Salesforce-Targeted Data Breaches Impacting Google, Workday, and Others via Social Engineering
A coordinated wave of cyberattacks in 2025 targeted organizations using Salesforce’s CRM platform, resulting in significant data breaches at major companies including Google and Workday. Attackers exploited the inherent trust and connectivity of cloud-based CRM systems, focusing on social engineering rather than technical vulnerabilities. Workday confirmed that attackers accessed a database containing business contact information for up to 11,000 corporate customers and 70 million individual user records, with the breach discovered in early August 2025. Google also disclosed that its Salesforce instance used for Google Ads leads was compromised, leading to the theft of over 2.5 million customer records, including business contact details and sales notes for small and mid-sized clients. Cisco and other organizations were also listed among the victims of this campaign. The threat group responsible, identified as UNC6040 and associated with ShinyHunters, used telephone-based social engineering (vishing) to trick employees into granting access or sharing credentials. Attackers convinced targets to use a modified, unauthorized version of the Salesforce Data Loader app, which enabled them to exfiltrate sensitive data from Salesforce environments. Mandiant, working with Google, provided proactive defense recommendations, emphasizing that the attacks did not exploit Salesforce vulnerabilities but rather relied on manipulating end users. The attackers’ tactics included delayed extortion demands, sometimes occurring months after the initial compromise. The breaches highlighted the risks of interconnected cloud services and the importance of robust identity and access management. Security experts stressed the need for organizations to harden their Salesforce and other cloud assets against social engineering. The incidents underscored the growing trend of targeting SaaS platforms through human factors rather than technical flaws. Lessons from these breaches include the necessity of employee training, multi-factor authentication, and vigilant monitoring of third-party integrations. The scale and sophistication of the attacks demonstrated the evolving threat landscape for cloud-based business applications. Organizations are urged to review their incident response plans and ensure that all users are aware of the risks posed by social engineering campaigns. The breaches serve as a warning for enterprises to reassess their security posture around cloud CRM platforms and to implement layered defenses against both technical and human-centric threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
McGraw Hill discloses limited breach tied to Salesforce webpage misconfiguration
McGraw Hill said unauthorized access affected a webpage hosted on Salesforce as part of a broader misconfiguration impacting multiple organizations. The company said its Salesforce accounts, customer databases, internal systems, and sensitive data were not compromised, and that it secured the affected webpages and began an investigation with Salesforce.
Federal authorities shutter the Salesforce extortion site
U.S. federal authorities took down the ShinyHunters-linked extortion site used to pressure Salesforce customers. The action disrupted the group's public leak-and-ransom operation.
Salesforce says it will not pay extortion demands
Salesforce informed customers and the public that it would not negotiate with or pay the attackers behind the Salesforce-related extortion campaign. Reports said the leak site threatened publication if demands were not met by October 10.
Salesforce denies platform compromise and aids affected customers
Salesforce said its platform was not hacked and that it had no indication of a compromise or exploitation of a known vulnerability. The company began supporting customers named on the extortion site while emphasizing the intrusions affected customer environments, not Salesforce itself.
Group claims theft of nearly 1 billion Salesforce-linked records
The actor told reporters it had stolen almost 1 billion records tied to Salesforce customer environments, including personally identifiable information, and publicized the claim through its leak operation. Multiple outlets reported the same claim on October 3.
Extortion site launches listing about 39–40 alleged Salesforce victims
The threat actor launched a dark-web leak site naming roughly 39 to 40 alleged victim organizations and threatening to publish stolen Salesforce-related customer data unless ransoms were paid. The site marked a shift from covert intrusions to public extortion.
Google tracks Salesforce-focused vishing campaign as UNC6040
Google Threat Intelligence Group documented a social-engineering campaign targeting organizations that use Salesforce, in which attackers vished IT help desks and induced installation of a modified Salesforce Data Loader. Google linked the activity to UNC6040 and noted infrastructure overlaps with the wider 'The Com' cybercriminal ecosystem.
Attackers compromise Salesforce customers in wave spanning May to September
An actor using the names ShinyHunters and 'Scattered LAPSUS$ Hunters' breached multiple Salesforce customer environments through vishing rather than a Salesforce platform exploit. Victim listings later indicated intrusions occurred across May through September 2025.
FBI warns of two Salesforce-targeting campaigns and publishes IOCs
The FBI issued an alert warning that UNC6040 and UNC6395 were targeting Salesforce environments for data theft and extortion. The notice described UNC6040's vishing activity and UNC6395's abuse of Salesloft Drift OAuth tokens, and included indicators of compromise and defensive guidance for organizations.
UK police arrest four youths over retailer cyberattacks
UK police arrested four people under the age of 21 in connection with disruptive 2025 cyberattacks targeting British retailers including Marks & Spencer, Co-op, and Jaguar Land Rover. The same actor later claimed responsibility for those incidents as part of its broader extortion branding.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
18 references tracked. Mallory keeps watching after this page renders.
Educational company McGraw Hill says Salesforce misconfiguration led to data leak | The Record from Recorded Future News
therecord.media
Open source#phishing #scam #slack #cybersecurity #emailsecurity #onlinethreats | Vukašin Kalezić
linkedin.com
Open sourceFeds Shutter ShinyHunters Salesforce Extortion Site
darkreading.com
Open sourceSalesforce says it won’t pay extortion demand in 1 billion records breach
arstechnica.com
Open sourceSalesforce providing support to customers listed on Scattered Spider extortion site
therecord.media
Open sourceThe Salesforce Breach Wave Of 2025: Google, Workday, And Salesloft
blackfog.com
Open sourceGoogle Sheds Light on ShinyHunters' Salesforce Tactics
darkreading.com
Open sourceFBI warns about 2 campaigns targeting Salesforce instances | Cybersecurity Dive
cybersecuritydive.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Extortion Attacks Targeting Salesforce Customers
A series of extortion attacks have targeted organizations using Salesforce, resulting in the leakage of millions of records. Attackers have exploited vulnerabilities or misconfigurations in Salesforce environments to gain unauthorized access to sensitive customer and business data. Once inside, the threat actors exfiltrated large volumes of information, which they then used as leverage in extortion attempts against the affected companies. The attackers threatened to publicly release or sell the stolen data unless their demands were met, putting significant pressure on the victim organizations. Security experts have highlighted that these incidents demonstrate the growing risk of supply chain and third-party platform attacks, as Salesforce is widely used across industries for customer relationship management. The attacks have raised concerns about the adequacy of security controls and monitoring within cloud-based SaaS platforms, especially when organizations rely heavily on default configurations. In response, security professionals have urged companies to review their Salesforce security settings, implement robust access controls, and monitor for unusual activity. The incidents have also prompted calls for better incident response planning, as organizations must be prepared to act quickly in the event of a breach involving critical business platforms. The extortion group responsible for these attacks has demonstrated technical sophistication, leveraging both technical exploits and social engineering tactics to maximize their impact. The exposure of millions of records has potential regulatory and reputational consequences for the affected organizations, particularly in jurisdictions with strict data protection laws. Security podcasts and news outlets have discussed the technical details of the attacks, the methods used by the extortionists, and the broader implications for cloud security. Experts have also noted that these attacks may inspire copycat incidents targeting other SaaS providers. The events underscore the importance of regular security assessments and employee training to defend against evolving threats. Organizations are advised to stay informed about emerging attack techniques and to collaborate with their SaaS vendors to ensure comprehensive security coverage. The Salesforce extortion attacks serve as a stark reminder of the risks associated with cloud service dependencies and the need for proactive cybersecurity measures.
Mar 21, 2026
Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.
Mar 21, 2026
Massive OAuth Abuse Exposes Salesforce Customer Data via Third-Party Integrations
A significant wave of OAuth-related breaches has recently impacted the Salesforce ecosystem, resulting in the exposure of sensitive data from over 700 organizations and affecting nearly 1.5 billion records. The breaches were not due to a direct compromise of Salesforce itself, but rather stemmed from attackers exploiting weaknesses in third-party OAuth integrations connected to Salesforce environments. At the recent Dreamforce conference, Salesforce emphasized security as a shared responsibility and introduced new AI-driven security and compliance agents, but notably did not address the recent OAuth breach incidents that have led to more than 70 lawsuits. Security experts highlighted this omission, noting that the lessons from these breaches are critical for the future of interconnected, AI-driven business platforms. According to Google Threat Intelligence Group, the attackers systematically exported large volumes of data from numerous corporate Salesforce instances by abusing OAuth tokens. These tokens, which are designed to allow secure, delegated access to cloud applications, were leveraged by threat actors to gain persistent, high-privilege access to customer data. Proofpoint researchers have further warned that attackers are increasingly abusing both external and internal OAuth-based applications to maintain access to cloud environments, even after password resets or the enforcement of multifactor authentication. Internal OAuth applications, which are registered within an organization’s own cloud tenant and typically trusted, can be particularly difficult to detect when compromised. Attackers have developed automated toolkits to register malicious OAuth applications with pre-configured permissions, using compromised admin accounts to escalate privileges and maintain persistence. The breaches underscore the risks inherent in SaaS supply chains, where third-party integrations can become a vector for large-scale data exfiltration. Security professionals stress the importance of monitoring OAuth app permissions, regularly auditing third-party integrations, and educating users about the risks of granting excessive access. The incident has prompted calls for greater transparency and proactive security measures from both SaaS providers and their customers. The scale of the breach and the sophistication of the attack methods highlight the evolving threat landscape facing cloud-based business platforms. Organizations are urged to review their OAuth security posture and implement robust controls to mitigate similar risks in the future. The incident serves as a stark reminder that even trusted cloud environments can be compromised through indirect attack vectors, necessitating a holistic approach to cloud security.
Mar 21, 2026