
Salesforce Blames Social Engineering for Ransomware Breaches

Summary

– Hackers called Shiny Hunters claim to have stolen nearly 1 billion Salesforce records and are demanding a ransom from 39 companies and Salesforce, with a deadline of Oct. 10, 2025.
– The hackers published alleged data samples from major brands like Adidas, Cisco, FedEx, and Disney on a dark web site called Scattered Lapsus$ Hunters.
– Salesforce attributes the data loss to social engineering attacks on its users and third-party app vulnerabilities, not a breach of its own platform.
– Previous incidents include voice phishing attacks by Shiny Hunters in June 2025 and an exploited integration between Salesloft Drift and Salesforce that was disabled and reinstated in August-September 2025.
– By September 2025, 14 companies had sued Salesforce over unauthorized data access, and observers debate Salesforce’s accountability despite the social engineering methods used.

A significant cybersecurity incident involving Salesforce has emerged, with a hacker group known as Shiny Hunters claiming responsibility for accessing and exfiltrating close to one billion records. The group established a dark web portal named Scattered Lapsus$ Hunters, where they posted samples of data allegedly stolen from major corporations including Adidas, Cisco, FedEx, and Disney. They have issued a ransom demand to 39 affected companies and Salesforce itself, setting a final deadline of October 10, 2025, for payment before publicly releasing the stolen information.

Although the ransom site appeared only recently, many cybersecurity professionals view this event as the peak of an extended series of security breaches. One observer on LinkedIn likened the unfolding situation to watching a slow-motion train wreck, indicating that warning signs have been visible for some time.

Salesforce has officially stated that the platform itself was not compromised. Instead, the company attributes the data loss to social engineering attacks that successfully targeted its users. According to their security advisory, these incidents stem from what they describe as “past or unsubstantiated” events, primarily involving sophisticated social engineering and malicious third-party application attacks that have been reported over recent months.

The timeline of these attacks shows a clear escalation. In June 2025, Google Threat Intelligence documented voice phishing operations conducted by Shiny Hunters members. In these attacks, hackers phoned individuals and tricked them into installing harmful OAuth applications, which granted the attackers unauthorized access. Later, in August 2025, the same research team identified a security vulnerability involving an integration between Salesloft Drift and Salesforce, which attackers exploited to obtain sensitive data. Salesforce temporarily disabled this integration on August 28, 2025, and restored it with enhanced security measures on September 7, 2025.

By September 2025, the situation had deteriorated to the point where fourteen companies filed lawsuits against Salesforce, citing repeated unauthorized access to their data. Last week’s ransom demand appears to represent the culmination of these persistent efforts to acquire and monetize Salesforce records.

On professional networks and forums such as LinkedIn and Reddit, many commentators argue that regardless of the social engineering methods used, Salesforce cannot be considered entirely blameless for these breaches. They suggest the company bears some responsibility for the security of its ecosystem. Meanwhile, another perspective gaining traction is that such attacks are an unavoidable aspect of digital business operations, leading some to advocate for eliminating intermediary platforms entirely to reduce vulnerability.

(Source: MarTech)
