
Industry: Technology/Software
Location: Global (HQ: San Jose, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Proofpoint
Entity Type: Cybersecurity (Email Security)
Industry: Technology/Cybersecurity
Location: Global (HQ: Sunnyvale, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: BeyondTrust
Entity Type: Privileged Access Management
Industry: Technology/Cybersecurity
Location: Global (HQ: Phoenix, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Rubrik
Entity Type: Data Management & Security
Industry: Technology/Cybersecurity
Location: Global (HQ: Palo Alto, USA)
Size: Enterprise
Incident : Data Breach SAL5732257091825
Entity Name: Cato Networks
Entity Type: Network Security
Industry: Technology/Cybersecurity
Location: Global (HQ: Tel Aviv, Israel)
Size: Mid-to-Large Enterprise
Incident : Data Breach SAL5403154092725
Entity Name: Salesforce
Entity Type: Corporation
Industry: Cloud Computing / CRM
Location: San Francisco, California, USA
Size: Enterprise (150,000+ employees)
Incident : Data Breach SAL5592855100325
Entity Name: Salesforce
Entity Type: Software Company (CRM)
Industry: Technology
Location: Global (HQ: San Francisco, USA)
Size: Enterprise
Customers Affected: 760+ (via Salesloft Drift integration)
Incident : Data Breach SAL5592855100325
Entity Name: Salesloft (Drift)
Entity Type: Software Company (AI Chatbot)
Industry: Technology/SaaS
Location: Global (HQ: Atlanta, USA)
Size: Mid-to-Large
Customers Affected: 760+
Incident : Data Breach SAL5592855100325
Entity Name: Cisco
Entity Type: Corporation
Industry: Technology
Location: Global (HQ: San Jose, USA)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: The Walt Disney Company
Entity Type: Corporation
Industry: Entertainment
Location: Global (HQ: Burbank, USA)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: KFC (Yum! Brands)
Entity Type: Restaurant Chain
Industry: Food & Beverage
Location: Global
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: IKEA
Entity Type: Retailer
Industry: Furniture
Location: Global (HQ: Netherlands)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: Marriott International
Entity Type: Hospitality
Industry: Hotels
Location: Global (HQ: Bethesda, USA)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: McDonald's
Entity Type: Restaurant Chain
Industry: Food & Beverage
Location: Global (HQ: Chicago, USA)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: Walgreens Boots Alliance
Entity Type: Pharmacy Retailer
Industry: Healthcare/Retail
Location: Global (HQ: Deerfield, USA)
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: Albertsons Companies
Entity Type: Grocery Retailer
Industry: Retail
Location: USA
Size: Enterprise
Incident : Data Breach SAL5592855100325
Entity Name: Saks Fifth Avenue
Entity Type: Luxury Retailer
Industry: Retail
Location: USA (HQ: New York)
Size: Large
Incident : Extortion SAL2102121100425
Entity Name: Salesforce
Entity Type: Corporation
Industry: Cloud Computing / CRM
Location: San Francisco, California, USA
Size: Large (Enterprise)
Customers Affected: ~40 companies (via Salesforce environments)
Incident : Extortion SAL2102121100425
Entity Name: Salesloft (Drift integration)
Entity Type: Corporation
Industry: Sales Engagement Software
Location: Atlanta, Georgia, USA
Customers Affected: Hundreds of organizations (via OAuth abuse)
Incident : Extortion SAL2102121100425
Entity Name: Multiple Unnamed Companies
Entity Type: Corporations, Organizations
Industry: Various
Location: Global
Incident : Extortion SAL4932949100625
Entity Name: Salesforce
Entity Type: Corporation
Industry: Cloud Computing / CRM
Location: San Francisco, California, USA
Size: Large (Enterprise)
Customers Affected: ~40 companies using Salesforce CRM (indirectly affecting ~1 billion customer records)
Incident : Extortion SAL4932949100625
Entity Name: Google
Entity Type: Corporation
Industry: Technology
Location: Mountain View, California, USA
Size: Large (Enterprise)
Customers Affected: Basic information of small and medium-sized businesses (resolved in June)
Incident : Extortion SAL4932949100625
Entity Name: 40 unnamed companies
Entity Type: Corporations, Businesses
Customers Affected: ~1 billion customer records collectively
Incident : Data Breach SAL0693606100625
Entity Name: Salesforce
Entity Type: Cloud-Based CRM Provider
Industry: Technology/Software
Location: San Francisco, California, USA
Size: Enterprise (150,000+ employees)
Customers Affected: 39 companies (targeted for ransom) + unspecified number of users
Incident : Data Breach SAL0693606100625
Entity Name: Adidas
Entity Type: Corporation
Industry: Retail/Apparel
Location: Global (HQ: Herzogenaurach, Germany)
Size: Enterprise
Incident : Data Breach SAL0693606100625
Entity Name: Cisco
Entity Type: Corporation
Industry: Technology/Networking
Location: Global (HQ: San Jose, California, USA)
Size: Enterprise
Incident : Data Breach SAL0693606100625
Entity Name: FedEx
Entity Type: Corporation
Industry: Logistics/Transportation
Location: Global (HQ: Memphis, Tennessee, USA)
Size: Enterprise
Incident : Data Breach SAL0693606100625
Entity Name: Disney
Entity Type: Corporation
Industry: Entertainment/Media
Location: Global (HQ: Burbank, California, USA)
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Salesforce
Entity Type: Cloud Service Provider
Industry: Technology (CRM/SaaS)
Location: San Francisco, California, USA
Size: Enterprise
Customers Affected: 39+ (direct extortion targets), 760+ (SalesLoft campaign)
Incident : Data Breach SAL0962109100825
Entity Name: FedEx
Entity Type: Corporation
Industry: Logistics
Location: Memphis, Tennessee, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Disney/Hulu
Entity Type: Corporation
Industry: Entertainment
Location: Burbank, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Home Depot
Entity Type: Corporation
Industry: Retail
Location: Atlanta, Georgia, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Marriott
Entity Type: Corporation
Industry: Hospitality
Location: Bethesda, Maryland, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Google
Entity Type: Corporation
Industry: Technology
Location: Mountain View, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Cisco
Entity Type: Corporation
Industry: Technology
Location: San Jose, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Toyota
Entity Type: Corporation
Industry: Automotive
Location: Toyota City, Aichi, Japan
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Gap
Entity Type: Corporation
Industry: Retail
Location: San Francisco, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Kering
Entity Type: Corporation
Industry: Luxury Goods
Location: Paris, France
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: McDonald's
Entity Type: Corporation
Industry: Food Service
Location: Chicago, Illinois, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Walgreens
Entity Type: Corporation
Industry: Pharmacy/Retail
Location: Deerfield, Illinois, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Instacart
Entity Type: Corporation
Industry: E-commerce
Location: San Francisco, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Cartier
Entity Type: Corporation
Industry: Luxury Goods
Location: Paris, France
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Adidas
Entity Type: Corporation
Industry: Apparel
Location: Herzogenaurach, Germany
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Saks Fifth Avenue
Entity Type: Corporation
Industry: Retail
Location: New York, New York, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Air France & KLM
Entity Type: Corporation
Industry: Aviation
Location: Paris, France / Amstelveen, Netherlands
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: TransUnion
Entity Type: Corporation
Industry: Credit Reporting
Location: Chicago, Illinois, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: HBO Max
Entity Type: Corporation
Industry: Entertainment
Location: New York, New York, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: UPS
Entity Type: Corporation
Industry: Logistics
Location: Atlanta, Georgia, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Chanel
Entity Type: Corporation
Industry: Luxury Goods
Location: Paris, France
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: IKEA
Entity Type: Corporation
Industry: Retail
Location: Delft, Netherlands
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Qantas
Entity Type: Corporation
Industry: Aviation
Location: Sydney, Australia
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Allianz Life
Entity Type: Corporation
Industry: Insurance
Location: Minneapolis, Minnesota, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Farmers Insurance
Entity Type: Corporation
Industry: Insurance
Location: Los Angeles, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Workday
Entity Type: Corporation
Industry: Technology (HR/Finance SaaS)
Location: Pleasanton, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: LVMH (Dior, Louis Vuitton, Tiffany & Co.)
Entity Type: Corporation
Industry: Luxury Goods
Location: Paris, France
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Cloudflare
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: San Francisco, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Zscaler
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: San Jose, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Tenable
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Columbia, Maryland, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: CyberArk
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Petah Tikva, Israel
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Elastic
Entity Type: Corporation
Industry: Technology (Search/Data Analytics)
Location: Mountain View, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: BeyondTrust
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Phoenix, Arizona, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Proofpoint
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Sunnyvale, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: JFrog
Entity Type: Corporation
Industry: Technology (DevOps)
Location: Sunnyvale, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Nutanix
Entity Type: Corporation
Industry: Technology (Cloud Computing)
Location: San Jose, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Qualys
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Foster City, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Rubrik
Entity Type: Corporation
Industry: Technology (Data Management)
Location: Palo Alto, California, USA
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Cato Networks
Entity Type: Corporation
Industry: Technology (Network Security)
Location: Tel Aviv, Israel
Size: Enterprise
Incident : Data Breach SAL0962109100825
Entity Name: Palo Alto Networks
Entity Type: Corporation
Industry: Technology (Cybersecurity)
Location: Santa Clara, California, USA
Size: Enterprise
Incident : Data Breach SAL0562205100825
Entity Name: Salesforce
Entity Type: CRM Platform
Industry: Enterprise Software
Location: USA (Global Operations)
Size: Large (Fortune 500)
Customers Affected: >1B Records (Across Dozens of Clients)
Incident : Data Breach SAL0562205100825
Entity Name: Google
Entity Type: Technology
Industry: Internet Services
Location: USA
Size: Large
Customers Affected: Corporate Salesforce Instance Compromised
Incident : Data Breach SAL0562205100825
Entity Name: Toyota
Entity Type: Corporation
Industry: Automotive
Location: Japan/Global
Size: Large
Customers Affected: Salesforce Data Stolen (Volume Undisclosed)
Incident : Data Breach SAL0562205100825
Entity Name: FedEx
Entity Type: Corporation
Industry: Logistics
Location: USA/Global
Size: Large
Customers Affected: Salesforce Data Stolen (Volume Undisclosed)
Incident : Data Breach SAL0562205100825
Entity Name: Disney/Hulu
Entity Type: Corporation
Industry: Entertainment
Location: USA
Size: Large
Customers Affected: Salesforce Data Stolen (Volume Undisclosed)
Incident : Data Breach SAL0562205100825
Entity Name: UPS
Entity Type: Corporation
Industry: Logistics
Location: USA/Global
Size: Large
Customers Affected: Salesforce Data Stolen (Volume Undisclosed)
Incident : Data Breach SAL0562205100825
Entity Name: Red Hat (IBM)
Entity Type: Subsidiary
Industry: Enterprise Software
Location: USA/Global
Size: Large
Customers Affected: 28,000+ Git Repos, 5,000+ Customer Engagement Reports
Incident : Data Breach SAL0562205100825
Entity Name: Discord
Entity Type: Corporation
Industry: Social Media/Communication
Location: USA
Size: Large
Customers Affected: Limited Number of Users (Support/Trust & Safety Interactions)
Incident : Data Breach SAL0562205100825
Entity Name: Oracle
Entity Type: Corporation
Industry: Enterprise Software
Location: USA/Global
Size: Large
Customers Affected: E-Business Suite Users (Via CVE-2025-61882)
Incident : Data Breach SAL0562205100825
Entity Name: Salesloft
Entity Type: Corporation
Industry: Sales Engagement
Location: USA
Size: Medium
Customers Affected: Authentication Tokens Stolen (Impacted Cloud Services: Snowflake, AWS)
Incident : Data Breach SAL3132231100825
Entity Name: Salesforce
Entity Type: CRM Provider
Industry: Cloud Computing / SaaS
Location: San Francisco, California, USA
Size: Enterprise (150,000+ employees)
Customers Affected: Unknown (Hundreds of organizations)
Incident : Data Breach SAL3132231100825
Entity Name: SalesLoft
Entity Type: Sales Engagement Platform
Industry: Sales Technology
Location: Atlanta, Georgia, USA
Size: Mid-Large (500+ employees)
Customers Affected: Unknown (Via Drift App)
Incident : Data Breach SAL3132231100825
Entity Name: Cloudflare
Entity Type: Web Infrastructure & Security
Industry: Cybersecurity
Location: San Francisco, California, USA
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: Zscaler
Entity Type: Cloud Security
Industry: Cybersecurity
Location: San Jose, California, USA
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: Palo Alto Networks
Entity Type: Cybersecurity
Industry: Network Security
Location: Santa Clara, California, USA
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: CyberArk
Entity Type: Privileged Access Security
Industry: Cybersecurity
Location: Petah Tikva, Israel / Newton, Massachusetts, USA
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: Rubrik
Entity Type: Data Management & Security
Industry: Cloud Data Protection
Location: Palo Alto, California, USA
Size: Mid-Large
Incident : Data Breach SAL3132231100825
Entity Name: Nutanix
Entity Type: Hybrid Cloud Computing
Industry: IT Infrastructure
Location: San Jose, California, USA
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: Ericsson
Entity Type: Telecommunications
Industry: Networking & 5G
Location: Stockholm, Sweden
Size: Enterprise
Incident : Data Breach SAL3132231100825
Entity Name: JFrog
Entity Type: DevOps Platform
Industry: Software Development
Location: Sunnyvale, California, USA
Size: Mid-Large
Incident : Data Breach SAL5002150100925
Entity Name: Salesforce
Entity Type: Cloud CRM Provider
Industry: Technology
Location: San Francisco, California, USA
Size: Large Enterprise
Customers Affected: Dozens (including Toyota, FedEx, and 37 others)
Incident : Data Breach SAL5002150100925
Entity Name: Toyota
Entity Type: Automotive Manufacturer
Industry: Automotive
Location: Global
Size: Large Enterprise
Incident : Data Breach SAL5002150100925
Entity Name: FedEx
Entity Type: Logistics Company
Industry: Transportation/Logistics
Location: Global
Size: Large Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: BreachForums
Entity Type: Hacking Forum / Data Extortion Site
Industry: Cybercrime
Location: Global (Seized by U.S. and France)
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Salesforce (Indirectly Affected via Breach)
Entity Type: Cloud Computing / CRM
Industry: Technology
Location: Global
Size: Enterprise
Customers Affected: 1+ billion records (across multiple companies)
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: FedEx
Entity Type: Logistics
Industry: Transportation
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Disney/Hulu
Entity Type: Entertainment
Industry: Media
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Home Depot
Entity Type: Retail
Industry: Home Improvement
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Marriott
Entity Type: Hospitality
Industry: Travel
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Google
Entity Type: Technology
Industry: Internet Services
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Cisco
Entity Type: Technology
Industry: Networking
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Toyota
Entity Type: Automotive
Industry: Manufacturing
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Gap
Entity Type: Retail
Industry: Fashion
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: McDonald's
Entity Type: Food Service
Industry: Restaurant
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Walgreens
Entity Type: Retail
Industry: Pharmacy
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Instacart
Entity Type: E-Commerce
Industry: Grocery Delivery
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Cartier
Entity Type: Luxury Goods
Industry: Retail
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Adidas
Entity Type: Retail
Industry: Sportswear
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Saks Fifth Avenue
Entity Type: Retail
Industry: Luxury Department Store
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Air France & KLM
Entity Type: Aviation
Industry: Travel
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: TransUnion
Entity Type: Financial Services
Industry: Credit Reporting
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: HBO Max
Entity Type: Entertainment
Industry: Streaming
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: UPS
Entity Type: Logistics
Industry: Transportation
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: Chanel
Entity Type: Luxury Goods
Industry: Retail
Location: Global
Size: Enterprise
Incident : Law Enforcement Takedown SAL4232242101025
Entity Name: IKEA
Entity Type: Retail
Industry: Furniture
Location: Global
Size: Enterprise
Incident : data breach SAL5602056101125
Entity Name: Salesforce
Entity Type: corporation
Industry: cloud computing / CRM
Location: San Francisco, California, USA
Size: large
Customers Affected: 39 (including Disney, Toyota, Adidas, McDonald's, IKEA, Home Depot)
Incident : data breach SAL5602056101125
Entity Name: Disney
Entity Type: corporation
Industry: entertainment
Location: Burbank, California, USA
Size: large
Incident : data breach SAL5602056101125
Entity Name: Toyota
Entity Type: corporation
Industry: automotive
Location: Toyota City, Aichi, Japan
Size: large
Incident : data breach SAL5602056101125
Entity Name: Adidas
Entity Type: corporation
Industry: sportswear
Location: Herzogenaurach, Germany
Size: large
Incident : data breach SAL5602056101125
Entity Name: McDonald's
Entity Type: corporation
Industry: fast food
Location: Chicago, Illinois, USA
Size: large
Incident : data breach SAL5602056101125
Entity Name: IKEA
Entity Type: corporation
Industry: retail / furniture
Location: Delft, Netherlands
Size: large
Incident : data breach SAL5602056101125
Entity Name: Home Depot
Entity Type: corporation
Industry: retail / home improvement
Location: Atlanta, Georgia, USA
Size: large
Incident : Forum Takedown SAL4432144101325
Entity Name: BreachForums
Entity Type: Hacking Forum
Industry: Cybercrime
Location: Global (Online)
Customers Affected: Cybercriminals and victims of data leaks/extortion
Incident : Forum Takedown SAL4432144101325
Entity Name: Salesforce
Entity Type: Corporation
Industry: Cloud Computing/SaaS
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Google
Entity Type: Corporation
Industry: Technology
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Palo Alto Networks
Entity Type: Corporation
Industry: Cybersecurity
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Zscaler
Entity Type: Corporation
Industry: Cybersecurity
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Cloudflare
Entity Type: Corporation
Industry: Web Infrastructure
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Disney
Entity Type: Corporation
Industry: Entertainment
Location: USA
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Qantas
Entity Type: Corporation
Industry: Aviation
Location: Australia
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Air France-KLM
Entity Type: Corporation
Industry: Aviation
Location: France/Netherlands
Size: Large
Incident : Forum Takedown SAL4432144101325
Entity Name: Toyota
Entity Type: Corporation
Industry: Automotive
Location: Japan
Size: Large
Incident : Social Engineering SAL4493244102125
Entity Type: Multinational Corporations, Organizations Using Salesforce
Location: Global (Focus on English-Speaking Branches)
Incident : Vulnerability Exploitation TIN0344703102825
Entity Name: Slack (by Salesforce)
Entity Type: Technology Company
Industry: Enterprise Communication/SaaS
Location: Global
Size: Large
Incident : Vulnerability Exploitation TIN0344703102825
Entity Name: Wikipedia (Wikimedia Foundation)
Entity Type: Non-Profit Organization
Industry: Online Encyclopedia
Location: Global
Size: Large
Incident : Cybercriminal Alliance Formation SAL5402554110625
Entity Name: Salesforce
Entity Type: SaaS Provider
Industry: Customer Relationship Management (CRM)
Location: Global (HQ: San Francisco, USA)
Size: Enterprise
Incident : Data Breach SAL5090350110725
Entity Name: Salesforce
Entity Type: SaaS CRM Vendor
Industry: Technology/Cloud Services
Location: Northern California, USA
Incident : Data Breach SAL5090350110725
Entity Name: Salesloft
Entity Type: Third-Party Vendor
Industry: Sales Engagement Platform
Incident : Data Breach SAL5090350110725
Entity Name: TransUnion
Entity Type: Customer of Salesforce
Industry: Consumer Credit Reporting
Customers Affected: 4.5 million individuals
Incident : Data Breach SAL5090350110725
Entity Name: Allianz Life Insurance
Entity Type: Customer of Salesforce
Industry: Insurance
Incident : Data Breach SAL5090350110725
Entity Name: Farmers Insurance
Entity Type: Customer of Salesforce
Industry: Insurance
Customers Affected: 1 million customers
Incident : Data Breach SAL5090350110725
Entity Name: Workday
Entity Type: Customer of Salesforce
Industry: HR/Enterprise Software
Incident : Data Breach SAL5090350110725
Entity Name: Pandora Jewelry
Entity Type: Customer of Salesforce
Industry: Retail/Jewelry
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Cyber Attack SAL215719323
Containment Measures: Blocked access to affected instances
Remediation Measures: Blocked access to orgs with inadvertent permissions
Incident : Data Breach SAL729082725
Incident Response Plan Activated: True
Third Party Assistance: Google Threat Intelligence Group (Gtig), Mandiant, Astrix Security.
Containment Measures: Revoked all active access tokens for Drift app (August 20, 2025)Temporarily removed Drift from Salesforce AppExchange
Remediation Measures: Restricting Connected App scopesSearching for exposed secrets in Salesforce dataRotating compromised credentialsEnforcing IP restrictions
Communication Strategy: Advisories issued by GTIG/MandiantNotifications to affected organizationsPublic blog post by Astrix Security
Enhanced Monitoring: Checking for specific IP addresses/User-Agent strings linked to attackers
Incident : Social Engineering SAL815090225
Containment Measures: Web Application Firewall (WAF) with Rate-Limiting for API CallsSIEM Correlation of OAuth Events with API UsageUser and Entity Behavior Analytics (UEBA) DeploymentConditional Access Policies for OAuth Apps (IP/Device/Risk-Based)
Remediation Measures: Revoke Compromised OAuth TokensAudit and Restrict Connected Apps PermissionsImplement Hardware Security Modules (HSM) for API KeysEnforce Perfect Forward Secrecy (PFS) for Authentication TokensDeploy CAA Records and DANE for Domain Spoofing Prevention
Adaptive Behavioral WAF: ['Rate-Limiting for Bulk API Operations (e.g., /services/data/v58.0/jobs/query)']
Network Segmentation: ['Isolate CRM API Endpoints from Untrusted Networks']
Enhanced Monitoring: Real-Time API Call Anomaly DetectionGeofencing for OAuth Authorizations
Incident : Data Breach SAL5732257091825
Third Party Assistance: Google Mandiant (Threat Intelligence), Fbi (Advisory & Investigation).
Law Enforcement Notified: FBI,
Remediation Measures: Salesforce Recommendations: Enforce Multi-Factor Authentication (MFA)Apply Principle of Least PrivilegeClosely Manage Connected Applications
Communication Strategy: Salesforce Customer AdvisoriesFBI Public Advisory on UNC6040/6395
Incident : Data Breach SAL5403154092725
Incident Response Plan Activated: True
Containment Measures: Enforced Trusted URL Allow-Lists for Agentforce/Einstein AIRe-secured Expired Domain (my-salesforce-cms.com)
Remediation Measures: Patches to prevent AI agents from sending data to untrusted URLs
Communication Strategy: Public Statement to The RegisterBlog Post by Noma Security
Incident : Data Breach SAL5592855100325
Incident Response Plan Activated: Yes (Salesforce, Mandiant, and Affected Companies)
Third Party Assistance: Mandiant (Google’S Incident Response), Salesforce Security Team, Fbi Cyber Division.
Law Enforcement Notified: Yes (FBI Issued Advisory on 2023-09-12)
Containment Measures: Revoking Compromised OAuth TokensIsolating Affected Salesforce InstancesDisabling Salesloft Drift Integrations
Remediation Measures: Enforcing 2FA for OAuth AppsPatching Salesloft Drift VulnerabilitiesAudit of Third-Party Integrations
Recovery Measures: Data Backup Restoration (if applicable)Customer Notification PlansDark Web Monitoring for Leaked Data
Communication Strategy: Public Disclosure via Media (ISMG, BleepingComputer)Customer Advisories (Pending)Regulatory Notifications
Network Segmentation: Recommended (to Limit Lateral Movement)
Enhanced Monitoring: Salesforce Instance LogsCloud Platform (Google Workspace, Microsoft 365, Okta) Activity
Incident : Extortion SAL2102121100425
Incident Response Plan Activated: Yes (Salesforce engaged external experts and authorities)
Third Party Assistance: Mandiant (Google), External Cybersecurity Experts.
Law Enforcement Notified: Yes (US and UK authorities involved)
Remediation Measures: Customer notificationsInvestigation of OAuth abuse
Communication Strategy: Public security advisoryMedia statements
Incident : Extortion SAL4932949100625
Incident Response Plan Activated: True
Third Party Assistance: External Specialists, Authorities.
Containment Measures: Supporting potentially affected customersInvestigating claims
Communication Strategy: Public denial of platform hackAdvisories to customers
Incident : Data Breach SAL0693606100625
Incident Response Plan Activated: Yes (Salesforce disabled vulnerable Salesloft Drift integration on Aug 28, 2025)
Third Party Assistance: Google Threat Intelligence (Reported Attacks In June And August 2025).
Containment Measures: Disabled Salesloft Drift Integration (Aug 28–Sep 7, 2025)
Remediation Measures: Reinstated Integration with Security Fixes (Sep 7, 2025)
Communication Strategy: Public Security Alert IssuedDenial of Direct Platform Compromise
Incident : Data Breach SAL0962109100825
Incident Response Plan Activated: Yes (Salesforce notified customers)
Law Enforcement Notified: Likely (FBI may have seized extortion domain)
Remediation Measures: Refusal to pay ransomCustomer notifications
Communication Strategy: Public statements and customer emails
Incident : Data Breach SAL0562205100825
Incident Response Plan Activated: True
Third Party Assistance: Google Threat Intelligence Group (Gtig), Mandiant (Malware Analysis), Law Enforcement (Fbi, Uk Nca).
Containment Measures: Salesforce: Disabled Malicious OAuth AppsRed Hat: Isolated Compromised GitLab ServerDiscord: Terminated Third-Party Vendor AccessOracle: Emergency Patch for CVE-2025-61882
Remediation Measures: Salesforce: Forensic Analysis, Customer SupportRed Hat: Customer Notifications, Repository AuditsDiscord: Affected User Notifications, Password ResetsOracle: Urged Customers to Apply Patch
Recovery Measures: Salesforce: Refused to Pay Ransom, Focused on DefenseRed Hat: Restored GitLab from BackupsDiscord: Enhanced Vendor Security Controls
Communication Strategy: Salesforce: Customer Advisories (No Negotiation Policy)Red Hat: Public Disclosure (October 2, 2025)Discord: Direct Emails to Affected UsersOracle: Security Advisory for CVE-2025-61882
Enhanced Monitoring: Salesforce: Increased Logging for OAuth IntegrationsRed Hat: GitLab Access Audits
Incident : Data Breach SAL3132231100825
Incident Response Plan Activated: True
Third Party Assistance: Google Threat Intelligence Group (Warnings).
Containment Measures: Disabled Drift App IntegrationToken Renewal Mandate for Customers
Remediation Measures: Customer Support OutreachOAuth Token Rotation
Recovery Measures: Reactivated SalesLoft Integrations (Except Drift)
Communication Strategy: Internal Memo (Bloomberg-Leaked)Public Statement on Non-Payment of RansomCustomer Advisories
Enhanced Monitoring: Likely (Implied by Google Threat Intelligence Collaboration)
Incident : Data Breach SAL5002150100925
Incident Response Plan Activated: Likely (Salesforce refused ransom demand)
Third Party Assistance: Mandiant (Google-Owned Threat Intelligence).
Communication Strategy: Public refusal of ransom demand (email statement)
Incident : Law Enforcement Takedown SAL4232242101025
Incident Response Plan Activated: Yes (FBI and France's BL2C Unit)
Third Party Assistance: French Law Enforcement (Bl2C Unit).
Law Enforcement Notified: Yes (FBI-led operation)
Containment Measures: Domain SeizureBackend Server SeizureNameserver Redirection to FBI
Remediation Measures: Permanent Shutdown of BreachForumsPrevention of Data Leak (Salesforce Campaign Disrupted)
Communication Strategy: Public Announcement via BleepingComputerPGP-Signed Message from ShinyHunters on Telegram
Incident : Forum Takedown SAL4432144101325
Incident Response Plan Activated: Yes (FBI-led operation)
Third Party Assistance: Europol (In Prior Operations).
Law Enforcement Notified: Yes (FBI-led, with international coordination)
Containment Measures: Domain seizureDisruption of forum operations
Communication Strategy: Public announcement by FBIMedia coverage (e.g., ITPro)
Incident : Social Engineering SAL4493244102125
Third Party Assistance: Mandiant (Google).
Containment Measures: End unsolicited support calls without providing access/informationVerify callers via trusted, on-file contact informationRequire explicit verification from account managers before fulfilling requests
Remediation Measures: Defense-in-Depth Strategy for Caller VerificationEmployee Training on Social Engineering and PhishingRigorous Communication of Third-Party Request Verification Protocols
Communication Strategy: Mandiant Blog PostKnowBe4 Advisory
Enhanced Monitoring: Monitoring for Unauthorized SaaS Access
Incident : Vulnerability Exploitation TIN0344703102825
Third Party Assistance: Esentire (Research/Disclosure).
Incident : Data Breach SAL5090350110725
Incident Response Plan Activated: Yes (Salesforce offered support to affected customers)
Remediation Measures: Salesforce directed customers to its Trust page for protective steps; denied platform compromise
Communication Strategy: Public noticesMedia statementsTrust page updates
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Yes (Salesforce, Mandiant, and Affected Companies), Yes (Salesforce engaged external experts and authorities), , Yes (Salesforce disabled vulnerable Salesloft Drift integration on Aug 28, 2025), Yes (Salesforce notified customers), , , Likely (Salesforce refused ransom demand), Yes (FBI and France's BL2C Unit), Yes (FBI-led operation), Yes (Salesforce offered support to affected customers).
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security, , Google Mandiant (Threat Intelligence), FBI (Advisory & Investigation), , Mandiant (Google’s Incident Response), Salesforce Security Team, FBI Cyber Division, , Mandiant (Google), External cybersecurity experts, , External specialists, Authorities, , Google Threat Intelligence (reported attacks in June and August 2025), , Google Threat Intelligence Group (GTIG), Mandiant (Malware Analysis), Law Enforcement (FBI, UK NCA), , Google Threat Intelligence Group (Warnings), , Mandiant (Google-owned threat intelligence), , French Law Enforcement (BL2C Unit), , Europol (in prior operations), , Mandiant (Google), , eSentire (Research/Disclosure), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach SLA1946123
Type of Data Compromised: Private github code repositories
Incident : Data Breach SAL729082725
Type of Data Compromised: Customer account data, User data, Opportunities data, Credentials, Aws access keys, Snowflake tokens, High-value secrets
Sensitivity of Data: High (includes cloud infrastructure keys and authentication tokens)
Incident : Social Engineering SAL815090225
Type of Data Compromised: Crm data, Customer records, Business intelligence, Potentially pii
Sensitivity of Data: High (Includes Salesforce Object Data via SOQL)
Data Exfiltration: Automated via Bulk API EndpointsPython Scripts with Rate-Limiting to Evade Detection
Personally Identifiable Information: Likely (Dependent on CRM Data Structure)
Incident : Data Breach SAL5732257091825
Type of Data Compromised: Crm data (salesforce objects), Account records, Contact records (pii), Opportunity records, User records, Case records (support tickets), Aws keys, Snowflake tokens, Other credentials
Number of Records Exposed: 1.5 billion
Sensitivity of Data: High (PII, Business-Critical CRM Data, Credentials)
Data Exfiltration: Confirmed (Massive Scale)Evidence: Shared File Listing Salesloft’s Breached Source Code Folders
File Types Exposed: Salesforce Database RecordsSource Code (Salesloft GitHub)Configuration FilesAPI Keys/Secrets
Personally Identifiable Information: Contact Records (Names, Email Addresses, Phone Numbers, etc.)User Records (Employee/Client Data)
Incident : Data Breach SAL5403154092725
Type of Data Compromised: Customer lead information, Email addresses
Sensitivity of Data: Moderate (Business contact data, no financial/PII confirmed)
Personally Identifiable Information: Partial (Email addresses, potentially names/companies)
Incident : Data Breach SAL5592855100325
Type of Data Compromised: Pii, Customer support records, Chat transcripts, Marketing data, Shipping information, Flight details, Employment histories
Number of Records Exposed: 1,500,000,000 (claimed)
Sensitivity of Data: High (Includes Passport Numbers, Nationalities, Contact Details)
Data Exfiltration: Confirmed (Samples Validated by Researchers)
Data Encryption: No (Data Stolen in Plaintext)
File Types Exposed: Database DumpsCSV/Excel FilesJSON/Log FilesChat Transcripts
Personally Identifiable Information: Full NamesDates of BirthNationalitiesPassport NumbersEmail AddressesPhone NumbersPhysical AddressesEmployment Histories
Incident : Extortion SAL2102121100425
Type of Data Compromised: Customer data, Potentially pii (unconfirmed)
Number of Records Exposed: 1 billion (claimed; unverified)
Sensitivity of Data: Moderate to High (if PII included)
Data Exfiltration: Claimed by threat actors
Personally Identifiable Information: Potential (unconfirmed)
Incident : Extortion SAL4932949100625
Type of Data Compromised: Customer records, Sensitive customer information, Basic business information (for google breach)
Number of Records Exposed: ~1 billion (claimed)
Sensitivity of Data: High (customer data, potentially PII)
Incident : Data Breach SAL0693606100625
Type of Data Compromised: Customer records, Sensitive corporate data
Number of Records Exposed: Nearly 1 billion (claimed)
Sensitivity of Data: High (includes PII and potentially proprietary business data)
Data Exfiltration: Yes (samples published on dark web site 'Scattered Lapsus$ Hunters')
Personally Identifiable Information: Likely (based on context)
Incident : Data Breach SAL0962109100825
Type of Data Compromised: Customer records, Support tickets, Credentials, Api tokens, Authentication tokens
Number of Records Exposed: ~2.5 billion (1B in first campaign, 1.5B in second)
Sensitivity of Data: High (PII, credentials, business-sensitive data)
Data Exfiltration: Yes
File Types Exposed: DatabasesSupport LogsConfiguration Files
Personally Identifiable Information: Yes
Incident : Data Breach SAL0562205100825
Type of Data Compromised: Customer records (salesforce), User pii (discord: emails, ips, government ids), Source code (red hat git repos), Api tokens (red hat cers), Infrastructure details (red hat audits), Authentication tokens (salesloft)
Number of Records Exposed: >1B (Salesforce) + Undisclosed (Discord, Red Hat, Oracle)
Sensitivity of Data: High (PII, Government IDs, Source Code, API Tokens)
File Types Exposed: Salesforce Database ExportsGit Repositories (Red Hat)Customer Support Tickets (Discord)Oracle E-Business Suite Records
Personally Identifiable Information: Discord: Usernames, Emails, IPs, Government ID ImagesSalesforce: Customer Data (Varies by Client)Red Hat: Business Contact Information (Limited)
Incident : Data Breach SAL3132231100825
Type of Data Compromised: Customer contact details, It support information, Oauth tokens, It configurations, Crm data, Support cases
Number of Records Exposed: Unknown (Hundreds of organizations affected)
Sensitivity of Data: Moderate (Corporate IT and Customer Data)
Personally Identifiable Information: Limited (Primarily Corporate PII)
Incident : Data Breach SAL5002150100925
Number of Records Exposed: 989.45 million (~1 billion)
Data Exfiltration: Claimed by threat actor
Incident : Law Enforcement Takedown SAL4232242101025
Type of Data Compromised: Customer records, Corporate data, Escrow databases, Database backups
Number of Records Exposed: 1+ billion (Salesforce campaign)
Sensitivity of Data: High (Personally Identifiable Information)
Data Exfiltration: Yes (Stolen from Salesforce breaches)
Personally Identifiable Information: Yes
Incident : data breach SAL5602056101125
Number of Records Exposed: one billion (alleged)
Data Exfiltration: alleged
Incident : Forum Takedown SAL4432144101325
Type of Data Compromised: Corporate data, Stolen credentials, Sensitive information (varies by victim)
Sensitivity of Data: High
Data Exfiltration: Yes (via BreachForums)
Personally Identifiable Information: Likely (depends on leaked datasets)
Incident : Social Engineering SAL4493244102125
Type of Data Compromised: Salesforce data, Credentials
Sensitivity of Data: High (Potential PII, Corporate Data)
Data Exfiltration: Confirmed in Observed Cases
Personally Identifiable Information: Potential (If Credentials Include PII)
Incident : Cybercriminal Alliance Formation SAL5402554110625
Type of Data Compromised: Potentially pii, crm data, saas configuration details
Sensitivity of Data: High (Enterprise SaaS and cloud infrastructure)
Personally Identifiable Information: Likely (based on target profile)
Incident : Data Breach SAL5090350110725
Type of Data Compromised: Pii, Credentials (aws keys, passwords), Access tokens
Sensitivity of Data: High (PII, credentials)
Data Exfiltration: Yes (OAuth tokens and credentials stolen)
Personally Identifiable Information: Yes (names, financial data, etc.)
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Blocked access to orgs with inadvertent permissions, , Restricting Connected App scopes, Searching for exposed secrets in Salesforce data, Rotating compromised credentials, Enforcing IP restrictions, , Revoke Compromised OAuth Tokens, Audit and Restrict Connected Apps Permissions, Implement Hardware Security Modules (HSM) for API Keys, Enforce Perfect Forward Secrecy (PFS) for Authentication Tokens, Deploy CAA Records and DANE for Domain Spoofing Prevention, , Salesforce Recommendations: Enforce Multi-Factor Authentication (MFA), Apply Principle of Least Privilege, Closely Manage Connected Applications, , Patches to prevent AI agents from sending data to untrusted URLs, , Enforcing 2FA for OAuth Apps, Patching Salesloft Drift Vulnerabilities, Audit of Third-Party Integrations, , Customer notifications, Investigation of OAuth abuse, , Reinstated Integration with Security Fixes (Sep 7, 2025), , Refusal to pay ransom, Customer notifications, , Salesforce: Forensic Analysis, Customer Support, Red Hat: Customer Notifications, Repository Audits, Discord: Affected User Notifications, Password Resets, Oracle: Urged Customers to Apply Patch, , Customer Support Outreach, OAuth Token Rotation, , Permanent Shutdown of BreachForums, Prevention of Data Leak (Salesforce Campaign Disrupted), , Defense-in-Depth Strategy for Caller Verification, Employee Training on Social Engineering and Phishing, Rigorous Communication of Third-Party Request Verification Protocols, , Salesforce directed customers to its Trust page for protective steps; denied platform compromise.
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by blocked access to affected instances, , revoked all active access tokens for drift app (august 20, 2025), temporarily removed drift from salesforce appexchange, , web application firewall (waf) with rate-limiting for api calls, siem correlation of oauth events with api usage, user and entity behavior analytics (ueba) deployment, conditional access policies for oauth apps (ip/device/risk-based), , enforced trusted url allow-lists for agentforce/einstein ai, re-secured expired domain (my-salesforce-cms.com), , revoking compromised oauth tokens, isolating affected salesforce instances, disabling salesloft drift integrations, , supporting potentially affected customers, investigating claims, , disabled salesloft drift integration (aug 28–sep 7, 2025), , salesforce: disabled malicious oauth apps, red hat: isolated compromised gitlab server, discord: terminated third-party vendor access, oracle: emergency patch for cve-2025-61882, , disabled drift app integration, token renewal mandate for customers, , domain seizure, backend server seizure, nameserver redirection to fbi, , domain seizure, disruption of forum operations, , end unsolicited support calls without providing access/information, verify callers via trusted, on-file contact information, require explicit verification from account managers before fulfilling requests and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : Data Breach SAL729082725
Data Exfiltration: True
Incident : Social Engineering SAL815090225
Data Exfiltration: ['Primary Focus (Extortion via Data Leak Threats)']
Incident : Data Breach SAL5732257091825
Ransom Demanded: ['Extortion Threats (No Specific Ransom Amount Disclosed)']
Data Exfiltration: ['Yes (Extortion-Based)']
Incident : Data Breach SAL5592855100325
Ransom Demanded: ['Separate Ransoms from Salesforce and Listed Victims', 'Extortion Threats via Dark Web Leak Site']
Data Encryption: No (Data Theft Without Encryption)
Data Exfiltration: Yes (1.5B Records Claimed)
Incident : Extortion SAL2102121100425
Ransom Demanded: $989.45 (for all data)
Ransom Paid: No (as of disclosure)
Data Exfiltration: Claimed
Incident : Data Breach SAL0693606100625
Ransom Demanded: Yes (amount unspecified; deadline: Oct 10, 2025)
Data Encryption: No (extortion-based, not encryption)
Data Exfiltration: Yes
Incident : Data Breach SAL0962109100825
Ransom Demanded: Unspecified (extortion demands to companies or Salesforce)
Ransom Paid: No (Salesforce refused to pay)
Data Encryption: No (data theft, not encryption)
Data Exfiltration: Yes
Incident : Data Breach SAL0562205100825
Ransom Demanded: Unspecified (Threatened Public Leak if Unpaid by October 10, 2025)
Data Exfiltration: True
Incident : Data Breach SAL5002150100925
Ransom Demanded: Unspecified (extortion demand to Salesforce)
Ransom Paid: No (Salesforce refused)
Data Exfiltration: Claimed (~1 billion records)
Incident : Law Enforcement Takedown SAL4232242101025
Ransom Demanded: Yes (Salesforce Campaign)
Ransom Paid: Unknown (Companies targeted for non-payment)
Data Exfiltration: Yes
Incident : data breach SAL5602056101125
Ransom Demanded: unspecified (threatened leak if unpaid by October 10, 2023, 11:59 p.m. EST)
Data Exfiltration: alleged
Incident : Forum Takedown SAL4432144101325
Data Exfiltration: Yes (as part of extortion schemes)
Incident : Cybercriminal Alliance Formation SAL5402554110625
Data Exfiltration: True
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Data Backup Restoration (if applicable), Customer Notification Plans, Dark Web Monitoring for Leaked Data, , Salesforce: Refused to Pay Ransom, Focused on Defense, Red Hat: Restored GitLab from Backups, Discord: Enhanced Vendor Security Controls, , Reactivated SalesLoft Integrations (Except Drift), .
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach SAL729082725
Regulatory Notifications: Notifications sent to affected organizations (details undisclosed)
Incident : Data Breach SAL5592855100325
Regulations Violated: Potential GDPR (EU), CCPA (California), Sector-Specific Data Protection Laws,
Legal Actions: Pending (Potential Class-Action Lawsuits), Regulatory Investigations,
Regulatory Notifications: Likely Required (e.g., GDPR 72-Hour Rule)State Attorney General Notifications (USA)
Incident : Extortion SAL2102121100425
Legal Actions: Arrests of UK teens (Scattered Spider members), Ongoing investigations,
Incident : Data Breach SAL0693606100625
Legal Actions: 14 Lawsuits Filed by Affected Companies (September 2025),
Incident : Data Breach SAL0562205100825
Regulations Violated: Potential GDPR (EU Customer Data in Salesforce/Discord), Potential CCPA (California Residents), Industry-Specific Compliance (e.g., PCI DSS for Payment Data),
Legal Actions: UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025),
Regulatory Notifications: Salesforce: Notified Customers (No Regulatory Filings Mentioned)Red Hat: Customer Notifications (October 2, 2025)Discord: Affected User Notifications (Ongoing)
Incident : Law Enforcement Takedown SAL4232242101025
Legal Actions: Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S.,
Incident : Forum Takedown SAL4432144101325
Legal Actions: Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023),
Incident : Data Breach SAL5090350110725
Legal Actions: Class action lawsuits (e.g., Staci Johnson v. Salesforce),
How does the company ensure compliance with regulatory requirements ?
Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending (Potential Class-Action Lawsuits), Regulatory Investigations, , Arrests of UK teens (Scattered Spider members), Ongoing investigations, , 14 Lawsuits Filed by Affected Companies (September 2025), , UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025), , Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S., , Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023), , Class action lawsuits (e.g., Staci Johnson v. Salesforce), .
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Data Breach SAL729082725
Lessons Learned: Non-human identities (NHIs) are persistent, high-privilege targets for attackers., OAuth token abuse can bypass MFA, highlighting the need for stricter access controls., Organizations often lack visibility into NHIs, increasing risk of exploitation., Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.
Incident : Social Engineering SAL815090225
Lessons Learned: OAuth 2.0 Connected Apps Require Stricter Permission Scoping and Monitoring, API Security Must Extend Beyond Authentication to Include Behavioral Analysis, VoIP/Tor-Based Vishing Attacks Bypass Traditional Phishing Defenses, Segmented C2 Infrastructure (Tor + VPN) Complicates Attribution and Takedown
Incident : Data Breach SAL5732257091825
Lessons Learned: OAuth tokens and connected applications are high-value targets for attackers., Social engineering and malicious OAuth apps can bypass traditional security controls., Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks., Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations., Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.
Incident : Data Breach SAL5403154092725
Lessons Learned: The incident highlights the need for: (1) Proactive AI security governance, (2) Strict input validation for AI prompts, (3) Domain lifecycle management to prevent expired domain exploitation, (4) Human oversight for AI-agent interactions, and (5) Defense-in-depth for AI-integrated business tools against prompt injection attacks.
Incident : Data Breach SAL5592855100325
Lessons Learned: Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical., OAuth tokens and API keys must be protected with **2FA and strict access controls** to prevent abuse., Social engineering (vishing/phishing) remains a highly effective attack vector; **employee training and verification protocols** are essential., Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for **zero-trust architecture and segmentation**., Proactive threat hunting and **dark web monitoring** can help detect stolen data early., Incident response plans must include **third-party breach scenarios** with clear escalation paths.
Incident : Extortion SAL4932949100625
Lessons Learned: Financially motivated cyber groups can reemerge despite arrests or disbandment claims. Social engineering (e.g., vishing) remains a critical attack vector, bypassing technical safeguards by exploiting human trust. Organizations must enforce stricter access controls, including MFA, IP restrictions, and app permissions.
Incident : Data Breach SAL0693606100625
Lessons Learned: Social engineering and third-party app vulnerabilities can bypass platform-level security. Proactive monitoring of OAuth app installations and third-party integrations is critical. User education on phishing/vishing attacks is essential to mitigate human-error risks.
Incident : Data Breach SAL0562205100825
Lessons Learned: Vishing Remains Effective for OAuth Abuse (Salesforce), Third-Party Vendors Are Critical Attack Vectors (Discord, Salesloft), GitLab Server Hardening Needed (Red Hat), Zero-Day Patching Urgency (Oracle CVE-2025-61882), Extortion Groups Evolve Tactics (Victim-Shaming Blogs, Malware Threats), Cross-Group Collaboration (Scattered Spider + Lapsus$ + ShinyHunters)
Incident : Data Breach SAL3132231100825
Lessons Learned: Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical., OAuth token management requires stricter controls (e.g., rotation, least-privilege access)., GitHub account security is a high-value target for attackers; MFA and access logging are essential., Public refusal to pay ransom can deter attackers but may escalate data leak risks.
Incident : Law Enforcement Takedown SAL4232242101025
Lessons Learned: Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation., Data backups can be compromised if stored within seized infrastructure., High-profile data leak threats can accelerate law enforcement action., The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.
Incident : Forum Takedown SAL4432144101325
Lessons Learned: Repeated takedowns erode trust in cybercriminal forums, making them less sustainable., Cybercriminals adapt by shifting to encrypted platforms (e.g., Telegram) for resilience., Coordinated international law enforcement actions can disrupt high-profile cybercrime hubs., The 'era of forums' may be ending, but extortion and data monetization tactics persist.
Incident : Social Engineering SAL4493244102125
Lessons Learned: Social engineering attacks bypass technical vulnerabilities by exploiting human trust., Voice phishing (vishing) is highly effective when attackers impersonate trusted entities (e.g., IT support, vendors)., Employees with elevated SaaS access are prime targets for credential theft., Verification protocols for third-party requests must be rigorously enforced., AI tools (e.g., ChatGPT) can enhance the sophistication of phishing content, increasing attack success rates.
Incident : Vulnerability Exploitation TIN0344703102825
Lessons Learned: Trust in authoritative sources (e.g., Wikipedia) can be weaponized in social engineering attacks., Third-party platform integrations (e.g., Slack's link preview) can introduce unintended attack vectors., Attackers exploit human behavior (e.g., missing spaces in text) to bypass technical controls., Proactive monitoring of public platforms (e.g., Wikipedia edits) is critical for early threat detection.
Incident : Cybercriminal Alliance Formation SAL5402554110625
Lessons Learned: Cybercriminal consolidation enhances operational resilience and technical sophistication., Telegram’s role as both a coordination and performative marketing tool amplifies psychological impact., Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors., Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks., Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.
Incident : Data Breach SAL5090350110725
Lessons Learned: Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.
What recommendations were made to prevent future incidents ?
Incident : Data Breach SAL729082725
Recommendations: Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.Hardening access controls by restricting Connected App scopes in Salesforce., Conducting audits to identify and secure exposed secrets within Salesforce data., Rotating compromised credentials and enforcing least-privilege access for NHIs., Implementing IP restrictions to limit access to trusted locations., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Creating an inventory of non-human identities (NHIs) to improve visibility and security.
Incident : Social Engineering SAL815090225
Recommendations: Implement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion ScenariosImplement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Prepare Incident Response Playbooks for CRM-Specific Extortion Scenarios
Incident : Data Breach SAL5732257091825
Recommendations: Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.Enforce MFA for all user and service accounts, especially those with access to sensitive data., Audit and monitor OAuth applications and connected apps for suspicious activity., Implement the principle of least privilege to limit access to CRM data and APIs., Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Monitor for unusual data access patterns, especially in Salesforce environments., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Develop and test incident response plans for extortion and data breach scenarios.
Incident : Data Breach SAL5403154092725
Recommendations: Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.Implement strict character limits and input sanitization for all AI prompt fields., Enforce allow-lists for all external URLs called by AI agents., Monitor domain registrations for expired trusted domains., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Integrate AI-specific security controls into traditional SOC workflows., Educate developers on secure AI prompt design patterns.
Incident : Data Breach SAL5592855100325
Recommendations: **For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.**For Salesforce/Salesloft Customers:**, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., **For All Organizations:**, - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., - **Monitor dark web forums** for leaked credentials or mentions of your organization., - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.
Incident : Extortion SAL4932949100625
Recommendations: Limit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applicationsLimit rights for Data Loader use, Enforce strict control of connected apps in Salesforce, Implement IP-based access restrictions, Mandate multi-factor authentication (MFA), Educate employees on social engineering tactics (e.g., vishing), Monitor for unauthorized API access or data exports, Restrict permissions for third-party applications
Incident : Data Breach SAL0693606100625
Recommendations: Enhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication ProtocolsEnhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication ProtocolsEnhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication ProtocolsEnhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication ProtocolsEnhance OAuth App Vetting Processes, Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Conduct Regular Security Audits of Partner Apps, Improve User Training on Social Engineering Tactics, Establish Clearer Incident Communication Protocols
Incident : Data Breach SAL0962109100825
Recommendations: Enhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providersEnhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providersEnhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providersEnhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providersEnhance OAuth application security and monitoring, Implement stricter access controls for third-party integrations, Conduct regular security awareness training for social engineering risks, Monitor for unauthorized data exfiltration in CRM environments, Review supply chain security for third-party SaaS providers
Incident : Data Breach SAL0562205100825
Recommendations: Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)Implement MFA for OAuth Integrations (Salesforce), Audit Third-Party Vendor Security (Discord, Salesloft), Isolate GitLab/Sensitive Repos (Red Hat), Monitor Dark Web for Stolen Data (All Victims), Enhance Employee Training on Vishing (Salesforce Customers), Apply Zero-Day Patches Immediately (Oracle), Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases)
Incident : Data Breach SAL3132231100825
Recommendations: Conduct third-party security audits for all integrated apps, especially those with OAuth access., Implement automated token rotation and anomaly detection for cloud environments., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Develop a unified incident response plan for supply chain attacks involving multiple vendors., Proactively communicate with customers about breach scope and mitigation steps to maintain trust.Conduct third-party security audits for all integrated apps, especially those with OAuth access., Implement automated token rotation and anomaly detection for cloud environments., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Develop a unified incident response plan for supply chain attacks involving multiple vendors., Proactively communicate with customers about breach scope and mitigation steps to maintain trust.Conduct third-party security audits for all integrated apps, especially those with OAuth access., Implement automated token rotation and anomaly detection for cloud environments., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Develop a unified incident response plan for supply chain attacks involving multiple vendors., Proactively communicate with customers about breach scope and mitigation steps to maintain trust.Conduct third-party security audits for all integrated apps, especially those with OAuth access., Implement automated token rotation and anomaly detection for cloud environments., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Develop a unified incident response plan for supply chain attacks involving multiple vendors., Proactively communicate with customers about breach scope and mitigation steps to maintain trust.Conduct third-party security audits for all integrated apps, especially those with OAuth access., Implement automated token rotation and anomaly detection for cloud environments., Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Develop a unified incident response plan for supply chain attacks involving multiple vendors., Proactively communicate with customers about breach scope and mitigation steps to maintain trust.
Incident : Law Enforcement Takedown SAL4232242101025
Recommendations: Companies should proactively monitor dark web leak sites for exposed data., Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'Companies should proactively monitor dark web leak sites for exposed data., Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'Companies should proactively monitor dark web leak sites for exposed data., Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'Companies should proactively monitor dark web leak sites for exposed data., Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'
Incident : Forum Takedown SAL4432144101325
Recommendations: Monitor dark web/Telegram channels for leaked data or extortion attempts., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Educate employees on phishing and credential theft risks to mitigate initial access brokers.Monitor dark web/Telegram channels for leaked data or extortion attempts., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Educate employees on phishing and credential theft risks to mitigate initial access brokers.Monitor dark web/Telegram channels for leaked data or extortion attempts., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Educate employees on phishing and credential theft risks to mitigate initial access brokers.Monitor dark web/Telegram channels for leaked data or extortion attempts., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Educate employees on phishing and credential theft risks to mitigate initial access brokers.
Incident : Social Engineering SAL4493244102125
Recommendations: Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Train employees to recognize and report unsolicited access requests, especially via phone or email., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes).
Incident : Vulnerability Exploitation TIN0344703102825
Recommendations: Slack should update its link-rendering logic to validate domains before generating previews., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Organizations should educate users on verifying links in previews, even from trusted sources., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Use URL reputation services to block known malicious domains in real-time.Slack should update its link-rendering logic to validate domains before generating previews., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Organizations should educate users on verifying links in previews, even from trusted sources., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Use URL reputation services to block known malicious domains in real-time.Slack should update its link-rendering logic to validate domains before generating previews., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Organizations should educate users on verifying links in previews, even from trusted sources., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Use URL reputation services to block known malicious domains in real-time.Slack should update its link-rendering logic to validate domains before generating previews., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Organizations should educate users on verifying links in previews, even from trusted sources., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Use URL reputation services to block known malicious domains in real-time.Slack should update its link-rendering logic to validate domains before generating previews., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Organizations should educate users on verifying links in previews, even from trusted sources., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Use URL reputation services to block known malicious domains in real-time.
Incident : Cybercriminal Alliance Formation SAL5402554110625
Recommendations: Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions., Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.
Incident : Data Breach SAL5090350110725
Recommendations: Enhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customersEnhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customersEnhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customersEnhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customersEnhance third-party vendor security assessments, Implement multi-factor authentication (MFA) for OAuth token access, Conduct regular social engineering awareness training, Monitor dark web for stolen credentials/tokens, Improve incident communication to affected customers
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Non-human identities (NHIs) are persistent, high-privilege targets for attackers.,OAuth token abuse can bypass MFA, highlighting the need for stricter access controls.,Organizations often lack visibility into NHIs, increasing risk of exploitation.,Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.OAuth 2.0 Connected Apps Require Stricter Permission Scoping and Monitoring,API Security Must Extend Beyond Authentication to Include Behavioral Analysis,VoIP/Tor-Based Vishing Attacks Bypass Traditional Phishing Defenses,Segmented C2 Infrastructure (Tor + VPN) Complicates Attribution and TakedownOAuth tokens and connected applications are high-value targets for attackers.,Social engineering and malicious OAuth apps can bypass traditional security controls.,Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks.,Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations.,Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.The incident highlights the need for: (1) Proactive AI security governance, (2) Strict input validation for AI prompts, (3) Domain lifecycle management to prevent expired domain exploitation, (4) Human oversight for AI-agent interactions, and (5) Defense-in-depth for AI-integrated business tools against prompt injection attacks.Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical.,OAuth tokens and API keys must be protected with **2FA and strict access controls** to prevent abuse.,Social engineering (vishing/phishing) remains a highly effective attack vector; **employee training and verification protocols** are essential.,Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for **zero-trust architecture and segmentation**.,Proactive threat hunting and **dark web monitoring** can help detect stolen data early.,Incident response plans must include **third-party breach scenarios** with clear escalation paths.Financially motivated cyber groups can reemerge despite arrests or disbandment claims. Social engineering (e.g., vishing) remains a critical attack vector, bypassing technical safeguards by exploiting human trust. Organizations must enforce stricter access controls, including MFA, IP restrictions, and app permissions.Social engineering and third-party app vulnerabilities can bypass platform-level security. Proactive monitoring of OAuth app installations and third-party integrations is critical. User education on phishing/vishing attacks is essential to mitigate human-error risks.Vishing Remains Effective for OAuth Abuse (Salesforce),Third-Party Vendors Are Critical Attack Vectors (Discord, Salesloft),GitLab Server Hardening Needed (Red Hat),Zero-Day Patching Urgency (Oracle CVE-2025-61882),Extortion Groups Evolve Tactics (Victim-Shaming Blogs, Malware Threats),Cross-Group Collaboration (Scattered Spider + Lapsus$ + ShinyHunters)Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical.,OAuth token management requires stricter controls (e.g., rotation, least-privilege access).,GitHub account security is a high-value target for attackers; MFA and access logging are essential.,Public refusal to pay ransom can deter attackers but may escalate data leak risks.Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation.,Data backups can be compromised if stored within seized infrastructure.,High-profile data leak threats can accelerate law enforcement action.,The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.Repeated takedowns erode trust in cybercriminal forums, making them less sustainable.,Cybercriminals adapt by shifting to encrypted platforms (e.g., Telegram) for resilience.,Coordinated international law enforcement actions can disrupt high-profile cybercrime hubs.,The 'era of forums' may be ending, but extortion and data monetization tactics persist.Social engineering attacks bypass technical vulnerabilities by exploiting human trust.,Voice phishing (vishing) is highly effective when attackers impersonate trusted entities (e.g., IT support, vendors).,Employees with elevated SaaS access are prime targets for credential theft.,Verification protocols for third-party requests must be rigorously enforced.,AI tools (e.g., ChatGPT) can enhance the sophistication of phishing content, increasing attack success rates.Trust in authoritative sources (e.g., Wikipedia) can be weaponized in social engineering attacks.,Third-party platform integrations (e.g., Slack's link preview) can introduce unintended attack vectors.,Attackers exploit human behavior (e.g., missing spaces in text) to bypass technical controls.,Proactive monitoring of public platforms (e.g., Wikipedia edits) is critical for early threat detection.Cybercriminal consolidation enhances operational resilience and technical sophistication.,Telegram’s role as both a coordination and performative marketing tool amplifies psychological impact.,Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors.,Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks.,Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.
References
Where can I find more information about each incident ?
Incident : Vishing SAL633060625
Source: Google Threat Intelligence Group (GTIG)
Incident : Data Breach SAL729082725
Source: Google Threat Intelligence Group (GTIG) and Mandiant Advisory
Date Accessed: 2025-08-20
Incident : Data Breach SAL729082725
Source: Hackread.com (Jonathan Sander interview)
URL: https://hackread.com
Date Accessed: 2025-08-20
Incident : Social Engineering SAL815090225
Source: Article on UNC6040 Vishing Campaigns
Incident : Data Breach SAL5732257091825
Source: Google Mandiant Threat Intelligence Report on UNC6040/UNC6395
Incident : Data Breach SAL5732257091825
Source: FBI Advisory on ShinyHunters/Scattered Spider Campaigns
Incident : Data Breach SAL5732257091825
Source: Salesforce Customer Advisory on Mitigation Measures
Incident : Data Breach SAL5732257091825
Source: ShinyHunters Telegram/Leak Site (Evidence of Breach)
Incident : Data Breach SAL5732257091825
Source: Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity)
Incident : Data Breach SAL5403154092725
Source: The Register
URL: https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/
Date Accessed: 2023-09-08
Incident : Data Breach SAL5592855100325
Source: Information Security Media Group (ISMG)
URL: https://www.ismg.com
Date Accessed: 2023-09-15
Incident : Data Breach SAL5592855100325
Source: FBI Cyber Division Advisory (UNC6040)
URL: https://www.fbi.gov
Date Accessed: 2023-09-12
Incident : Data Breach SAL5592855100325
Source: Google Mandiant Defensive Framework
Date Accessed: 2023-09-12
Incident : Data Breach SAL5592855100325
Source: Resecurity Report on 'The Com' Cybercrime Collective
URL: https://www.resecurity.com
Date Accessed: 2023-09-10
Incident : Extortion SAL2102121100425
Source: The Register
URL: https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/
Date Accessed: 2024-09-27
Incident : Extortion SAL2102121100425
Source: Google Threat Intelligence Group
Date Accessed: 2024-08-08
Incident : Extortion SAL4932949100625
Source: The Register
Incident : Extortion SAL4932949100625
Source: Google Threat Intelligence Group (GTIG)
Incident : Data Breach SAL0693606100625
Source: Google Threat Intelligence Report (June 2025)
Incident : Data Breach SAL0693606100625
Source: Google Threat Intelligence Report (August 2025)
Incident : Data Breach SAL0693606100625
Source: Salesforce Security Alert (2025)
Incident : Data Breach SAL0693606100625
Source: LinkedIn/Reddit Observations (2025)
Incident : Data Breach SAL0962109100825
Source: BleepingComputer
URL: https://www.bleepingcomputer.com
Date Accessed: 2025-09-17T00:00:00Z
Incident : Data Breach SAL0962109100825
Source: Bloomberg
URL: https://www.bloomberg.com
Date Accessed: 2025-09-17T00:00:00Z
Incident : Data Breach SAL0562205100825
Source: KrebsOnSecurity
URL: https://krebsonsecurity.com
Date Accessed: 2025-10
Incident : Data Breach SAL0562205100825
Source: Google Threat Intelligence Group (GTIG)
URL: https://blog.google/threat-analysis-group/
Date Accessed: 2025-06
Incident : Data Breach SAL0562205100825
Source: Mandiant (Charles Carmichael LinkedIn)
URL: https://www.linkedin.com/in/charles-carmichael-mandiant
Date Accessed: 2025-10-05
Incident : Data Breach SAL0562205100825
Source: Red Hat Security Advisory
URL: https://access.redhat.com/security
Date Accessed: 2025-10-02
Incident : Data Breach SAL0562205100825
Source: US Department of Justice (Noah Urban Sentencing)
Date Accessed: 2025-08
Incident : Data Breach SAL0562205100825
Source: UK National Crime Agency (Scattered Spider Charges)
URL: https://www.nationalcrimeagency.gov.uk/news
Date Accessed: 2025-09
Incident : Data Breach SAL3132231100825
Source: Bloomberg
Incident : Data Breach SAL3132231100825
Source: Google Threat Intelligence Group
Date Accessed: August 2024
Incident : Law Enforcement Takedown SAL4232242101025
Source: BleepingComputer
URL: https://www.bleepingcomputer.com
Date Accessed: 2025-10-09
Incident : data breach SAL5602056101125
Source: BreachForums extortion site
Incident : Forum Takedown SAL4432144101325
Source: FBI Press Release (hypothetical)
Incident : Social Engineering SAL4493244102125
Source: Mandiant (Google) Blog Post
URL: https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instances
Date Accessed: 2025-10-21
Incident : Social Engineering SAL4493244102125
Source: CyberheistNews Vol 15 #42
Date Accessed: 2025-10-21
Incident : Social Engineering SAL4493244102125
Source: OpenAI Report on AI-Assisted Phishing
URL: https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/
Date Accessed: 2025-10-21
Incident : Vulnerability Exploitation TIN0344703102825
Source: TechRadar Pro
Incident : Vulnerability Exploitation TIN0344703102825
Source: eSentire Research
Incident : Cybercriminal Alliance Formation SAL5402554110625
Source: GBHackers (GBH)
Incident : Cybercriminal Alliance Formation SAL5402554110625
Source: SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0')
Incident : Cybercriminal Alliance Formation SAL5402554110625
Source: GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa)
Incident : Data Breach SAL5090350110725
Source: The Register
Incident : Data Breach SAL5090350110725
Source: Staci Johnson v. Salesforce (Class Action Complaint)
Incident : Data Breach SAL5090350110725
Source: Google Threat Intelligence Group Analysis
Incident : Data Breach SAL5090350110725
Source: Salesforce Trust Page
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Google Threat Intelligence Group (GTIG), and Source: Google Threat Intelligence Group (GTIG) and Mandiant AdvisoryDate Accessed: 2025-08-20, and Source: Astrix Security Blog PostDate Accessed: 2025-08-20, and Source: Hackread.com (Jonathan Sander interview)Url: https://hackread.comDate Accessed: 2025-08-20, and Source: Article on UNC6040 Vishing Campaigns, and Source: Google Mandiant Threat Intelligence Report on UNC6040/UNC6395, and Source: FBI Advisory on ShinyHunters/Scattered Spider Campaigns, and Source: Salesforce Customer Advisory on Mitigation Measures, and Source: ShinyHunters Telegram/Leak Site (Evidence of Breach), and Source: Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity), and Source: The RegisterUrl: https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/Date Accessed: 2023-09-08, and Source: Noma Security BlogDate Accessed: 2023-09-07, and Source: Information Security Media Group (ISMG)Url: https://www.ismg.comDate Accessed: 2023-09-15, and Source: BleepingComputerUrl: https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/Date Accessed: 2023-09-15, and Source: FBI Cyber Division Advisory (UNC6040)Url: https://www.fbi.govDate Accessed: 2023-09-12, and Source: Google Mandiant Defensive FrameworkUrl: https://www.mandiant.comDate Accessed: 2023-09-12, and Source: Resecurity Report on 'The Com' Cybercrime CollectiveUrl: https://www.resecurity.comDate Accessed: 2023-09-10, and Source: The RegisterUrl: https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/Date Accessed: 2024-09-27, and Source: Salesforce Security AdvisoryDate Accessed: 2024-09-26, and Source: Google Threat Intelligence GroupDate Accessed: 2024-08-08, and Source: Cloudflare (OAuth Abuse Report)Date Accessed: 2024-08, and Source: The Register, and Source: Google Threat Intelligence Group (GTIG), and Source: Google Threat Intelligence Report (June 2025), and Source: Google Threat Intelligence Report (August 2025), and Source: Salesforce Security Alert (2025), and Source: LinkedIn/Reddit Observations (2025), and Source: BleepingComputerUrl: https://www.bleepingcomputer.comDate Accessed: 2025-09-17T00:00:00Z, and Source: BloombergUrl: https://www.bloomberg.comDate Accessed: 2025-09-17T00:00:00Z, and Source: KrebsOnSecurityUrl: https://krebsonsecurity.comDate Accessed: 2025-10, and Source: Google Threat Intelligence Group (GTIG)Url: https://blog.google/threat-analysis-group/Date Accessed: 2025-06, and Source: BleepingComputerUrl: https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/Date Accessed: 2025-10, and Source: Mandiant (Charles Carmichael LinkedIn)Url: https://www.linkedin.com/in/charles-carmichael-mandiantDate Accessed: 2025-10-05, and Source: Red Hat Security AdvisoryUrl: https://access.redhat.com/securityDate Accessed: 2025-10-02, and Source: US Department of Justice (Noah Urban Sentencing)Url: https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-groupDate Accessed: 2025-08, and Source: UK National Crime Agency (Scattered Spider Charges)Url: https://www.nationalcrimeagency.gov.uk/newsDate Accessed: 2025-09, and Source: Bloomberg, and Source: Google Threat Intelligence GroupDate Accessed: August 2024, and Source: Mandiant (Google-owned)Date Accessed: 2024-06-01, and Source: Salesforce Public StatementDate Accessed: 2024-07-10, and Source: BleepingComputerUrl: https://www.bleepingcomputer.comDate Accessed: 2025-10-09, and Source: BreachForums extortion site, and Source: ITProUrl: https://www.itpro.com/, and Source: FBI Press Release (hypothetical), and Source: Mandiant (Google) Blog PostUrl: https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instancesDate Accessed: 2025-10-21, and Source: CyberheistNews Vol 15 #42Url: https://blog.knowbe4.com/cyberheistnews-vol-15-42-heads-up-fake-support-calls-used-to-breach-your-salesforce-accountsDate Accessed: 2025-10-21, and Source: OpenAI Report on AI-Assisted PhishingUrl: https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/Date Accessed: 2025-10-21, and Source: TechRadar Pro, and Source: eSentire Research, and Source: GBHackers (GBH), and Source: SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0'), and Source: GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa), and Source: The Register, and Source: Staci Johnson v. Salesforce (Class Action Complaint), and Source: Google Threat Intelligence Group Analysis, and Source: Salesforce Trust PageUrl: https://trust.salesforce.com.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach SAL729082725
Investigation Status: Ongoing (as of August 20, 2025)
Incident : Social Engineering SAL815090225
Investigation Status: Ongoing (Threat Actor Infrastructure Still Active)
Incident : Data Breach SAL5732257091825
Investigation Status: Ongoing (FBI and Private Sector Investigations)
Incident : Data Breach SAL5403154092725
Investigation Status: Resolved (Vulnerability patched; no evidence of malicious exploitation)
Incident : Data Breach SAL5592855100325
Investigation Status: Ongoing (FBI, Mandiant, Salesforce, and Affected Companies)
Incident : Extortion SAL2102121100425
Investigation Status: Ongoing (Salesforce, Mandiant, law enforcement)
Incident : Extortion SAL4932949100625
Investigation Status: Ongoing (Salesforce working with external specialists and authorities)
Incident : Data Breach SAL0693606100625
Investigation Status: Ongoing (as of October 2025)
Incident : Data Breach SAL0962109100825
Investigation Status: Ongoing (domain seizure suggests active law enforcement involvement)
Incident : Data Breach SAL0562205100825
Investigation Status: Ongoing (Law Enforcement, Forensic Analysis by Victim Companies)
Incident : Data Breach SAL3132231100825
Investigation Status: Ongoing (SalesLoft has not publicly responded; Salesforce supporting customers)
Incident : Data Breach SAL5002150100925
Investigation Status: Ongoing (Mandiant tracking as UNC6040)
Incident : Law Enforcement Takedown SAL4232242101025
Investigation Status: Ongoing (FBI and French authorities)
Incident : data breach SAL5602056101125
Investigation Status: ongoing (allegations not confirmed by Salesforce or affected companies as of report)
Incident : Forum Takedown SAL4432144101325
Investigation Status: Ongoing (FBI-led, with potential follow-up actions)
Incident : Social Engineering SAL4493244102125
Investigation Status: Ongoing (Mandiant Active Guidance)
Incident : Vulnerability Exploitation TIN0344703102825
Investigation Status: Disclosed by eSentire; no public updates on patching or mitigation
Incident : Cybercriminal Alliance Formation SAL5402554110625
Investigation Status: Ongoing (as of 2025-2026)
Incident : Data Breach SAL5090350110725
Investigation Status: Ongoing (lawsuits pending; Salesforce denies platform compromise)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Advisories Issued By Gtig/Mandiant, Notifications To Affected Organizations, Public Blog Post By Astrix Security, Salesforce Customer Advisories, Fbi Public Advisory On Unc6040/6395, Public Statement To The Register, Blog Post By Noma Security, Public Disclosure Via Media (Ismg, Bleepingcomputer), Customer Advisories (Pending), Regulatory Notifications, Public Security Advisory, Media Statements, Public Denial Of Platform Hack, Advisories To Customers, Public Security Alert Issued, Denial Of Direct Platform Compromise, Public statements and customer emails, Salesforce: Customer Advisories (No Negotiation Policy), Red Hat: Public Disclosure (October 2, 2025), Discord: Direct Emails To Affected Users, Oracle: Security Advisory For Cve-2025-61882, Internal Memo (Bloomberg-Leaked), Public Statement On Non-Payment Of Ransom, Customer Advisories, Public refusal of ransom demand (email statement), Public Announcement Via Bleepingcomputer, Pgp-Signed Message From Shinyhunters On Telegram, Public Announcement By Fbi, Media Coverage (E.G., Itpro), Mandiant Blog Post, Knowbe4 Advisory, Public Notices, Media Statements and Trust Page Updates.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach SAL729082725
Stakeholder Advisories: Gtig/Mandiant Advisory, Salesforce/Salesloft Notifications To Affected Organizations.
Customer Advisories: Recommendations for credential rotation and access control hardening
Incident : Social Engineering SAL815090225
Customer Advisories: Warn Users About Unsolicited IT Support Calls Requesting OAuth Approvals
Incident : Data Breach SAL5732257091825
Stakeholder Advisories: Salesforce Urgent Security Advisory, Fbi Private Industry Notification (Pin).
Customer Advisories: Salesforce Recommendations for Customers to Secure Environments
Incident : Data Breach SAL5403154092725
Stakeholder Advisories: Salesforce notified customers via public statement and enforced security controls.
Customer Advisories: Customers advised to review AI agent configurations and trusted URL settings.
Incident : Data Breach SAL5592855100325
Stakeholder Advisories: Salesforce Security Bulletin (Pending), Vendor Notifications To Affected Customers, Regulatory Disclosures (E.G., Sec Filings For Public Companies).
Customer Advisories: Recommended: Password Resets for Affected AccountsCredit Monitoring for Exposed PIIPhishing Awareness Alerts
Incident : Extortion SAL2102121100425
Stakeholder Advisories: Salesforce security advisory (2024-09-26)
Customer Advisories: Notifications sent to affected organizations (via Salesforce and Google)
Incident : Extortion SAL4932949100625
Stakeholder Advisories: Salesforce Denies Platform Hack; Claims Are Based On Previous/Unconfirmed Incidents, Google Confirmed A Resolved Breach In June Affecting Basic Smb Data.
Customer Advisories: Salesforce is supporting potentially affected customersOrganizations urged to tighten Salesforce security settings
Incident : Data Breach SAL0693606100625
Stakeholder Advisories: Salesforce issued alerts to customers and disabled vulnerable integrations.
Customer Advisories: Customers advised to review OAuth app permissions and monitor for suspicious activity.
Incident : Data Breach SAL0962109100825
Stakeholder Advisories: Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom.
Customer Advisories: Customers advised of potential data leaks and encouraged to monitor for unauthorized access.
Incident : Data Breach SAL0562205100825
Stakeholder Advisories: Salesforce: 'Will Not Negotiate Or Pay Extortion' (October 2025), Red Hat: 'Notify Affected Customers' (October 2, 2025), Discord: 'Limited User Impact, Password Resets Advised' (September 2025).
Customer Advisories: Salesforce: Monitor for Phishing, Enable MFADiscord: Reset Passwords, Watch for Identity TheftRed Hat: Audit GitLab Access, Rotate Compromised Tokens
Incident : Data Breach SAL3132231100825
Stakeholder Advisories: Salesforce Internal Memo (Leaked To Bloomberg), Customer Notifications For Token Renewal.
Customer Advisories: Token renewal instructionsSupport channels for affected organizations
Incident : Law Enforcement Takedown SAL4232242101025
Customer Advisories: Companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure.
Incident : Forum Takedown SAL4432144101325
Stakeholder Advisories: Fbi Warnings To Potential Victims, Cybersecurity Community Alerts.
Customer Advisories: Companies targeted (e.g., Salesforce, Google) likely issued internal advisories
Incident : Social Engineering SAL4493244102125
Stakeholder Advisories: Verify All Third-Party Support Calls Via Trusted Channels., Report Suspicious Calls To It/Security Teams Immediately., Avoid Clicking Links Or Sharing Credentials In Unsolicited Communications..
Customer Advisories: Customers of affected organizations should monitor for unauthorized access to their data.Reset passwords if potentially exposed to phishing attempts.
Incident : Data Breach SAL5090350110725
Stakeholder Advisories: Salesforce advised customers to review security practices via its Trust page.
Customer Advisories: Customers (e.g., TransUnion, Farmers Insurance) notified their affected users separately.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Gtig/Mandiant Advisory, Salesforce/Salesloft Notifications To Affected Organizations, Recommendations For Credential Rotation And Access Control Hardening, , Warn Users About Unsolicited It Support Calls Requesting Oauth Approvals, , Salesforce Urgent Security Advisory, Fbi Private Industry Notification (Pin), Salesforce Recommendations For Customers To Secure Environments, , Salesforce notified customers via public statement and enforced security controls., Customers advised to review AI agent configurations and trusted URL settings., Salesforce Security Bulletin (Pending), Vendor Notifications To Affected Customers, Regulatory Disclosures (E.G., Sec Filings For Public Companies), Recommended: Password Resets For Affected Accounts, Credit Monitoring For Exposed Pii, Phishing Awareness Alerts, , Salesforce security advisory (2024-09-26), Notifications sent to affected organizations (via Salesforce and Google), Salesforce Denies Platform Hack; Claims Are Based On Previous/Unconfirmed Incidents, Google Confirmed A Resolved Breach In June Affecting Basic Smb Data, Salesforce Is Supporting Potentially Affected Customers, Organizations Urged To Tighten Salesforce Security Settings, , Salesforce issued alerts to customers and disabled vulnerable integrations., Customers advised to review OAuth app permissions and monitor for suspicious activity., Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom., Customers advised of potential data leaks and encouraged to monitor for unauthorized access., Salesforce: 'Will Not Negotiate Or Pay Extortion' (October 2025), Red Hat: 'Notify Affected Customers' (October 2, 2025), Discord: 'Limited User Impact, Password Resets Advised' (September 2025), Salesforce: Monitor For Phishing, Enable Mfa, Discord: Reset Passwords, Watch For Identity Theft, Red Hat: Audit Gitlab Access, Rotate Compromised Tokens, , Salesforce Internal Memo (Leaked To Bloomberg), Customer Notifications For Token Renewal, Token Renewal Instructions, Support Channels For Affected Organizations, , Companies Affected By The Salesforce Campaign (E.G., Fedex, Disney, Google) May Need To Notify Customers Of Potential Data Exposure., , Fbi Warnings To Potential Victims, Cybersecurity Community Alerts, Companies Targeted (E.G., Salesforce, Google) Likely Issued Internal Advisories, , Verify All Third-Party Support Calls Via Trusted Channels., Report Suspicious Calls To It/Security Teams Immediately., Avoid Clicking Links Or Sharing Credentials In Unsolicited Communications., Customers Of Affected Organizations Should Monitor For Unauthorized Access To Their Data., Reset Passwords If Potentially Exposed To Phishing Attempts., , Salesforce advised customers to review security practices via its Trust page., Customers (e.g., TransUnion and Farmers Insurance) notified their affected users separately..
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Data Breach SLA1946123
Entry Point: Stolen Employee Tokens
Incident : Vishing SAL633060625
Entry Point: Telephone-based social engineering
Incident : Data Breach SAL729082725
Entry Point: Compromised OAuth tokens from Salesloft Drift application
Reconnaissance Period: Likely conducted prior to August 8, 2025 (exact duration undisclosed)
High Value Targets: Aws Access Keys, Snowflake Tokens, Customer/Opportunity Data,
Data Sold on Dark Web: Aws Access Keys, Snowflake Tokens, Customer/Opportunity Data,
Incident : Social Engineering SAL815090225
Entry Point: Vishing Calls Spoofing It Support, Sip Spoofing Via Voip/Tor,
Reconnaissance Period: ['Likely Extended (Targeted CRM Platform Mapping)']
Backdoors Established: ['Persistent API Access via Malicious Connected Apps']
High Value Targets: Salesforce Crm Data, Customer Relationship Records,
Data Sold on Dark Web: Salesforce Crm Data, Customer Relationship Records,
Incident : Data Breach SAL5732257091825
Entry Point: Compromised Salesloft Github Repository (Secrets Exposure), Malicious Oauth Applications (Drift/Salesforce Integration),
Reconnaissance Period: ['At Least 1 Year (Ongoing Campaigns)']
High Value Targets: Salesforce Crm Data, Aws/Snowflake Credentials In Case Records, Source Code Repositories,
Data Sold on Dark Web: Salesforce Crm Data, Aws/Snowflake Credentials In Case Records, Source Code Repositories,
Incident : Data Breach SAL5403154092725
Entry Point: Web-to-Lead Form (Description Field)
High Value Targets: Crm Lead Data, Customer Email Addresses,
Data Sold on Dark Web: Crm Lead Data, Customer Email Addresses,
Incident : Data Breach SAL5592855100325
Entry Point: Salesloft GitHub Repository (Stolen OAuth Tokens)
Reconnaissance Period: 2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence)
Backdoors Established: ['Persistent Access via Compromised OAuth Tokens', 'Lateral Movement to Google Workspace/Microsoft 365']
High Value Targets: Salesforce Crm Data, Customer Pii, Corporate Support Case Records,
Data Sold on Dark Web: Salesforce Crm Data, Customer Pii, Corporate Support Case Records,
Incident : Extortion SAL2102121100425
Entry Point: OAuth tokens via Salesloft's Drift integration
High Value Targets: Salesforce Customer Data, Crm Environments,
Data Sold on Dark Web: Salesforce Customer Data, Crm Environments,
Incident : Extortion SAL4932949100625
Entry Point: Telephone social engineering (vishing) to trick users into authorizing malicious Salesforce apps
High Value Targets: Salesforce Crm Data, Customer Records,
Data Sold on Dark Web: Salesforce Crm Data, Customer Records,
Incident : Data Breach SAL0693606100625
Entry Point: Voice Phishing (Vishing) Calls, Malicious Oauth Apps, Exploited Third-Party Integrations (E.G., Salesloft Drift),
Reconnaissance Period: Several months (attacks reported since June 2025)
High Value Targets: Salesforce User Credentials, Corporate Data From 39 Targeted Companies,
Data Sold on Dark Web: Salesforce User Credentials, Corporate Data From 39 Targeted Companies,
Incident : Data Breach SAL0962109100825
Entry Point: Malicious Oauth Applications, Stolen Salesloft Drift Oauth Tokens,
Reconnaissance Period: Late 2024 (first campaign), Early August 2025 (second campaign)
High Value Targets: Crm Databases, Support Tickets, Credentials/Tokens,
Data Sold on Dark Web: Crm Databases, Support Tickets, Credentials/Tokens,
Incident : Data Breach SAL0562205100825
Entry Point: Voice Phishing Calls (Salesforce), Compromised Third-Party Vendor (Discord), Exploited Gitlab Misconfiguration (Red Hat), Zero-Day Exploit (Oracle Cve-2025-61882), Malicious Oauth App (Salesforce),
Reconnaissance Period: Months (Salesforce Campaign Planned Since Early 2025)
Backdoors Established: ['ASYNCRAT Trojan (Targeted Security Researchers)', 'Persistent GitLab Access (Red Hat)']
High Value Targets: Fortune 500 Salesforce Data, Red Hat Customer Engagement Reports (Cers), Oracle E-Business Suite Servers, Discord Government Id Images,
Data Sold on Dark Web: Fortune 500 Salesforce Data, Red Hat Customer Engagement Reports (Cers), Oracle E-Business Suite Servers, Discord Government Id Images,
Incident : Data Breach SAL3132231100825
Entry Point: SalesLoft GitHub Account (Compromised March–June 2024)
Reconnaissance Period: Likely conducted prior to March 2024 (exact duration unknown)
Backdoors Established: ['Stolen OAuth Tokens (Persistent Access)']
High Value Targets: Salesforce Integrations, Drift App Aws Environment, Customer Crm Data,
Data Sold on Dark Web: Salesforce Integrations, Drift App Aws Environment, Customer Crm Data,
Incident : Data Breach SAL5002150100925
Entry Point: Voice Phishing (Vishing) Calls
Reconnaissance Period: Likely conducted prior to May 2024
Backdoors Established: Attacker-controlled app integrated into Salesforce portals
High Value Targets: Salesforce Customer Data,
Data Sold on Dark Web: Salesforce Customer Data,
Incident : Law Enforcement Takedown SAL4232242101025
High Value Targets: Salesforce Customer Data, Corporate Databases,
Data Sold on Dark Web: Salesforce Customer Data, Corporate Databases,
Incident : data breach SAL5602056101125
High Value Targets: Salesforce Customer Data (39 Large Corporations),
Data Sold on Dark Web: Salesforce Customer Data (39 Large Corporations),
Incident : Forum Takedown SAL4432144101325
Entry Point: Breachforums (For Data Trading), Compromised Saas/Enterprise Accounts (For Extortion),
High Value Targets: Saas Platforms (E.G., Salesforce), Enterprise Tenants (E.G., Google, Disney),
Data Sold on Dark Web: Saas Platforms (E.G., Salesforce), Enterprise Tenants (E.G., Google, Disney),
Incident : Social Engineering SAL4493244102125
Entry Point: Voice Phishing (Vishing) Calls, Malicious Links,
High Value Targets: Employees With Elevated Saas Access,
Data Sold on Dark Web: Employees With Elevated Saas Access,
Incident : Vulnerability Exploitation TIN0344703102825
Entry Point: Compromised Slack account or social engineering to join workspace
High Value Targets: Slack Users With Access To Sensitive Data, Organizations Relying On Wikipedia As A Trusted Source,
Data Sold on Dark Web: Slack Users With Access To Sensitive Data, Organizations Relying On Wikipedia As A Trusted Source,
Incident : Cybercriminal Alliance Formation SAL5402554110625
Entry Point: Ai-Automated Vishing, Spearphishing, Credential Harvesting,
High Value Targets: Salesforce, Saas Providers, Cloud Infrastructure, Database Systems,
Data Sold on Dark Web: Salesforce, Saas Providers, Cloud Infrastructure, Database Systems,
Incident : Data Breach SAL5090350110725
Entry Point: Salesloft Drift GitHub repository (compromised in March 2025)
High Value Targets: Aws Access Keys, Snowflake Tokens, Salesforce Oauth Tokens,
Data Sold on Dark Web: Aws Access Keys, Snowflake Tokens, Salesforce Oauth Tokens,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Cyber Attack SAL215719323
Root Causes: Inadvertent Permissions,
Corrective Actions: Blocked Access To Orgs With Inadvertent Permissions,
Incident : Data Breach SAL729082725
Root Causes: Overprivileged Non-Human Identities (Nhis) With Persistent Access., Lack Of Visibility/Management Of Oauth Tokens And Connected Apps., Insufficient Restrictions On Connected App Scopes In Salesforce.,
Corrective Actions: Revoke And Rotate Compromised Oauth Tokens., Enforce Ip Restrictions And User-Agent Monitoring., Audit And Secure Exposed Secrets In Salesforce Environments., Implement Inventory And Governance For Nhis.,
Incident : Social Engineering SAL815090225
Root Causes: Over-Permissive Oauth Scopes For Connected Apps, Lack Of Api-Specific Anomaly Detection (E.G., Bulk Soql Queries), Insufficient User Training On Vishing + Oauth Risks, Gaps In Conditional Access Policies For High-Risk Auth Flows,
Corrective Actions: Redesign Oauth App Permission Model (Least Privilege By Default), Deploy Dedicated Api Security Gateways With Behavioral Analysis, Mandate Mfa For All Oauth App Authorizations, Integrate Threat Intelligence Feeds For Tor/Vpn-Based Call Origins, Establish Cross-Functional Incident Response For Crm Compromises,
Incident : Data Breach SAL5732257091825
Root Causes: Weak Oauth Token Management In Drift/Salesloft Integrations, Lack Of Mfa For High-Risk Accounts/Applications, Excessive Privileges Granted To Connected Apps, Exposed Secrets In Public/Private Repositories (Github), Inadequate Monitoring For Anomalous Oauth App Activity,
Corrective Actions: Salesforce: Enforced Mfa And Least Privilege Guidelines For Customers, Drift/Salesloft: Revoked Compromised Oauth Tokens And Audited Integrations, Affected Companies: Initiated Credential Rotation And Access Reviews, Fbi: Shared Indicators Of Compromise (Iocs) For Detection,
Incident : Data Breach SAL5403154092725
Root Causes: Dns Misconfiguration Allowing Expired Domain (My-Salesforce-Cms.Com) To Be Purchased By Attackers., Lack Of Input Validation For Ai Prompt Fields (E.G., 42,000-Character Description Field)., Over-Trust In Ai Agent Interactions With External Data Sources., Insufficient Url Allow-Listing For Ai-Generated Outputs.,
Corrective Actions: Enforced Trusted Url Allow-Lists For Agentforce And Einstein Ai Agents., Re-Secured Expired Domain And Implemented Domain Monitoring., Released Patches To Block Data Exfiltration Via Untrusted Urls., Public Disclosure To Raise Awareness Of Ai Prompt Injection Risks.,
Incident : Data Breach SAL5592855100325
Root Causes: 1. **Weak Oauth Security**: Salesloft’S Github Repository Lacked Protection For Oauth Tokens, Enabling Initial Access., 2. **Third-Party Risk**: Salesloft Drift Integration Was Not Adequately Vetted For Security Vulnerabilities., 3. **Social Engineering Gaps**: Support Staff Were Tricked Into Granting Access Via Vishing/Phishing (Unc6040 Tactics)., 4. **Lack Of 2Fa**: Oauth Applications And Admin Accounts Did Not Enforce Multi-Factor Authentication., 5. **Lateral Movement Opportunities**: Poor Segmentation Allowed Attackers To Pivot To Google Workspace, Microsoft 365, And Okta.,
Corrective Actions: **Immediate:**, - Revoke All Compromised Oauth Tokens And Enforce 2Fa For New Tokens., - Isolate And Audit All Third-Party Integrations With Salesforce., - Reset Credentials For Affected Employees/Customers., **Short-Term:**, - Deploy **Behavioral Analytics** To Detect Anomalous Access Patterns., - Conduct **Phishing/Vishing Simulations** To Test Employee Awareness., - Implement **Network Segmentation** Between Cloud Platforms., **Long-Term:**, - Establish A **Third-Party Risk Management Program** With Regular Vendor Audits., - Adopt A **Zero-Trust Architecture** To Limit Lateral Movement., - Develop A **Supply-Chain Breach Playbook** For Future Incidents.,
Incident : Extortion SAL2102121100425
Root Causes: Oauth Token Misuse, Third-Party Integration Vulnerabilities (Drift), Potential Insider Threats Or Credential Theft,
Incident : Extortion SAL4932949100625
Root Causes: Successful Vishing Attacks Exploiting Human Trust, Lack Of Strict Controls On Salesforce App Authorizations, Insufficient Employee Awareness Of Social Engineering Tactics,
Corrective Actions: Enhanced Mfa And Access Controls For Salesforce, Stricter Monitoring Of Api Data Exports, Employee Training On Vishing And Social Engineering,
Incident : Data Breach SAL0693606100625
Root Causes: Successful Social Engineering (Vishing/Oauth App Tricks), Inadequate Security For Third-Party Integrations, Lack Of Real-Time Monitoring For Unauthorized Data Access,
Corrective Actions: Disabled Vulnerable Integrations Temporarily, Public Awareness Campaigns On Phishing Risks, Legal Defense Against Lawsuits,
Incident : Data Breach SAL0962109100825
Root Causes: Insufficient Oauth Application Security, Lack Of Monitoring For Anomalous Data Access, Supply Chain Vulnerability (Salesloft Drift Tokens), Successful Social Engineering Attacks,
Incident : Data Breach SAL0562205100825
Root Causes: Lack Of Mfa On Salesforce Oauth Integrations, Insufficient Third-Party Vendor Security (Discord), Gitlab Server Misconfiguration (Red Hat), Delayed Patching (Oracle Cve-2025-61882), Social Engineering Susceptibility (Vishing Success),
Corrective Actions: Salesforce: Stricter Oauth App Review Process, Discord: Vendor Security Audits, Red Hat: Gitlab Hardening, Token Rotation, Oracle: Emergency Patch Deployment, Cross-Industry: Shared Threat Intelligence On Shinyhunters Tactics,
Incident : Data Breach SAL3132231100825
Root Causes: Inadequate Security Controls For Salesloft’S Github Account (E.G., Lack Of Mfa, Monitoring)., Overprivileged Oauth Tokens With Prolonged Validity., Lack Of Segmentation Between Drift App And Salesforce Customer Environments., Delayed Detection Of Github Account Compromise (March–June 2024).,
Corrective Actions: Salesforce Disabled Drift App And Mandated Token Renewal., Salesloft Likely Reviewing Github Security And Token Management (Unconfirmed)., Affected Customers Advised To Rotate Credentials And Audit Integrations.,
Incident : Data Breach SAL5002150100925
Root Causes: Human Error (Compliance With Fraudulent Calls), Lack Of Multi-Factor Authentication For App Integrations,
Incident : Law Enforcement Takedown SAL4232242101025
Root Causes: Centralized Infrastructure (Breachforums) Created A Single Point Of Failure For Cybercriminal Operations., Underestimation Of Law Enforcement'S Ability To Seize Backups And Escrow Databases., Over-Reliance On Forum-Based Models For Data Extortion Campaigns.,
Corrective Actions: Shinyhunters Declared No Further Reboots Of Breachforums, Suggesting A Shift To Decentralized Or Darker Web-Only Operations., Increased Caution Among Cybercriminals Regarding Forum-Based Activities (Perceived As 'Honeypots')., Potential Migration Of Data Leak Operations To More Secure, Less Detectable Platforms.,
Incident : Forum Takedown SAL4432144101325
Root Causes: Lack Of Sustainable Infrastructure For Cybercriminal Forums Under Law Enforcement Pressure., Over-Reliance On Centralized Platforms (E.G., Breachforums) Vulnerable To Seizures., High Monetization Incentives Driving Persistent Cybercriminal Activity.,
Corrective Actions: Law Enforcement: Continue Disruptive Operations Against Successor Forums., Companies: Strengthen Access Controls And Monitoring For Saas/Enterprise Environments., Cybersecurity Community: Share Threat Intelligence On Emerging Extortion Tactics.,
Incident : Social Engineering SAL4493244102125
Root Causes: Lack Of Robust Verification For Unsolicited Support Calls., Over-Reliance On Employee Trust In Voice Communications., Insufficient Training On Social Engineering Tactics (E.G., Vishing)., Ai-Assisted Phishing Content Increasing Attack Credibility.,
Corrective Actions: Implement Mandatory Verification Steps For All Support/Vendor Calls., Deploy Ai-Driven Phishing Detection For Email And Voice Channels., Expand Security Awareness Training To Include Vishing Simulations., Enforce Mfa For All Saas Applications, Especially Salesforce., Audit Third-Party Vendor Access And Communication Protocols.,
Incident : Vulnerability Exploitation TIN0344703102825
Root Causes: Slack'S Overly Permissive Link-Rendering Logic, Lack Of Input Validation For Wikipedia Reference Footnotes In External Previews, Trust In Platform Integrations Without Sufficient Security Controls,
Incident : Cybercriminal Alliance Formation SAL5402554110625
Root Causes: Exploitation Of Zero-Day Vulnerabilities (E.G., Cve-2025-61882)., Lack Of Adaptive Defenses Against Ai-Driven Social Engineering., Fragmented Cybercriminal Ecosystems Enabling Consolidation (E.G., Post-Breachforums Vacuum)., Over-Reliance On Traditional Perimeter Security In Cloud/Saas Environments.,
Corrective Actions: Proactive Zero-Day Patch Management And Exploit Mitigation., Behavioral Analytics For Credential-Based Attacks., Dark Web Monitoring For Emerging Threat Actor Alliances., Cross-Sector Collaboration To Disrupt Eaas Models.,
Incident : Data Breach SAL5090350110725
Root Causes: Social Engineering (It Support Impersonation), Inadequate Protection Of Third-Party Oauth Tokens (Salesloft Drift), Lack Of Mfa Or Token Rotation Policies,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Google Threat Intelligence Group (Gtig), Mandiant, Astrix Security, , Checking For Specific Ip Addresses/User-Agent Strings Linked To Attackers, , Real-Time Api Call Anomaly Detection, Geofencing For Oauth Authorizations, , Google Mandiant (Threat Intelligence), Fbi (Advisory & Investigation), , Mandiant (Google’S Incident Response), Salesforce Security Team, Fbi Cyber Division, , Salesforce Instance Logs, Cloud Platform (Google Workspace, Microsoft 365, Okta) Activity, , Mandiant (Google), External Cybersecurity Experts, , External Specialists, Authorities, , Google Threat Intelligence (Reported Attacks In June And August 2025), , Google Threat Intelligence Group (Gtig), Mandiant (Malware Analysis), Law Enforcement (Fbi, Uk Nca), , Salesforce: Increased Logging For Oauth Integrations, Red Hat: Gitlab Access Audits, , Google Threat Intelligence Group (Warnings), , Likely (Implied By Google Threat Intelligence Collaboration), , Mandiant (Google-Owned Threat Intelligence), , French Law Enforcement (Bl2C Unit), , Europol (In Prior Operations), , Mandiant (Google), , Monitoring For Unauthorized Saas Access, , Esentire (Research/Disclosure), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Blocked Access To Orgs With Inadvertent Permissions, , Revoke And Rotate Compromised Oauth Tokens., Enforce Ip Restrictions And User-Agent Monitoring., Audit And Secure Exposed Secrets In Salesforce Environments., Implement Inventory And Governance For Nhis., , Redesign Oauth App Permission Model (Least Privilege By Default), Deploy Dedicated Api Security Gateways With Behavioral Analysis, Mandate Mfa For All Oauth App Authorizations, Integrate Threat Intelligence Feeds For Tor/Vpn-Based Call Origins, Establish Cross-Functional Incident Response For Crm Compromises, , Salesforce: Enforced Mfa And Least Privilege Guidelines For Customers, Drift/Salesloft: Revoked Compromised Oauth Tokens And Audited Integrations, Affected Companies: Initiated Credential Rotation And Access Reviews, Fbi: Shared Indicators Of Compromise (Iocs) For Detection, , Enforced Trusted Url Allow-Lists For Agentforce And Einstein Ai Agents., Re-Secured Expired Domain And Implemented Domain Monitoring., Released Patches To Block Data Exfiltration Via Untrusted Urls., Public Disclosure To Raise Awareness Of Ai Prompt Injection Risks., , **Immediate:**, - Revoke All Compromised Oauth Tokens And Enforce 2Fa For New Tokens., - Isolate And Audit All Third-Party Integrations With Salesforce., - Reset Credentials For Affected Employees/Customers., **Short-Term:**, - Deploy **Behavioral Analytics** To Detect Anomalous Access Patterns., - Conduct **Phishing/Vishing Simulations** To Test Employee Awareness., - Implement **Network Segmentation** Between Cloud Platforms., **Long-Term:**, - Establish A **Third-Party Risk Management Program** With Regular Vendor Audits., - Adopt A **Zero-Trust Architecture** To Limit Lateral Movement., - Develop A **Supply-Chain Breach Playbook** For Future Incidents., , Enhanced Mfa And Access Controls For Salesforce, Stricter Monitoring Of Api Data Exports, Employee Training On Vishing And Social Engineering, , Disabled Vulnerable Integrations Temporarily, Public Awareness Campaigns On Phishing Risks, Legal Defense Against Lawsuits, , Salesforce: Stricter Oauth App Review Process, Discord: Vendor Security Audits, Red Hat: Gitlab Hardening, Token Rotation, Oracle: Emergency Patch Deployment, Cross-Industry: Shared Threat Intelligence On Shinyhunters Tactics, , Salesforce Disabled Drift App And Mandated Token Renewal., Salesloft Likely Reviewing Github Security And Token Management (Unconfirmed)., Affected Customers Advised To Rotate Credentials And Audit Integrations., , Shinyhunters Declared No Further Reboots Of Breachforums, Suggesting A Shift To Decentralized Or Darker Web-Only Operations., Increased Caution Among Cybercriminals Regarding Forum-Based Activities (Perceived As 'Honeypots')., Potential Migration Of Data Leak Operations To More Secure, Less Detectable Platforms., , Law Enforcement: Continue Disruptive Operations Against Successor Forums., Companies: Strengthen Access Controls And Monitoring For Saas/Enterprise Environments., Cybersecurity Community: Share Threat Intelligence On Emerging Extortion Tactics., , Implement Mandatory Verification Steps For All Support/Vendor Calls., Deploy Ai-Driven Phishing Detection For Email And Voice Channels., Expand Security Awareness Training To Include Vishing Simulations., Enforce Mfa For All Saas Applications, Especially Salesforce., Audit Third-Party Vendor Access And Communication Protocols., , Proactive Zero-Day Patch Management And Exploit Mitigation., Behavioral Analytics For Credential-Based Attacks., Dark Web Monitoring For Emerging Threat Actor Alliances., Cross-Sector Collaboration To Disrupt Eaas Models., .
Additional Questions
General Information
Has the company ever paid ransoms ?
Ransom Payment History: The company has Paid ransoms in the past.
What was the amount of the last ransom demanded ?
Last Ransom Demanded: The amount of the last ransom demanded was ['Extortion Threats (No Specific Ransom Amount Disclosed)'].
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an UNC6040, UNC6395, UNC6040UNC6240 (associated extortion specialists), ShinyHuntersScattered SpiderLapsus$UNC6040 (Google Mandiant)UNC6395 (Google Mandiant)Scattered Lapsus$ Hunters, Security Researchers (Noma Security), Scattered Lapsus$ Hunters (aka ShinyHunters)UNC6040The Com (English-speaking cybercrime collective), Scattered LAPSUS$ Hunters (SLH)Scattered SpiderShinyHuntersLapsus$, Scattered LAPSUS$ HuntersUNC6040UNC6240, Shiny Hunters, Scattered Lapsus$ HuntersShinyHunters, Name: ShinyHunters (UNC6040)Aliases: Scattered LAPSUS$ Hunters, Aliases: UNC6240, Aliases: UNC6395, Affiliation: Scattered Spider, Affiliation: Lapsus$, Affiliation: The Com (Cybercriminal Community), Nationality: English-speaking (Multinational)Name: Crimson CollectiveRole: Claimed Responsibility for Red Hat BreachName: Clop Ransomware GangRole: Exploited CVE-2025-61882 Prior to Public Disclosure, ShinyHunters, Scattered LAPSUS$ HuntersUNC6040 (Mandiant designation), ShinyHuntersScattered Lapsus$ Hunters, ShinyHuntersScattered SpiderLAPSUS$Scattered Lapsus$ Hunters, BaphometIntelBrokerShinyHuntersScattered Lapsus$ Hunters, UNC6040 (Organized Criminal Gang), Name: Scattered LAPSUS$ Hunters (SLH)Aliases: SLH, Aliases: scattered LAPSUS$ hunters 7.0, Affiliated Groups: Scattered Spider, Affiliated Groups: ShinyHunters, Affiliated Groups: LAPSUS$, Affiliated Groups: The Com, Alias: shinycorp, Handles: ['@sp1d3rhunters', '@shinyc0rp'], Role: Principal Orchestrator, Alias: yuka, Handles: None, Role: Exploit Developer, Associated Malware: ['BlackLotus UEFI bootkit', 'Medusa rootkit'], Alias: Alg0d, Handles: None, Role: Auxiliary Operator, Alias: UNC5537, Handles: None, Role: Auxiliary Operator, Operational Model: Extortion-as-a-Service (EaaS), Operational Model: Crowdsourced Extortion, Operational Model: Vulnerability Brokerage and .
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2022-12-31.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07.
What was the most recent incident resolved ?
Most Recent Incident Resolved: The most recent incident resolved was on 2025-08-20.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Private GitHub Code Repositories, , Customer account data, User data, Opportunities data, AWS access keys, Snowflake tokens, High-value secrets, , CRM Data (Salesforce), Customer Records, Sensitive Business Information, Salesforce Account: 250 million records, Salesforce Contact: 579 million records, Salesforce Opportunity: 171 million records, Salesforce User: 60 million records, Salesforce Case: 459 million records, Total: 1.5 billion records, , Salesforce Account: 250 million records, Salesforce Contact: 579 million records, Salesforce Opportunity: 171 million records, Salesforce User: 60 million records, Salesforce Case: 459 million records, Total: 1.5 billion records, , Customer Lead Data, Email Addresses, Potentially Other CRM Records, , Personally Identifiable Information (PII), Shipping Information, Marketing Lead Data, Customer Support Case Records, Chat Transcripts, Flight Details, Car Ownership Records, Employment Histories, Passport Numbers, Full Contact Information, , 1 billion records (claimed by threat actors), Customer records (~1 billion), Sensitive customer information, , Nearly 1 billion records (claimed), Customer Data, Support Tickets, Credentials, API Tokens, Authentication Tokens, , Salesforce Customer Records (>1B), Discord User Data (Usernames, Emails, IP Addresses, Payment Card Last 4 Digits, Government IDs), Red Hat GitLab Repositories (28,000+ Repos, 5,000+ Customer Engagement Reports, API Tokens, Infrastructure Details), Oracle E-Business Suite Data (Via CVE-2025-61882), Salesloft Authentication Tokens (Cloud Services: Snowflake, AWS), , Customer Contact Details, IT Support Information, Access Tokens, IT Configurations, CRM Fields, Support Cases, Integration Data, , ~1 billion records, Corporate Data, Customer Records (1+ billion), Escrow Databases, Database Backups (since 2023), , one billion records (alleged), Hacked/Stolen Data (Traded on BreachForums), Leaked Corporate Data (e.g., Salesforce, Google, Disney, etc.), , Salesforce Data, Sensitive Credentials, , Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises), , Personally Identifiable Information (PII), AWS access keys, Passwords, Snowflake-related access tokens and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident were Customer Instances and Salesforce corporate accountsSalesloft Drift application and Salesforce CRM PlatformsConnected Apps InfrastructureVoIP/Tor Communication Channels and Salesforce CRMDrift AI Chat/Email ServicesSalesloft PlatformGitHub Repository (Salesloft)Connected Applications (AWS, Snowflake, etc.) and Salesforce AgentforceEinstein Generative AI AgentsWeb-to-Lead Feature and Salesforce CRM InstancesSalesloft Drift AI ChatbotGoogle WorkspaceMicrosoft 365Okta PlatformsGitHub Repository (Salesloft) and Salesforce environments of ~40 companiesCustomer data via OAuth abuse and Salesforce CRM environments of ~40 companies and Salesforce User AccountsThird-Party Integrations (e.g., Salesloft Drift) and Salesforce CRM InstancesSalesLoft Drift Environments and Salesforce Instances (Multiple Fortune 500 Companies)Discord Third-Party Customer Service ProviderRed Hat GitLab ServerOracle E-Business Suite ServersSalesloft AI Chatbot Platform and SalesLoft Drift AppSalesforce IntegrationsDrift’s AWS EnvironmentGitHub Account (SalesLoft) and Salesforce Customer Portals and BreachForums DomainsBackend ServersDatabase Backups and BreachForums Domain Infrastructure and Salesforce InstancesSaaS Applications and Slack WorkspacesUser Endpoints (via Malware) and Cloud InfrastructureSaaS Platforms (e.g., Salesforce)Database Systems and Salesforce CRM (via third-party integration)Salesloft DriftGitHub repositories.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was google threat intelligence group (gtig), mandiant, astrix security, , google mandiant (threat intelligence), fbi (advisory & investigation), , mandiant (google’s incident response), salesforce security team, fbi cyber division, , mandiant (google), external cybersecurity experts, , external specialists, authorities, , google threat intelligence (reported attacks in june and august 2025), , google threat intelligence group (gtig), mandiant (malware analysis), law enforcement (fbi, uk nca), , google threat intelligence group (warnings), , mandiant (google-owned threat intelligence), , french law enforcement (bl2c unit), , europol (in prior operations), , mandiant (google), , esentire (research/disclosure), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Blocked access to affected instances, Revoked all active access tokens for Drift app (August 20, 2025)Temporarily removed Drift from Salesforce AppExchange, Web Application Firewall (WAF) with Rate-Limiting for API CallsSIEM Correlation of OAuth Events with API UsageUser and Entity Behavior Analytics (UEBA) DeploymentConditional Access Policies for OAuth Apps (IP/Device/Risk-Based), Enforced Trusted URL Allow-Lists for Agentforce/Einstein AIRe-secured Expired Domain (my-salesforce-cms.com), Revoking Compromised OAuth TokensIsolating Affected Salesforce InstancesDisabling Salesloft Drift Integrations, Supporting potentially affected customersInvestigating claims, Disabled Salesloft Drift Integration (Aug 28–Sep 7, 2025), Salesforce: Disabled Malicious OAuth AppsRed Hat: Isolated Compromised GitLab ServerDiscord: Terminated Third-Party Vendor AccessOracle: Emergency Patch for CVE-2025-61882, Disabled Drift App IntegrationToken Renewal Mandate for Customers, Domain SeizureBackend Server SeizureNameserver Redirection to FBI, Domain seizureDisruption of forum operations, End unsolicited support calls without providing access/informationVerify callers via trusted and on-file contact informationRequire explicit verification from account managers before fulfilling requests.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Chat Transcripts, Sensitive Credentials, Snowflake-related access tokens, Passwords, Customer Records, Potentially Other CRM Records, Customer Data, Red Hat GitLab Repositories (28,000+ Repos, 5,000+ Customer Engagement Reports, API Tokens, Infrastructure Details), Sensitive customer information, Marketing Lead Data, API Tokens, Snowflake tokens, Leaked Corporate Data (e.g., Salesforce, Google, Disney, etc.), Access Tokens, Database Backups (since 2023), Oracle E-Business Suite Data (Via CVE-2025-61882), Car Ownership Records, ~1 billion records, Opportunities data, Email Addresses, Credentials, Corporate Data, Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises), Employment Histories, User data, Support Tickets, Nearly 1 billion records (claimed), Customer Contact Details, Shipping Information, Full Contact Information, Integration Data, Escrow Databases, Customer Records (1+ billion), Customer account data, Flight Details, CRM Data (Salesforce), IT Configurations, Authentication Tokens, Customer records (~1 billion), High-value secrets, Hacked/Stolen Data (Traded on BreachForums), Private GitHub Code Repositories, Salesforce Customer Records (>1B), Salesloft Authentication Tokens (Cloud Services: Snowflake, AWS), Sensitive Business Information, Passport Numbers, CRM Fields, Personally Identifiable Information (PII), Discord User Data (Usernames, Emails, IP Addresses, Payment Card Last 4 Digits, Government IDs), Support Cases, Salesforce Data, one billion records (alleged), AWS access keys, 1 billion records (claimed by threat actors), IT Support Information, Customer Lead Data and Customer Support Case Records.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 10.5B.
Ransomware Information
What was the highest ransom demanded in a ransomware incident ?
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was $989 million.
Regulatory Compliance
What was the most significant legal action taken for a regulatory violation ?
Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending (Potential Class-Action Lawsuits), Regulatory Investigations, , Arrests of UK teens (Scattered Spider members), Ongoing investigations, , 14 Lawsuits Filed by Affected Companies (September 2025), , UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025), , Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S., , Domain seizures, Arrest of forum founder (Conor Brian Fitzpatrick in 2023), , Class action lawsuits (e.g., Staci Johnson v. Salesforce), .
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Theatrical branding and narrative control are strategic assets equivalent to technical capabilities., Third-party integrations (e.g., OAuth tokens) can be critical attack vectors; social engineering remains a potent threat; proactive customer support and transparency are essential during incidents.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was - **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector., Monitor for unusual data access patterns, especially in Salesforce environments., **For All Organizations:**, Conduct third-party security audits for all integrated apps, especially those with OAuth access., Slack should update its link-rendering logic to validate domains before generating previews., Enhance OAuth application security and monitoring, Enforce Multi-Factor Authentication (MFA) for OAuth App Authorizations, Collaborate with vulnerability brokerage programs to preempt exploit proliferation., Educate employees on social engineering tactics (e.g., vishing), - Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts., Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms., Implement automated token rotation and anomaly detection for cloud environments., - Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta)., Enforce MFA for all user and service accounts, especially those with access to sensitive data., Conducting audits to identify and secure exposed secrets within Salesforce data., Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement., Implement the principle of least privilege to limit access to CRM data and APIs., Law enforcement should continue targeting cybercrime infrastructure to disrupt operations., Conduct regular red-team exercises for AI systems to test prompt injection resilience., Implement MFA for OAuth Integrations (Salesforce), Improve incident communication to affected customers, Monitor dark web/Telegram channels for leaked data or extortion attempts., Conduct regular security awareness training for social engineering risks, Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews., Audit and monitor OAuth applications and connected apps for suspicious activity., Isolate GitLab/Sensitive Repos (Red Hat), - **Develop a third-party breach response plan** with legal, PR, and technical playbooks., Educate HR and recruiting teams on red flags for fake identities (e.g., AI-generated profiles, inconsistent resumes)., Creating an inventory of non-human identities (NHIs) to improve visibility and security., Enhance SaaS and enterprise tenant security to prevent unauthorized access., Restrict elevated SaaS access to minimal necessary personnel and enforce multi-factor authentication (MFA)., - **Assess third-party vendor security** with penetration testing and contractually enforce security standards., Enforce allow-lists for all external URLs called by AI agents., Mandate multi-factor authentication (MFA), Monitor Dark Web for Stolen Data (All Victims), Implement defense-in-depth strategies for caller verification (e.g., callback procedures using trusted contacts)., Restrict Connected Apps to Pre-Approved IP Ranges/Device Postures, Enhance Employee Training on Vishing (Salesforce Customers), Use URL reputation services to block known malicious domains in real-time., Develop counter-narrative strategies to disrupt threat actor branding and psychological operations., **For Salesforce/Salesloft Customers:**, Implement multi-factor authentication (MFA) for OAuth token access, - Immediately **revoke and rotate OAuth tokens** for all third-party integrations., Monitor for unauthorized data exfiltration in CRM environments, Companies should proactively monitor dark web leak sites for exposed data., Limit rights for Data Loader use, Establish Clearer Incident Communication Protocols, Enhance AI-driven phishing/vishing detection for credential harvesting campaigns., Enable stricter third-party app integration policies in Slack to mitigate similar risks., Organizations should educate users on verifying links in previews, even from trusted sources., Prepare Incident Response Playbooks for CRM-Specific Extortion Scenarios, Implement stricter access controls for third-party integrations, - Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations., Monitor for anomalous access patterns in SaaS applications (e.g., unexpected logins from new locations)., Integrate AI-specific security controls into traditional SOC workflows., Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests., Monitor for Anomalous OAuth Token Usage (e.g., Geographically Inconsistent Access), Review supply chain security for third-party SaaS providers, Collaborate with law enforcement to disrupt cybercriminal infrastructure proactively., Enforce strict control of connected apps in Salesforce, Integrate AI-driven threat detection to identify phishing content generated with AI tools., Educate employees on phishing and credential theft risks to mitigate initial access brokers., Develop and test incident response plans for extortion and data breach scenarios., Monitor domain registrations for expired trusted domains., Implement IP-based access restrictions, Conduct regular phishing simulations, including vishing scenarios, to test employee awareness., Monitoring for suspicious IP addresses/User-Agent strings associated with attackers., Conduct Regular Security Audits of Partner Apps, Restrict permissions for third-party applications, Monitor dark web for stolen credentials/tokens, Implementing IP restrictions to limit access to trusted locations., Apply Zero-Day Patches Immediately (Oracle), - **Monitor dark web forums** for leaked credentials or mentions of your organization., Audit Third-Party Vendor Security (Discord, Salesloft), - **Train employees on social engineering tactics**, especially vishing and IT impersonation scams., Conduct regular social engineering awareness training, Enhance third-party vendor security assessments, Enhance OAuth App Vetting Processes, Develop a unified incident response plan for supply chain attacks involving multiple vendors., Adopt Hardware-Backed Key Storage (HSM) for Critical API Credentials, Rotating compromised credentials and enforcing least-privilege access for NHIs., Educate developers on secure AI prompt design patterns., Implement Multi-Factor Authentication (MFA) for Third-Party Integrations, Implement strict character limits and input sanitization for all AI prompt fields., Monitor for unauthorized API access or data exports, Hardening access controls by restricting Connected App scopes in Salesforce., Conduct Regular Red Team Exercises Simulating Vishing + OAuth Abuse, Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches)., Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments., Proactively communicate with customers about breach scope and mitigation steps to maintain trust., Train employees to recognize and report unsolicited access requests, especially via phone or email., Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases), Implement Zero Trust Principles for API Access (Least Privilege, Continuous Authentication), Deploy WAF Rules to Detect Bulk API Queries (e.g., SOQL via REST Endpoints), - Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns., Improve User Training on Social Engineering Tactics, Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog., Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.' and Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are GBHackers (GBH), Information Security Media Group (ISMG), GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa), FBI Advisory on ShinyHunters/Scattered Spider Campaigns, ITPro, Salesforce Security Advisory, OpenAI Report on AI-Assisted Phishing, CyberheistNews Vol 15 #42, Resecurity Report on 'The Com' Cybercrime Collective, Hackread.com (Jonathan Sander interview), ShinyHunters Telegram/Leak Site (Evidence of Breach), Google Threat Intelligence Group, Staci Johnson v. Salesforce (Class Action Complaint), Salesforce Public Statement, BreachForums extortion site, Google Threat Intelligence Group Analysis, FBI Press Release (hypothetical), BleepingComputer, Google Threat Intelligence Report (August 2025), TechRadar Pro, Mandiant (Charles Carmichael LinkedIn), Article on UNC6040 Vishing Campaigns, Google Threat Intelligence Report (June 2025), Google Mandiant Threat Intelligence Report on UNC6040/UNC6395, SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0'), KrebsOnSecurity, Cloudflare (OAuth Abuse Report), US Department of Justice (Noah Urban Sentencing), The Register, Salesforce Trust Page, Astrix Security Blog Post, Red Hat Security Advisory, Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity), Bloomberg, LinkedIn/Reddit Observations (2025), Google Threat Intelligence Group (GTIG), Noma Security Blog, Google Threat Intelligence Group (GTIG) and Mandiant Advisory, Mandiant (Google-owned), Google Mandiant Defensive Framework, eSentire Research, UK National Crime Agency (Scattered Spider Charges), FBI Cyber Division Advisory (UNC6040), Salesforce Security Alert (2025), Salesforce Customer Advisory on Mitigation Measures and Mandiant (Google) Blog Post.
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://hackread.com, https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/, https://www.ismg.com, https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/, https://www.fbi.gov, https://www.mandiant.com, https://www.resecurity.com, https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/, https://www.bleepingcomputer.com, https://www.bloomberg.com, https://krebsonsecurity.com, https://blog.google/threat-analysis-group/, https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/, https://www.linkedin.com/in/charles-carmichael-mandiant, https://access.redhat.com/security, https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group, https://www.nationalcrimeagency.gov.uk/news, https://www.bleepingcomputer.com, https://www.itpro.com/, https://blog.knowbe4.com/protect-yourself-from-voice-phishing-attacks-targeting-salesforce-instances, https://blog.knowbe4.com/cyberheistnews-vol-15-42-heads-up-fake-support-calls-used-to-breach-your-salesforce-accounts, https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/, https://trust.salesforce.com .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (as of August 20, 2025).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was GTIG/Mandiant advisory, Salesforce/Salesloft notifications to affected organizations, Salesforce Urgent Security Advisory, FBI Private Industry Notification (PIN), Salesforce notified customers via public statement and enforced security controls., Salesforce Security Bulletin (Pending), Vendor Notifications to Affected Customers, Regulatory Disclosures (e.g., SEC Filings for Public Companies), Salesforce security advisory (2024-09-26), Salesforce denies platform hack; claims are based on previous/unconfirmed incidents, Google confirmed a resolved breach in June affecting basic SMB data, Salesforce issued alerts to customers and disabled vulnerable integrations., Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom., Salesforce: 'Will Not Negotiate or Pay Extortion' (October 2025), Red Hat: 'Notify Affected Customers' (October 2, 2025), Discord: 'Limited User Impact, Password Resets Advised' (September 2025), Salesforce internal memo (leaked to Bloomberg), Customer notifications for token renewal, FBI warnings to potential victims, Cybersecurity community alerts, Verify all third-party support calls via trusted channels., Report suspicious calls to IT/security teams immediately., Avoid clicking links or sharing credentials in unsolicited communications., Salesforce advised customers to review security practices via its Trust page., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Recommendations for credential rotation and access control hardening, Warn Users About Unsolicited IT Support Calls Requesting OAuth Approvals, Salesforce Recommendations for Customers to Secure Environments, Customers advised to review AI agent configurations and trusted URL settings., Recommended: Password Resets for Affected AccountsCredit Monitoring for Exposed PIIPhishing Awareness Alerts, Notifications sent to affected organizations (via Salesforce and Google), Salesforce is supporting potentially affected customersOrganizations urged to tighten Salesforce security settings, Customers advised to review OAuth app permissions and monitor for suspicious activity., Customers advised of potential data leaks and encouraged to monitor for unauthorized access., Salesforce: Monitor for Phishing, Enable MFADiscord: Reset Passwords, Watch for Identity TheftRed Hat: Audit GitLab Access, Rotate Compromised Tokens, Token renewal instructionsSupport channels for affected organizations, Companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure., Companies targeted (e.g., Salesforce, Google) likely issued internal advisories, Customers of affected organizations should monitor for unauthorized access to their data.Reset passwords if potentially exposed to phishing attempts., Customers (e.g., TransUnion and Farmers Insurance) notified their affected users separately.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Telephone social engineering (vishing) to trick users into authorizing malicious Salesforce apps, OAuth tokens via Salesloft's Drift integration, Salesloft Drift GitHub repository (compromised in March 2025), SalesLoft GitHub Account (Compromised March–June 2024), Compromised OAuth tokens from Salesloft Drift application, Compromised Slack account or social engineering to join workspace, Stolen Employee Tokens, Voice Phishing (Vishing) Calls, Telephone-based social engineering, Web-to-Lead Form (Description Field) and Salesloft GitHub Repository (Stolen OAuth Tokens).
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely conducted prior to August 8, 2025 (exact duration undisclosed), Likely Extended (Targeted CRM Platform Mapping), At Least 1 Year (Ongoing Campaigns), 2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence), Several months (attacks reported since June 2025), Late 2024 (first campaign), Early August 2025 (second campaign), Months (Salesforce Campaign Planned Since Early 2025), Likely conducted prior to March 2024 (exact duration unknown), Likely conducted prior to May 2024.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Inadvertent Permissions, Overprivileged non-human identities (NHIs) with persistent access.Lack of visibility/management of OAuth tokens and connected apps.Insufficient restrictions on Connected App scopes in Salesforce., Over-Permissive OAuth Scopes for Connected AppsLack of API-Specific Anomaly Detection (e.g., Bulk SOQL Queries)Insufficient User Training on Vishing + OAuth RisksGaps in Conditional Access Policies for High-Risk Auth Flows, Weak OAuth Token Management in Drift/Salesloft IntegrationsLack of MFA for High-Risk Accounts/ApplicationsExcessive Privileges Granted to Connected AppsExposed Secrets in Public/Private Repositories (GitHub)Inadequate Monitoring for Anomalous OAuth App Activity, DNS misconfiguration allowing expired domain (my-salesforce-cms.com) to be purchased by attackers.Lack of input validation for AI prompt fields (e.g., 42,000-character description field).Over-trust in AI agent interactions with external data sources.Insufficient URL allow-listing for AI-generated outputs., 1. **Weak OAuth Security**: Salesloft’s GitHub repository lacked protection for OAuth tokens, enabling initial access.2. **Third-Party Risk**: Salesloft Drift integration was not adequately vetted for security vulnerabilities.3. **Social Engineering Gaps**: Support staff were tricked into granting access via vishing/phishing (UNC6040 tactics).4. **Lack of 2FA**: OAuth applications and admin accounts did not enforce multi-factor authentication.5. **Lateral Movement Opportunities**: Poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365, and Okta., OAuth token misuseThird-party integration vulnerabilities (Drift)Potential insider threats or credential theft, Successful vishing attacks exploiting human trustLack of strict controls on Salesforce app authorizationsInsufficient employee awareness of social engineering tactics, Successful Social Engineering (Vishing/OAuth App Tricks)Inadequate Security for Third-Party IntegrationsLack of Real-Time Monitoring for Unauthorized Data Access, Insufficient OAuth application securityLack of monitoring for anomalous data accessSupply chain vulnerability (SalesLoft Drift tokens)Successful social engineering attacks, Lack of MFA on Salesforce OAuth IntegrationsInsufficient Third-Party Vendor Security (Discord)GitLab Server Misconfiguration (Red Hat)Delayed Patching (Oracle CVE-2025-61882)Social Engineering Susceptibility (Vishing Success), Inadequate security controls for SalesLoft’s GitHub account (e.g., lack of MFA, monitoring).Overprivileged OAuth tokens with prolonged validity.Lack of segmentation between Drift app and Salesforce customer environments.Delayed detection of GitHub account compromise (March–June 2024)., Human Error (Compliance with Fraudulent Calls)Lack of Multi-Factor Authentication for App Integrations, Centralized infrastructure (BreachForums) created a single point of failure for cybercriminal operations.Underestimation of law enforcement's ability to seize backups and escrow databases.Over-reliance on forum-based models for data extortion campaigns., Lack of sustainable infrastructure for cybercriminal forums under law enforcement pressure.Over-reliance on centralized platforms (e.g., BreachForums) vulnerable to seizures.High monetization incentives driving persistent cybercriminal activity., Lack of robust verification for unsolicited support calls.Over-reliance on employee trust in voice communications.Insufficient training on social engineering tactics (e.g., vishing).AI-assisted phishing content increasing attack credibility., Slack's overly permissive link-rendering logicLack of input validation for Wikipedia reference footnotes in external previewsTrust in platform integrations without sufficient security controls, Exploitation of zero-day vulnerabilities (e.g., CVE-2025-61882).Lack of adaptive defenses against AI-driven social engineering.Fragmented cybercriminal ecosystems enabling consolidation (e.g., post-BreachForums vacuum).Over-reliance on traditional perimeter security in cloud/SaaS environments., Social engineering (IT support impersonation)Inadequate protection of third-party OAuth tokens (Salesloft Drift)Lack of MFA or token rotation policies.
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Blocked access to orgs with inadvertent permissions, Revoke and rotate compromised OAuth tokens.Enforce IP restrictions and User-Agent monitoring.Audit and secure exposed secrets in Salesforce environments.Implement inventory and governance for NHIs., Redesign OAuth App Permission Model (Least Privilege by Default)Deploy Dedicated API Security Gateways with Behavioral AnalysisMandate MFA for All OAuth App AuthorizationsIntegrate Threat Intelligence Feeds for Tor/VPN-Based Call OriginsEstablish Cross-Functional Incident Response for CRM Compromises, Salesforce: Enforced MFA and Least Privilege Guidelines for CustomersDrift/Salesloft: Revoked Compromised OAuth Tokens and Audited IntegrationsAffected Companies: Initiated Credential Rotation and Access ReviewsFBI: Shared Indicators of Compromise (IOCs) for Detection, Enforced trusted URL allow-lists for Agentforce and Einstein AI agents.Re-secured expired domain and implemented domain monitoring.Released patches to block data exfiltration via untrusted URLs.Public disclosure to raise awareness of AI prompt injection risks., **Immediate:**- Revoke all compromised OAuth tokens and enforce 2FA for new tokens.- Isolate and audit all third-party integrations with Salesforce.- Reset credentials for affected employees/customers.**Short-Term:**- Deploy **behavioral analytics** to detect anomalous access patterns.- Conduct **phishing/vishing simulations** to test employee awareness.- Implement **network segmentation** between cloud platforms.**Long-Term:**- Establish a **third-party risk management program** with regular vendor audits.- Adopt a **zero-trust architecture** to limit lateral movement.- Develop a **supply-chain breach playbook** for future incidents., Enhanced MFA and access controls for SalesforceStricter monitoring of API data exportsEmployee training on vishing and social engineering, Disabled Vulnerable Integrations TemporarilyPublic Awareness Campaigns on Phishing RisksLegal Defense Against Lawsuits, Salesforce: Stricter OAuth App Review ProcessDiscord: Vendor Security AuditsRed Hat: GitLab Hardening, Token RotationOracle: Emergency Patch DeploymentCross-Industry: Shared Threat Intelligence on ShinyHunters Tactics, Salesforce disabled Drift app and mandated token renewal.SalesLoft likely reviewing GitHub security and token management (unconfirmed).Affected customers advised to rotate credentials and audit integrations., ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or darker web-only operations.Increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots').Potential migration of data leak operations to more secure, less detectable platforms., Law enforcement: Continue disruptive operations against successor forums.Companies: Strengthen access controls and monitoring for SaaS/enterprise environments.Cybersecurity community: Share threat intelligence on emerging extortion tactics., Implement mandatory verification steps for all support/vendor calls.Deploy AI-driven phishing detection for email and voice channels.Expand security awareness training to include vishing simulations.Enforce MFA for all SaaS applications, especially Salesforce.Audit third-party vendor access and communication protocols., Proactive zero-day patch management and exploit mitigation.Behavioral analytics for credential-based attacks.Dark web monitoring for emerging threat actor alliances.Cross-sector collaboration to disrupt EaaS models..
.png)
Latest Global CVEs (Not Company-Specific)
Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4.
Risk Information
cvss3
Base: 3.7
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Description
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
Risk Information
cvss4
Base: 9.4
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion).
Risk Information
cvss2
Base: 5.8
Severity: LOW
AV:N/AC:L/Au:M/C:P/I:P/A:P
cvss3
Base: 4.7
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 5.1
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professional: "This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected."
Risk Information
cvss2
Base: 5.1
Severity: HIGH
AV:N/AC:H/Au:N/C:P/I:P/A:P
cvss3
Base: 5.0
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
cvss4
Base: 2.3
Severity: HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Risk Information
cvss2
Base: 9.0
Severity: LOW
AV:N/AC:L/Au:S/C:C/I:C/A:C
cvss3
Base: 8.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss4
Base: 7.4
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=tiny-spec-inc' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
