For months now, journalists and cybersecurity specialists, together with Cybersecurity, have been following the actions of the hacker collective “Scattered Lapsus$ Hunters,” a kind of supergroup of the already well-known cybercriminal entities ShinyHunters, Scattered Spider and Lapsus$. Now this collective has launched a website where it extorts payment from organizations in return for delisting and deleting their data. The collective has been targeting Salesforce data in particular as valuable extortion leverage.
The scope and organization of this operation represent the next step in cybercrime, hinting at the potential ramifications of the group’s previously announced intention of offering ransomware-as-a-service. But if we trace it back to the beginning, we can see that even sophisticated attacks like this one start with simple and typical digital inroads.
Late 2024
Attackers using social engineering, particularly over the phone (“vishing,” for voice phishing), gain access to corporate Salesforce data across many organizations. They accomplish this by tricking someone with access into adding a fraudulent integration to their Salesforce instance. Once this integration was added, the attackers had API-level access to the target Salesforce instance and were able to exfiltrate data. This affected many large companies, including Google and Cisco.
March 2025 – June 2025
Attackers gain access to Salesloft’s corporate GitHub account. Salesloft is a sales engagement platform with an AI chatbot called “Drift” that integrates with Salesforce and other applications. Using this GitHub account, they download content from several repositories, create their own user in the organization and set up custom workflows. It appears that during this time the attackers also reconnoitered Salesloft’s application environment, but Salesloft claims no other actions were taken there. The attackers access Salesloft Drift’s AWS environment, presumably using credentials found in the compromised GitHub repository. Within the AWS environment, the attackers discover the OAuth tokens of Salesloft Drift customers.
June 2025
Google publishes an article detailing how these attackers use social engineering phone calls, in which they impersonate IT support or other authorized users, to gain access specifically to Salesforce-related data through malicious integrations. It may have been through such a social engineering attempt, or the data gained from a successful one, that the initial GitHub credentials for Salesloft were compromised.
August 8-18 2025
Using the valid OAuth integration tokens from Salesloft Drift, the attackers access and exfiltrate data from the integrated platforms, such as Salesforce. At first, Salesloft claims that only Salesforce integrations are affected, but it is quickly revealed that “Salesloft Drift customers were compromised en masse, potentially snagging any user that integrated the AI chat agent platform to another third-party service,” according to Google’s August 26th report.
August 20th 2025
August 26th 2025
September 7th 2025
Salesloft Drift goes back online.
September 17th 2025
The hacker collective Scattered Lapsus$ Hunters claims to be “going dark” and that operations will cease. Continued activity, especially around Salesforce-related data, is noted by many cybersecurity specialists.
October 3rd 2025
Scattered Lapsus$ Hunters launches its “extortionware” portal, threatening Salesforce and the organizations compromised by social engineering or in the Salesloft Drift breach with publication of their data should payment not be made. A deadline of October 10th is posted.
[Screenshot of leak site]
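The August 8-18 entry above describes valid integration tokens being used to pull data out of Salesforce. A stolen token does not fail authentication, so the detection opportunity lies in the integration's behaviour departing from its own history: a sudden jump in rows read, and objects it never touched before. The following added example, which is not code from the original article, Salesloft or Salesforce, shows that logic run over a constructed set of API-usage records. The record layout (`ts`, `app`, `entity`, `rows`) and the app names `DriftIntegration` and `ChatApp` are assumptions for the example; in practice these fields would be mapped from an org's event monitoring export.

```python
"""Flag integration API activity that departs from its own history: sudden volume
spikes and objects the integration never read before. The record layout and the
events below are constructed for this example, not taken from any real org."""
from collections import defaultdict
from statistics import median


def _build_events():
    # Constructed sample: one integration reads Lead and Contact at a steady
    # rate for a week, then pulls four objects in bulk in the small hours of
    # the final day; a second integration stays steady throughout.
    events = []
    for d in range(1, 8):
        ts = f"2025-08-{d:02d}T10:00:00Z"
        events.append({"ts": ts, "app": "DriftIntegration", "entity": "Lead", "rows": 300})
        events.append({"ts": ts, "app": "DriftIntegration", "entity": "Contact", "rows": 200})
        events.append({"ts": ts, "app": "ChatApp", "entity": "Contact", "rows": 50})
    bulk_pull = [("Account", 120000), ("Opportunity", 60000), ("Contact", 80000), ("Lead", 40000)]
    for entity, rows in bulk_pull:
        events.append({"ts": "2025-08-08T02:13:00Z", "app": "DriftIntegration",
                       "entity": entity, "rows": rows})
    events.append({"ts": "2025-08-08T10:00:00Z", "app": "ChatApp", "entity": "Contact", "rows": 55})
    return events


SAMPLE_EVENTS = _build_events()


def detect_anomalies(events, ratio=10.0, min_rows=10000):
    """Return alerts for (a) a day whose row count is at least `min_rows` and more
    than `ratio` times the median of that app's earlier days, and (b) an object an
    app reads for the first time on a day after its first day of activity."""
    # Daily row totals per app: app -> day -> rows
    by_app_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        by_app_day[e["app"]][e["ts"][:10]] += e["rows"]

    alerts = []
    for app, days in by_app_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered[1:], 1):
            baseline = median(days[d] for d in ordered[:i])  # only days before this one
            rows = days[day]
            if rows >= min_rows and rows > ratio * baseline:
                alerts.append({"kind": "volume_spike", "app": app, "day": day,
                               "rows": rows, "baseline": baseline})

    # Objects seen on an app's first day of activity form its known set; anything
    # new after that is reported once.
    first_day = {app: min(days) for app, days in by_app_day.items()}
    known = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        app, day, entity = e["app"], e["ts"][:10], e["entity"]
        if day == first_day[app]:
            known[app].add(entity)
        elif entity not in known[app]:
            known[app].add(entity)
            alerts.append({"kind": "new_entity", "app": app, "day": day, "entity": entity})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

The median-based baseline is deliberately simple; a single quiet week is enough history for it, and the `min_rows` floor keeps small integrations from alerting on ordinary day-to-day variation. The `new_entity` check is the more useful of the two against this kind of token theft, since a chatbot integration reading Account and Opportunity for the first time is a change of purpose regardless of volume.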
This incident can seem overwhelming, but the root causes are both known and preventable. User risk, especially that of social engineering, continues to be the most common cause of data exposures. Accounting for and addressing user risk is essential to operational security. We don’t know for certain how the attackers compromised Salesloft’s GitHub account, but we do know that in doing so they gained access to a vast amount of data, including further credentials that let them into other systems. GitHub sanitation has long been recognized as a key factor in preventing data exposure. Often such breaches happen when a repository is made public, but even in a private repository, care should be taken to limit or completely remove embedded credentials that could be used for further access.
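The paragraph above recommends removing embedded credentials from repositories, public or private. One practical control is a scanner run as a pre-commit hook or in CI that refuses to let known credential formats, or high-entropy values assigned to secret-looking variable names, into the tree. The following is an added example written for this article, not code from the original page or from any of the companies it discusses. The public AWS and GitHub token formats in `PATTERNS` are real; the sample configuration is constructed and uses AWS's published example credentials, and the entropy threshold and variable-name keywords are assumptions that a team would tune.

```python
"""Scan repository files for embedded credentials before they are committed.
The regexes are public token formats; SAMPLE_CONFIG is a constructed sample."""
import math
import os
import re
from collections import Counter

# Fixed-format credentials that can be matched exactly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic check: an assignment whose name suggests a secret and whose value is
# long and high-entropy (keyword list and threshold are assumptions to tune).
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z_]*(?:secret|token|password|passwd|api_key|client_secret)[A-Z_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-\.]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens usually exceed this


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return one finding per line that carries a known token format or a
    high-entropy value assigned to a secret-looking name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": name, "match": m.group(0)})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            if not any(f["line"] == lineno for f in findings):  # don't double-report
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy_secret", "match": m.group(1)})
    return findings


def scan_tree(root, extensions=(".py", ".js", ".ts", ".env", ".yml", ".yaml",
                                ".json", ".tf", ".sh", ".properties")):
    """Walk a checkout and scan every file with one of the given extensions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for fn in filenames:
            if fn.endswith(extensions):
                p = os.path.join(dirpath, fn)
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(fh.read(), p))
                except OSError:
                    continue
    return findings


# Constructed sample; the AWS values are AWS's published documentation examples.
SAMPLE_CONFIG = """\
# constructed sample, not a real key
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SALESFORCE_CLIENT_SECRET="A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0"
LOG_LEVEL=debug
DB_PASSWORD=password
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.env"):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['match']})")
```

Running the scanner on the sample reports the AWS access key ID, the AWS secret key and the Salesforce client secret, and stays quiet on `LOG_LEVEL` and on the short, low-entropy `DB_PASSWORD` value, which illustrates the limit of entropy checks: weak passwords slip through, so the scan complements rather than replaces moving credentials into a secrets manager.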
Salesforce data is valuable leverage for a malicious actor because it contains the critical business elements that generate revenue, such as customer and lead data, deal details, and other confidential information that can financially and reputationally damage a company and its customers if it becomes public. One of Salesforce’s greatest functional strengths is its ability to integrate with almost anything, a flexibility that allows companies in different industries and of different scales to tailor it to their specific needs. However, acting as a platform into which many third parties can be integrated also creates a large attack surface and a substantial increase in risk.
In the first method of obtaining data, the attackers used social engineering to trick people into allowing malicious Salesforce integrations. In the second method, they were able to compromise a large legitimate Salesforce integration itself and use that integration’s OAuth tokens to exfiltrate Salesforce data from its users. In both cases, the ability of integrations to read the full Salesforce dataset led to the compromise of that data.
In an official response, Salesforce has stated that “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” That is technically true. It is also true that the Salesforce platform has been the single largest source of stolen data this year.
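Both methods described above ended the same way: an integration holding a token that could read the whole dataset. The corresponding control is a periodic audit of which connected apps are authorized, how broad their OAuth scopes are, whether any user can self-authorize them, and whether their tokens are still in use. The following is an added example, not code from the original article or from Salesforce, that runs such an audit over a constructed list of grants. The record fields (`app`, `scopes`, `last_used`, `admin_approved_only`), the allowlist and the 90-day staleness window are assumptions; the scope names `full`, `api`, `refresh_token`, `offline_access`, `openid` and `id` are Salesforce OAuth scopes, and the point the example makes is that `full`, or `api` combined with a refresh scope, is persistent read access to everything the authorizing user can see.

```python
"""Audit the OAuth grants held by Salesforce connected apps for over-broad scope,
self-service authorization and stale tokens. The record layout, allowlist and
sample grants are constructed for this example."""
from collections import Counter
from datetime import date, timedelta

# "full" is everything; "api" plus a refresh scope is persistent API access that
# outlives the user's session, which is what a stolen token gives an attacker.
REFRESH_SCOPES = {"refresh_token", "offline_access"}
STALE_AFTER = timedelta(days=90)  # assumption: tokens unused this long should be revoked

APPROVED_APPS = {"Drift by Salesloft", "Slack", "SSO Login"}  # constructed allowlist

SAMPLE_GRANTS = [  # constructed records, not exported from a real org
    {"app": "Drift by Salesloft", "scopes": ["api", "refresh_token"],
     "last_used": "2025-08-18", "admin_approved_only": False},
    {"app": "Data Loader Helper", "scopes": ["full", "refresh_token"],
     "last_used": "2025-08-10", "admin_approved_only": False},
    {"app": "Slack", "scopes": ["api", "refresh_token"],
     "last_used": "2025-03-01", "admin_approved_only": True},
    {"app": "SSO Login", "scopes": ["openid", "id"],
     "last_used": "2025-10-01", "admin_approved_only": True},
]


def is_broad(scopes):
    """True when the scope set amounts to persistent read access to the org's data."""
    s = set(scopes)
    return "full" in s or ("api" in s and bool(s & REFRESH_SCOPES))


def audit_grants(grants, approved_apps, today):
    """Return one finding per problem per grant, in a fixed order per grant."""
    findings = []
    for g in grants:
        app = g["app"]
        if app not in approved_apps:
            findings.append({"app": app, "kind": "unapproved_app",
                             "detail": "not on the connected-app allowlist"})
        if is_broad(g["scopes"]):
            findings.append({"app": app, "kind": "broad_scope",
                             "detail": "scopes " + ",".join(g["scopes"])})
        if not g["admin_approved_only"]:
            findings.append({"app": app, "kind": "open_to_all_users",
                             "detail": "any user can authorize this app"})
        idle = today - date.fromisoformat(g["last_used"])
        if idle > STALE_AFTER:
            findings.append({"app": app, "kind": "stale_token",
                             "detail": f"last used {idle.days} days ago"})
    return findings


def summarize(findings):
    """Count findings by kind, for a quick view of where the risk concentrates."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = audit_grants(SAMPLE_GRANTS, APPROVED_APPS, date.today())
    for f in results:
        print(f"{f['app']}: {f['kind']} ({f['detail']})")
    print(summarize(results))
```

In the sample, the unapproved helper app with `full` scope and self-service authorization is the obvious outlier, but the audit also shows that an approved chatbot integration with `api` and `refresh_token` holds exactly the kind of persistent, org-wide read access that made the Drift tokens so valuable. The mitigation for that case is not to deny the app but to scope it to the objects it needs, restrict authorization to admin-approved users, and revoke tokens that go unused.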