How many records were stolen in the Salesforce breaches?

The threat actors claim to have stolen approximately one billion records from Salesforce customers. In a separate but related campaign discovered in August 2025, the attackers exploited stolen OAuth tokens from Salesloft's Drift AI chat integration with Salesforce, impacting approximately 760 companies and resulting in the theft of an estimated 1.5 billion Salesforce records.

Which companies were affected by the Salesforce breach?

The data leak site lists 39 confirmed victim organizations, including major global brands such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, IKEA, KFC, and Albertsons. Several companies have confirmed breaches, including Allianz Life (1.1 million customers impacted), Farmers Insurance (1.1 million customers), TransUnion (4.4 million individuals), Google, Cisco, Qantas Airways, Adidas, Chanel, Pandora, Workday, and Stellantis.

Who is behind the Salesforce extortion campaign?

A coalition of cybercriminal groups calling themselves Scattered Lapsus$ Hunters is behind the campaign. ShinyHunters representatives have also communicated with media outlets about the attacks.

What are the attackers demanding from Salesforce?

The extortion demands include a ransom request to Salesforce CEO Marc Benioff for 20 Bitcoin, with the threat actors promising to withdraw all individual extortion attempts against Salesforce customers if the company pays. The attackers threatened that if Salesforce does not negotiate, all customer data will be leaked. They also warned they would assist law firms in pursuing civil and commercial lawsuits against Salesforce for alleged failures to protect customer data as required under GDPR.

What has Salesforce said about the breach?

Salesforce issued a statement declaring they are aware of recent extortion attempts by threat actors, which they have investigated in partnership with external experts and authorities. Their findings indicate these attempts relate to past or unsubstantiated incidents. At the time of their statement, there was no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in their technology. The company emphasized that the breaches resulted from social engineering attacks targeting individual customer environments rather than from technical flaws in the Salesforce infrastructure.

Was the Salesforce platform itself compromised?

According to Salesforce, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in their technology. The breaches resulted from social engineering attacks targeting individual customer environments rather than from any technical flaws in the Salesforce infrastructure.

What is the deadline for the Salesforce ransom demands?

The threat actors set an October 10, 2025 deadline for their ransom demands, threatening to release stolen data publicly if the demands are not met.

How many customers were impacted at specific companies?

Several companies have disclosed specific impact numbers: Allianz Life reported 1.1 million customers impacted, Farmers Insurance reported 1.1 million customers affected, and TransUnion reported 4.4 million individuals impacted by the breach.

What is OAuth token exploitation?

In the August 2025 campaign, threat actors exploited stolen OAuth tokens from Salesloft's Drift AI chat integration with Salesforce. OAuth tokens are authentication credentials that allow applications to access user data. When these tokens are stolen, attackers can use them to gain unauthorized access to systems without needing usernames or passwords.

How much Bitcoin are the attackers demanding from Salesforce?

The extortion demands include a ransom request to Salesforce CEO Marc Benioff for 20 Bitcoin, with the promise that if Salesforce pays, all individual extortion attempts against Salesforce customers will be withdrawn.

What social engineering methods were used in the Salesforce attacks?

The breaches involved voice phishing (vishing) and malicious OAuth Connected Apps abuse. Voice phishing is a social engineering technique where attackers use phone calls to trick victims into revealing sensitive information or credentials.

Incident

Cybercrime gangs launches extortion campaign on Salesforce customers

Q: How did the attackers breach Salesforce customer data?

The breaches occurred through voice phishing and malicious OAuth Connected Apps abuse in September. In a separate campaign discovered in August 2025, threat actors exploited stolen OAuth tokens from Salesloft's Drift AI chat integration with Salesforce. The company emphasized that the breaches resulted from social engineering attacks targeting individual customer environments rather than from any technical flaws in the Salesforce infrastructure.

published: Oct. 6, 2025

Learn More

A coalition of cybercriminal groups calling themselves "Scattered Lapsus$ Hunters" has launched an extortion campaign targeting Salesforce customers, claiming to have stolen approximately one billion records from companies storing their customer and corporate data in Salesforce cloud databases.

On October 3, 2025, the threat actors published a dark web data leak site listing 39 victim organizations and threatening to release their stolen data publicly unless ransom demands are met by an October 10, 2025 deadline.

It seems that the threats relate to the breached Salesforce instances through voice phishing and malicious OAuth Connected Apps abuse in September.

In a separate but related campaign discovered in August 2025, the threat actors exploited stolen OAuth tokens from Salesloft's Drift AI chat integration with Salesforce. This attack impacted approximately 760 companies and resulted in the theft of an estimated 1.5 billion Salesforce records.

The data leak site launched on October 3, 2025, lists 39 confirmed victim organizations, including major global brands such as

FedEx,
Disney/Hulu,
Home Depot,
Marriott,
Google,
Cisco,
Toyota,
Gap,
McDonald's,
Walgreens,
Instacart,
Cartier,
Adidas,
Saks Fifth Avenue,
Air France & KLM,
TransUnion,
HBO Max,
UPS,
Chanel,
IKEA,
KFC,
Albertsons.

ShinyHunters representatives told media outlets that "there are numerous other companies that have not been listed," suggesting the actual number of victims significantly exceeds those publicly disclosed. Several companies have confirmed breaches, including Allianz Life (1.1 million customers impacted), Farmers Insurance (1.1 million customers), TransUnion (4.4 million individuals), Google, Cisco, Qantas Airways, Adidas, Chanel, Pandora, Workday, and automotive giant Stellantis.

The extortion demands include a ransom request to Salesforce CEO Marc Benioff for 20 Bitcoin, with the threat actors promising to withdraw all individual extortion attempts against Salesforce customers if the company pays. "Contact us to negociate [sic] this ransom or all your customers data will be leaked," the message on the leak site states. "If we come to a resolution all individual extortions again your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc." The threat actors also warned they would assist law firms in pursuing civil and commercial lawsuits against Salesforce for alleged failures to protect customer data as required under the European General Data Protection Regulation (GDPR).

Salesforce issued a statement on its status update site declaring: "We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology."

The company emphasized that the breaches resulted from social engineering attacks targeting individual customer environments rather than from any technical flaws in the Salesforce infrastructure.

Update - as of 8th of October 2025, Salesforce notified customers it will not pay ransom to the hackers threatening to publish data stolen from customer instances. Per an internal memo seen by Bloomberg, Salesforce is aware that the hacker group ShinyHunters plans to publish some of the stolen information. Salesforce claims that it will not negotiate or comply with any form of extortion.

As of 10th of October 2025 Scattered Lapsus$ Hunters leaked some of the stolen Salesforce data.

Qantas Airways Limited - 153 GB
Vietnam Airlines - 63.62 GB
Albertsons Companies, Inc. - 2 GB
GAP, INC. - 1 GB
Fujifilm - 155MB
Engie Resources - 3 GB

Cybercrime gangs launches extortion campaign on Salesforce customers