Extortion Attacks Targeting Salesforce Customers
A series of extortion attacks have targeted organizations using Salesforce, resulting in the leakage of millions of records. Attackers have exploited vulnerabilities or misconfigurations in Salesforce environments to gain unauthorized access to sensitive customer and business data. Once inside, the threat actors exfiltrated large volumes of information, which they then used as leverage in extortion attempts against the affected companies. The attackers threatened to publicly release or sell the stolen data unless their demands were met, putting significant pressure on the victim organizations. Security experts have highlighted that these incidents demonstrate the growing risk of supply chain and third-party platform attacks, as Salesforce is widely used across industries for customer relationship management. The attacks have raised concerns about the adequacy of security controls and monitoring within cloud-based SaaS platforms, especially when organizations rely heavily on default configurations. In response, security professionals have urged companies to review their Salesforce security settings, implement robust access controls, and monitor for unusual activity. The incidents have also prompted calls for better incident response planning, as organizations must be prepared to act quickly in the event of a breach involving critical business platforms. The extortion group responsible for these attacks has demonstrated technical sophistication, leveraging both technical exploits and social engineering tactics to maximize their impact. The exposure of millions of records has potential regulatory and reputational consequences for the affected organizations, particularly in jurisdictions with strict data protection laws. Security podcasts and news outlets have discussed the technical details of the attacks, the methods used by the extortionists, and the broader implications for cloud security. Experts have also noted that these attacks may inspire copycat incidents targeting other SaaS providers. The events underscore the importance of regular security assessments and employee training to defend against evolving threats. Organizations are advised to stay informed about emerging attack techniques and to collaborate with their SaaS vendors to ensure comprehensive security coverage. The Salesforce extortion attacks serve as a stark reminder of the risks associated with cloud service dependencies and the need for proactive cybersecurity measures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Extortion group leaks millions of records from Salesforce hacks
An extortion group published millions of records allegedly obtained through compromises involving Salesforce environments, marking a public escalation of the campaign.
Researchers uncover Oracle E-Business Suite zero-day chain
A new zero-day affecting Oracle E-Business Suite was identified after attackers were found chaining multiple low-severity flaws into a critical exploit path.
Discord discloses breach of customer support application
Discord experienced a breach involving its customer support application, creating the potential exposure of sensitive user information tied to support operations.
Wave of extortion attacks targets Salesforce customers
A campaign of extortion attacks began targeting organizations that use Salesforce, raising concerns about the security of cloud-based CRM environments and how attackers were exploiting access to customer data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Salesforce-Targeted Data Breaches Impacting Google, Workday, and Others via Social Engineering
A coordinated wave of cyberattacks in 2025 targeted organizations using Salesforce’s CRM platform, resulting in significant data breaches at major companies including Google and Workday. Attackers exploited the inherent trust and connectivity of cloud-based CRM systems, focusing on social engineering rather than technical vulnerabilities. Workday confirmed that attackers accessed a database containing business contact information for up to 11,000 corporate customers and 70 million individual user records, with the breach discovered in early August 2025. Google also disclosed that its Salesforce instance used for Google Ads leads was compromised, leading to the theft of over 2.5 million customer records, including business contact details and sales notes for small and mid-sized clients. Cisco and other organizations were also listed among the victims of this campaign. The threat group responsible, identified as UNC6040 and associated with ShinyHunters, used telephone-based social engineering (vishing) to trick employees into granting access or sharing credentials. Attackers convinced targets to use a modified, unauthorized version of the Salesforce Data Loader app, which enabled them to exfiltrate sensitive data from Salesforce environments. Mandiant, working with Google, provided proactive defense recommendations, emphasizing that the attacks did not exploit Salesforce vulnerabilities but rather relied on manipulating end users. The attackers’ tactics included delayed extortion demands, sometimes occurring months after the initial compromise. The breaches highlighted the risks of interconnected cloud services and the importance of robust identity and access management. Security experts stressed the need for organizations to harden their Salesforce and other cloud assets against social engineering. The incidents underscored the growing trend of targeting SaaS platforms through human factors rather than technical flaws. Lessons from these breaches include the necessity of employee training, multi-factor authentication, and vigilant monitoring of third-party integrations. The scale and sophistication of the attacks demonstrated the evolving threat landscape for cloud-based business applications. Organizations are urged to review their incident response plans and ensure that all users are aware of the risks posed by social engineering campaigns. The breaches serve as a warning for enterprises to reassess their security posture around cloud CRM platforms and to implement layered defenses against both technical and human-centric threats.
May 6, 2026
Massive OAuth Abuse Exposes Salesforce Customer Data via Third-Party Integrations
A significant wave of OAuth-related breaches has recently impacted the Salesforce ecosystem, resulting in the exposure of sensitive data from over 700 organizations and affecting nearly 1.5 billion records. The breaches were not due to a direct compromise of Salesforce itself, but rather stemmed from attackers exploiting weaknesses in third-party OAuth integrations connected to Salesforce environments. At the recent Dreamforce conference, Salesforce emphasized security as a shared responsibility and introduced new AI-driven security and compliance agents, but notably did not address the recent OAuth breach incidents that have led to more than 70 lawsuits. Security experts highlighted this omission, noting that the lessons from these breaches are critical for the future of interconnected, AI-driven business platforms. According to Google Threat Intelligence Group, the attackers systematically exported large volumes of data from numerous corporate Salesforce instances by abusing OAuth tokens. These tokens, which are designed to allow secure, delegated access to cloud applications, were leveraged by threat actors to gain persistent, high-privilege access to customer data. Proofpoint researchers have further warned that attackers are increasingly abusing both external and internal OAuth-based applications to maintain access to cloud environments, even after password resets or the enforcement of multifactor authentication. Internal OAuth applications, which are registered within an organization’s own cloud tenant and typically trusted, can be particularly difficult to detect when compromised. Attackers have developed automated toolkits to register malicious OAuth applications with pre-configured permissions, using compromised admin accounts to escalate privileges and maintain persistence. The breaches underscore the risks inherent in SaaS supply chains, where third-party integrations can become a vector for large-scale data exfiltration. Security professionals stress the importance of monitoring OAuth app permissions, regularly auditing third-party integrations, and educating users about the risks of granting excessive access. The incident has prompted calls for greater transparency and proactive security measures from both SaaS providers and their customers. The scale of the breach and the sophistication of the attack methods highlight the evolving threat landscape facing cloud-based business platforms. Organizations are urged to review their OAuth security posture and implement robust controls to mitigate similar risks in the future. The incident serves as a stark reminder that even trusted cloud environments can be compromised through indirect attack vectors, necessitating a holistic approach to cloud security.
Mar 21, 2026
Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.
Mar 21, 2026