Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies.

Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records.

The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group's strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments.
The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Scattered Lapsus$ Hunters leaked stolen Salesforce customer data
Following the takedown of its leak site and victims' refusal to pay, the group released stolen data from Salesforce customers publicly. Reporting identified at least six affected companies, including Albertsons, Engie Resources, Fuji Film, The Gap, Qantas, and Vietnam Airlines.
Leak site was taken offline, possibly after FBI disruption
After the extortion campaign escalated, the group's data leak site was taken offline, with reporting suggesting possible law enforcement intervention. Later coverage explicitly described the disruption as an FBI action against the breach site.
Salesforce said it would not pay and denied platform compromise
Salesforce publicly stated it would not negotiate with or pay the extortionists. The company said it found no indication that the Salesforce platform itself had been compromised or that the activity stemmed from a known Salesforce vulnerability.
Threat actors set Oct. 10 deadline and crowdsourced harassment
The group threatened to publish all stolen data by October 10, 2025 unless its demands were met, and began offering small Bitcoin payments to supporters who harassed executives at alleged victim organizations. It also threatened to target listed customers if Salesforce did not engage.
Scattered Lapsus$ Hunters launched a Salesforce leak site
The extortion group reemerged with a dark web leak site listing 39 organizations allegedly affected in the Salesforce-related data theft campaign. The group claimed it had stolen up to roughly 1 to 1.5 billion records from hundreds of companies and used the site to pressure victims into paying.
Google and Salesforce published defensive guidance for the campaign
Google/Mandiant and Salesforce released a defensive framework to help organizations harden Salesforce environments, improve logging, and detect abuse tied to the ongoing intrusions. Guidance also emphasized stronger help-desk verification and protection against social engineering.
FBI and Google identified token abuse affecting Salesloft-linked customers
U.S. authorities and Google warned that attackers were using stolen OAuth tokens from the Salesloft Drift Email AI chatbot integration to access Salesforce instances. Reporting said the campaign affected hundreds of organizations, with Google estimating impact to roughly 700 Salesloft customers.
Salesforce customer intrusions began via social engineering and stolen tokens
Google threat intelligence reported that attacks against Salesforce customer environments began in early August 2025. The activity was linked to campaigns tracked as UNC6040 and UNC6395, involving vishing and abuse of stolen OAuth tokens associated with the Salesloft Drift app.
Salesloft GitHub compromise exposed secrets and OAuth tokens
Salesloft disclosed that its GitHub account was compromised between March and June 2025, allowing attackers to steal secrets from private source code, including OAuth tokens tied to the Drift Salesforce integration. Those stolen tokens were later used to access customer Salesforce environments.
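The timeline above describes the abuse chain: OAuth tokens for a third-party connected app were stolen and then used to log into customer Salesforce instances. As an added example (not code from the page, Salesforce, Salesloft or Google), the triage a defender could run over connected-app login records to surface that pattern: successful logins through the integration's connected app from an IP outside the vendor's known ranges, or inside the reported abuse window, are flagged, and the affected integration users are listed for token revocation. The record shape, app name, IPs, allowlist and window start are constructed assumptions, not values from the incident.

```python
from datetime import datetime, timezone

# Constructed sample records, shaped loosely like Salesforce LoginHistory rows
# (hypothetical values; not data from the incident).
SAMPLE_LOGINS = [
    {"user": "drift-integration@corp.example", "application": "Salesloft Drift",
     "source_ip": "198.51.100.7", "login_time": "2025-07-15T09:00:00Z", "status": "Success"},
    {"user": "drift-integration@corp.example", "application": "Salesloft Drift",
     "source_ip": "203.0.113.44", "login_time": "2025-08-09T02:31:00Z", "status": "Success"},
    {"user": "drift-integration@corp.example", "application": "Salesloft Drift",
     "source_ip": "203.0.113.44", "login_time": "2025-08-09T02:40:00Z", "status": "Success"},
    {"user": "alice@corp.example", "application": "Browser",
     "source_ip": "192.0.2.9", "login_time": "2025-08-09T08:00:00Z", "status": "Success"},
]

# Assumed egress addresses of the integration vendor (hypothetical allowlist).
VENDOR_IPS = {"198.51.100.7"}
# Start of the window in which stolen tokens were reported in use ("early August 2025").
ABUSE_WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_integration_logins(logins, app_name, vendor_ips, window_start):
    """Return review findings for successful logins made through `app_name`.

    A login is flagged when its source IP is not in the vendor allowlist and/or
    when it falls inside the reported abuse window; each finding lists its reasons.
    """
    findings = []
    for row in logins:
        if row["application"] != app_name or row["status"] != "Success":
            continue
        reasons = []
        if row["source_ip"] not in vendor_ips:
            reasons.append("source_ip not in vendor allowlist")
        if parse_time(row["login_time"]) >= window_start:
            reasons.append("inside reported abuse window")
        if reasons:
            findings.append({"user": row["user"], "source_ip": row["source_ip"],
                             "login_time": row["login_time"], "reasons": reasons})
    return findings


def revocation_candidates(findings):
    """Integration users whose tokens should be revoked and re-issued: any user with a
    flagged login from a non-vendor IP (a token used from elsewhere is presumed stolen)."""
    return sorted({f["user"] for f in findings
                   if "source_ip not in vendor allowlist" in f["reasons"]})
```

In a real review the allowlist comes from the vendor's published ranges and the window from the vendor's disclosure; logins that are inside the window but from vendor IPs still merit a look at what data the session read.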
Sources
Scattered Lapsus$ Hunters release stolen data from Salesforce customers
scworld.com
Hacker Alliance Demands Ransom: Scattered LAPSUS$ Hunters Claim 1 Billion Records Stolen from Salesforce
securityonline.info
Salesforce Extortion Group Leaks Data After FBI Disruption
bankinfosecurity.com
Salesforce Extortion Group Leaks Data After FBI Disruption
govinfosecurity.com
Ransomware Group Debuts Salesforce Customer Data Leak Site
govinfosecurity.com
Ransomware Group Debuts Salesforce Customer Data Leak Site
bankinfosecurity.com
Scattered Lapsus$ Hunters Returns With Salesforce Leak Site
darkreading.com
ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
securityaffairs.com