Excerpt from Mint Article, Published on October 4, 2025

A coalition of cybercriminals known as Scattered LAPSUS$ Hunters has claimed responsibility for stealing nearly one billion records from organizations using Salesforce platforms. This extensive data theft reportedly targeted major companies in sectors such as retail, finance, transportation, entertainment, and luxury goods, including well-known names like Marks & Spencer, the Co-op, Jaguar Land Rover, FedEx, Disney, and Toyota.

The hackers did not breach Salesforce’s core systems directly. Instead, they exploited weaknesses in customer environments by employing sophisticated social engineering methods, mainly voice phishing—or “vishing”—to deceive employees of Salesforce customers. This tactic tricked help desk staff into granting unauthorized access. Additionally, the attackers reportedly installed malicious versions of Salesforce’s Data Loader tool, allowing them to extract data in bulk from these compromised accounts.

Salesforce has publicly stated it found no indications of a breach in its technology platform and that these incidents are related to third-party integrations and weaknesses on the customer side. The company is actively investigating the situation with the help of external experts and authorities, emphasizing its commitment to protecting customer environments. Meanwhile, the threat actors have launched a dark web leak site enumerating about 40 victim organizations and demanding ransom payments from both Salesforce and the affected companies, threatening to release stolen data publicly if their demands are not met.

This breach underscores the growing risks in SaaS supply chains, especially how attackers leverage trusted integrations and human vulnerabilities to access sensitive data. Security experts caution organizations to stay vigilant against phishing and OAuth token abuse, common tactics identified in these attacks. As Salesforce continues remediation efforts, this incident serves as a critical reminder for companies to strengthen user education and tighten access controls in cloud environments.
