Stellantis Confirms Data Breach Following Salesforce-Linked Attack

Stellantis confirms a data breach impacting North American customers after a Salesforce-linked attack, with ShinyHunters claiming 18 million records stolen and the FBI warning of ongoing OAuth token exploits.

    Global automotive giant Stellantis has confirmed that attackers accessed a third-party service provider’s platform and stole customer data linked to its North American operations. The company emphasized that only customer contact information was exposed, not financial data or other highly sensitive personal information.

    Stellantis, formed in 2021 after the merger of PSA Group and Fiat Chrysler Automobiles, is among the world’s largest automakers, operating in more than 130 countries and owning 14 well-known brands including Jeep, Dodge, Chrysler, Peugeot, and Maserati.

    Incident Response and Customer Advisory

    In a statement, Stellantis said it had “detected unauthorized access” to a platform supporting its North American customer service operations. Upon discovery, the company activated its incident response protocols, launched an investigation, and notified the appropriate authorities. Affected customers are also being informed directly.

    Stellantis has urged customers to remain vigilant against phishing attempts and to avoid clicking on suspicious links or sharing personal data through unexpected emails, text messages, or phone calls.

    Link to Salesforce Breach and ShinyHunters

    While Stellantis did not disclose the specific platform involved, cybersecurity outlet BleepingComputer reported that the attack is part of a recent wave of Salesforce data breaches tied to the notorious ShinyHunters extortion group.

    ShinyHunters claims to have stolen more than 18 million Salesforce records containing names and contact information from Stellantis’ Salesforce environment. This breach is one of many affecting high-profile companies including Google, Cisco, Qantas, Adidas, Allianz Life, Workday, and LVMH subsidiaries such as Louis Vuitton and Tiffany & Co.

    Attack Methodology and Broader Campaign

    The group says it used stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce to access sensitive information such as passwords, AWS keys, Snowflake tokens, and customer data. Similar attacks have reportedly compromised Salesforce instances at major cybersecurity vendors including Palo Alto Networks, CyberArk, Qualys, Proofpoint, and BeyondTrust.

    The FBI recently issued a Flash alert warning organizations of this campaign, sharing indicators of compromise (IOCs) and urging companies to review their Salesforce OAuth configurations and rotate credentials to prevent further exploitation.

    The Bigger Picture

    ShinyHunters told BleepingComputer they have stolen over 1.5 billion Salesforce records from more than 760 companies since the beginning of the year, making this one of the most significant data theft campaigns targeting cloud-based customer relationship management (CRM) platforms.

    This breach highlights the growing risk of third-party and supply-chain compromises, pushing companies to strengthen their cloud security posture and monitor OAuth integrations more closely.
