Salesforce Hacks: Extortion Group Leaks Millions of Sensitive Records

A unified extortion group known as Scattered Lapsus$ Hunters exploited OAuth token leaks from Salesloft integrations to infiltrate Salesforce-connected systems. At least 44 major companies were affected, with millions of customer records leaked—highlighting the growing risks of third-party cloud integrations.

    The latest wave of data breaches tied to Salesforce-integrated platforms has triggered widespread concern among cybersecurity professionals and enterprise IT leaders, exposing the fragility of cloud ecosystem integrations. A loosely allied extortion group calling itself “Scattered Lapsus$ Hunters”—composed of members from high-profile gangs including Lapsus$, Scattered Spider, and ShinyHunters—has claimed responsibility for breaching dozens of prominent organizations by exploiting OAuth token leaks and impersonation tactics. With massive amounts of customer data now circulating on the dark web, the attacks underscore the rising operational risks associated with third-party cloud integrations such as Salesloft and Salesforce.

    Attackers Exploited Third-Party OAuth Flaws, Not Salesforce Directly

    Although Salesforce was named by the attackers and in multiple media reports, the company itself has stated there is no evidence of a direct compromise of the core Salesforce platform.

    Initial Access Originated From Compromised Salesloft Integrations

    According to investigations, the threat campaign stemmed from attacks on Salesloft, a sales engagement platform widely integrated with Salesforce. Between March and June 2025, attackers breached Salesloft’s GitHub repositories, accessing cloud credentials and OAuth tokens embedded within code. These tokens, used to authenticate with Salesforce and other APIs, allowed the group unauthorized access to connected systems without triggering traditional login alerts.

    OAuth tokens were then used in phishing and impersonation campaigns, enabling attackers to insert malicious integrations into enterprise Salesforce environments. Integration via the Drift chatbot—a feature utilized by Salesloft—played a key role in establishing deeper access through which attackers exfiltrated sensitive customer data.

    “Our findings indicate these attempts relate to past or unsubstantiated incidents,” Salesforce emphasized in a statement. “There is no indication that the Salesforce platform has been compromised.”

    Ransom Demands Precipitated Mass Data Leaks

    The Scattered Lapsus$ Hunters group used a centralized leak platform on the dark web to pressure victims into ransom payments. After Qantas and others reportedly refused to pay, the stolen information was disclosed in bulk.

    Qantas Data Leak Highlights Risks to Customer Privacy

    The theft of Qantas customer data became one of the highest-profile breaches in the campaign. The attackers reportedly compromised data belonging to as many as 5 million individuals. According to statements from the airline and analysts, exposed information included:

    • Names, email addresses, and phone numbers
    • Birth dates and frequent flyer numbers
    • Home addresses for approximately one million users

    Despite assurances that no financial or passport data was obtained, cybersecurity experts have warned the exposed information is sufficient to fuel widespread phishing campaigns, identity theft, and fraud.

    Qantas stated that it had secured a legal injunction to restrict redistribution of the data, though the efficacy of such legal measures remains limited once data has been leaked to darknet markets.

    At Least 44 Major Companies Have Been Affected by the Salesforce Hack

    The breach campaign impacted a broad array of global corporations, underscoring the gravity of Salesforce ecosystem vulnerabilities. Victims named by the attackers or confirmed through public disclosures include:

    • Google
    • Allianz Life
    • Cisco
    • Disney (through Hulu)
    • Toyota Motors
    • Kering
    • TransUnion
    • McDonald’s
    • Workday
    • FedEx
    • Adidas

    Not all organizations have confirmed the full extent of data loss, but most have acknowledged that attackers accessed integrated sales engagement or customer relationship systems.

    Law Enforcement Crackdowns Disrupted But Did Not Stop Attacks

    Just before several leaks were posted, U.S. and French authorities seized major infrastructure used by the threat actors, including BreachForums domain variants such as breachforums.hn. The FBI also reportedly destroyed backups and databases used for data escrow, limiting the threat group’s logistical foundation.

    Nonetheless, the attackers quickly migrated operations to encrypted channel platforms like Telegram, abandoning centralized forums in favor of more resilient and secretive communication strategies. The group explicitly warned the cybercriminal community that new BreachForums variants may function as honeypots for law enforcement or cybersecurity researchers.

    Cory Michal, Chief Security Officer at AppOmni, noted that repeated takedowns are beginning to undermine the viability of centralized leak platforms:

    “With law enforcement pressure increasing, these groups are shifting to more private platforms to protect themselves, but this also makes their operations harder to manage and less scalable.”

    Key Takeaways for Security Teams

    As this multi-vector campaign unfolds, several lessons emerge for CISOs and security analysts tasked with safeguarding enterprise data residing in cloud platforms:

    1. Audit Third-Party Integrations Continuously – Sensitive data exposure often originates not from core platforms like Salesforce but from poorly secured integrations (e.g., Salesloft, Drift). Regular risk assessments of all connected services are essential.
    2. Harden OAuth and API Access Controls – Misconfigured or mishandled OAuth tokens enabled lateral movement and mass data exfiltration. Short-lived tokens and tighter scope limitations could reduce reusability in breach scenarios.
    3. Monitor for Unusual Integration Behavior – Behavioral analytics and integration-level logging can help detect unauthorized apps or automated data scraping via APIs.
    4. Prepare for Double Extortion Models – Groups like Scattered Lapsus$ Hunters combine data theft with aggressive extortion timelines. Legal responses, PR strategies, and incident response workflows should be pre-planned.
    5. Use Zero Trust Principles – Impersonation tactics remain effective due to implicit trust between users and services. Implement stricter identity verification and reduce human approval for newly installed integrations.
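As an added illustration of takeaways 1 and 3 (not code from the article or from Salesforce), the script below runs two checks over integration API audit records: an allowlist check for connected apps nobody approved, and a volume check that flags reads far above an app's own baseline or above an absolute ceiling. The log format, app names and thresholds are constructed for the example; real Salesforce Event Monitoring fields differ.

```python
"""Flag suspicious connected-app (integration) activity in CRM API audit records.

Added example, not from the article. The JSON-lines format, app names and
thresholds are constructed assumptions; adapt field names to your real audit logs.
"""
import json
from collections import defaultdict
from statistics import median

# Constructed sample records: one line per API call made by an integration.
# The first three calls look like routine sync; the last three do not.
SAMPLE_LOG = """
{"ts":"2025-08-08T09:00:00Z","app":"salesloft-sync","user":"svc-sales","op":"query","rows":120,"object":"Contact"}
{"ts":"2025-08-08T09:05:00Z","app":"salesloft-sync","user":"svc-sales","op":"query","rows":95,"object":"Contact"}
{"ts":"2025-08-08T09:10:00Z","app":"salesloft-sync","user":"svc-sales","op":"query","rows":110,"object":"Lead"}
{"ts":"2025-08-08T21:12:00Z","app":"salesloft-sync","user":"svc-sales","op":"query","rows":250000,"object":"Contact"}
{"ts":"2025-08-08T21:15:00Z","app":"salesloft-sync","user":"svc-sales","op":"query","rows":240000,"object":"Case"}
{"ts":"2025-08-08T21:30:00Z","app":"data-exporter-x","user":"svc-sales","op":"query","rows":500,"object":"Account"}
"""

APPROVED_APPS = {"salesloft-sync", "drift-chat"}  # hypothetical integration allowlist
VOLUME_RATIO = 20.0      # rows per call more than 20x the app's median is suspicious
ABS_MAX_ROWS = 100_000   # ceiling that flags even an app whose every call is huge


def parse_records(text):
    """Parse JSON-lines audit text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_rows(records):
    """Median rows-per-call for each app; the median resists a few huge scraping calls."""
    per_app = defaultdict(list)
    for r in records:
        per_app[r["app"]].append(r["rows"])
    return {app: median(rows) for app, rows in per_app.items()}


def find_suspicious(records, approved=APPROVED_APPS):
    """Return findings for unapproved apps and for bulk reads, in log order."""
    base = baseline_rows(records)
    findings = []
    for r in records:
        if r["app"] not in approved:
            findings.append({"ts": r["ts"], "app": r["app"], "reason": "unapproved_app"})
        if r["rows"] > ABS_MAX_ROWS or r["rows"] > VOLUME_RATIO * base[r["app"]]:
            findings.append({"ts": r["ts"], "app": r["app"], "reason": "bulk_read"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_records(SAMPLE_LOG)):
        print(f"{f['ts']} {f['app']}: {f['reason']}")
```

A credential stolen from a third-party integration looks like the integration itself, so the volume check is what separates the stolen token's mass reads from the app's normal sync traffic.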

    A Broader Reckoning for Cloud Ecosystems

    The Salesforce-related extortion campaign illustrates the cascading effects weak integration hygiene can have in modern, SaaS-dependent enterprises. While Salesforce’s core systems appear uncompromised, the surrounding API and third-party ecosystem proved a fertile attack surface for determined adversaries.

    With attacker groups now operating across traditional group lines and shifting to encrypted platforms, defenders must adopt more agile and comprehensive cloud security postures to detect and prevent the next wave of data exposures.
