
Scattered Lapsus$ Hunters Launch Data Leak Site Targeting Salesforce: Massive OAuth Supply Chain Breach Exposes 1 Billion Records

  • Rescana
  • Oct 5
  • 7 min read
Image for post about Scattered Lapsus$ Hunters Returns With Salesforce Leak Site

Executive Summary

On October 3, 2025, a coalition of threat actors known as Scattered Lapsus$ Hunters—comprising members of the notorious ShinyHunters, Scattered Spider, and Lapsus$ groups—publicly launched a data leak site threatening to release approximately 1 billion records allegedly stolen from the Salesforce environments of 39 to 40 major organizations. The attackers are demanding a ransom from Salesforce and individual victim companies, with a deadline of October 10, 2025, to prevent public disclosure of the data. The affected organizations span critical sectors, including finance, technology, retail, transportation, entertainment, and luxury goods. The attackers exploited social engineering (voice phishing) and OAuth token abuse, particularly via the Salesloft Drift integration, to gain unauthorized access to Salesforce customer environments. Salesforce has stated that its core platform was not breached and that the incidents are related to third-party integrations and customer-side security lapses. Regulatory scrutiny, including threats of GDPR-related lawsuits, and significant reputational and operational risks have emerged for affected organizations. All information in this summary is directly sourced from The Register (https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/), BleepingComputer (https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/), and TechCrunch (https://techcrunch.com/2025/10/03/hacking-group-claims-theft-of-1-billion-records-from-salesforce-customer-databases/).

Technical Information

The Scattered Lapsus$ Hunters incident represents a complex, multi-stage supply chain attack targeting organizations using Salesforce and its third-party integrations. The attackers leveraged a combination of social engineering and technical abuse of OAuth tokens to gain persistent, privileged access to customer environments.

The primary initial access vector was voice phishing (vishing): callers posing as IT support walked employees through authorizing a connected app controlled by the attackers (in the earlier Salesforce vishing campaigns reported by Google, a modified copy of Salesforce's own Data Loader tool). This does not break multi-factor authentication (MFA); it sidesteps it. The employee completes the OAuth consent inside a session that has already passed MFA, and the access and refresh tokens issued to the app are then usable from the attackers' own infrastructure without any further MFA prompt, for as long as nobody revokes them. No privilege escalation exploit is involved either: the token simply carries the authorizing user's permissions, so the more records that user could read, the more the attackers could export. The Salesloft Drift case is the other half of the picture. There the tokens were not phished from the victims at all; per Salesloft's own disclosure they were taken from the vendor side and replayed against every customer tenant that had connected Drift to Salesforce. In both cases the attackers deployed no malware and relied on the trust Salesforce places in an authorized integration.

Once a token was in hand, the attackers used the same APIs legitimate tooling uses (SOQL queries through the REST, SOAP and Bulk APIs) to script the export of whole objects such as Accounts, Contacts, Cases and Opportunities. The stolen data included personal information and, because credentials routinely end up in support case text, also passwords, AWS access keys and Snowflake tokens, which turns a CRM breach into a foothold in the victims' other environments. The attackers then used this data to extort the victim organizations, threatening public disclosure unless ransoms were paid.
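The practical follow-up to the paragraph above is "which credentials did we keep in there?". The script below is an added example for this write-up, not code from Rescana or Salesforce: it scans an export of Salesforce records for the kinds of secrets the attackers were after and produces a rotation worklist per secret type. The records are constructed, the field names mirror the Case object, and the patterns are heuristics (only the AWS access key ID shape is a documented format; the rest are keyword based and will need tuning for a real export).

```python
"""Triage an exported set of Salesforce records for embedded secrets.

Added example, not code from the Rescana write-up or from Salesforce. The
records below are constructed; the field names (Id, Subject, Description)
mirror the Case object but any mapping of string fields is accepted. The
patterns are heuristics chosen for this example: the AWS access key ID shape
is documented by AWS, the rest are keyword based and will need tuning.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SECRET_PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+]{40})"),
    # a Snowflake account URL is not a credential, but it tells you which warehouse to lock down
    "snowflake_account_url": re.compile(r"\b[a-z0-9._-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # enough to recognise which secret it is, not enough to reuse it


def redact(value: str) -> str:
    """Keep a four-character prefix so the owner can tell which key is burned."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_record(record: dict) -> list[Finding]:
    """Run every pattern over every string field of one record."""
    rid = str(record.get("Id", "<no id>"))
    findings = []
    for field, value in record.items():
        if field == "Id" or not isinstance(value, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(value):
                hit = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(rid, field, kind, redact(hit)))
    return findings


def scan_export(records: list[dict]) -> list[Finding]:
    return [f for record in records for f in scan_record(record)]


def rotation_worklist(findings: list[Finding]) -> dict[str, list[str]]:
    """Secret kind -> sorted record IDs: the list an IR lead hands to each owning team."""
    worklist: dict[str, set[str]] = {}
    for f in findings:
        worklist.setdefault(f.kind, set()).add(f.record_id)
    return {kind: sorted(ids) for kind, ids in worklist.items()}


# Constructed sample export; the AWS values are the documented AWS example credentials.
SAMPLE_EXPORT = [
    {"Id": "5001", "Subject": "Integration failing",
     "Description": "Tried AKIAIOSFODNN7EXAMPLE with aws_secret_access_key="
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still getting 403"},
    {"Id": "5002", "Subject": "Warehouse login",
     "Description": "Reset done. Account: xy12345.eu-central-1.snowflakecomputing.com password: Winter2025!"},
    {"Id": "5003", "Subject": "API test",
     "Description": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl' ..."},
    {"Id": "5004", "Subject": "Address change",
     "Description": "Customer moved, update billing address."},
]

if __name__ == "__main__":
    findings = scan_export(SAMPLE_EXPORT)
    for f in findings:
        print(f"{f.record_id} {f.field:<12} {f.kind:<22} {f.redacted}")
    print(rotation_worklist(findings))
```

Run it over a real export (for example a CSV pulled with Data Loader, loaded into dicts) and hand each key of the worklist to the team that owns that secret type; the redacted prefix is what lets them find the matching key in their own inventory without the scanner output itself becoming a second copy of the secrets.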

The technical methods employed by the attackers align with several MITRE ATT&CK techniques: Phishing (T1566; the vishing calls are the Spearphishing Voice sub-technique, T1566.004), Valid Accounts (T1078), Trusted Relationship (T1199), Steal Application Access Token (T1528), Data from Information Repositories (T1213), and Exfiltration Over Web Service (T1567). These techniques were confirmed by primary sources and mapped to MITRE ATT&CK by AppOmni (https://appomni.com/blog/saas-supply-chain-attacks-mitre-attck-mapping/).

No traditional malware was identified in this campaign. Instead, the attackers used malicious OAuth applications and abused legitimate integrations to achieve their objectives. Because the activity is ordinary API traffic carrying a valid token, endpoint and network controls on the victim side never see it; only the SaaS platform's own logs can reveal it, which is what gave the attackers their stealth.

The threat actors behind this campaign have a well-documented history of high-profile data breaches and extortion, including the 2024 campaign against Snowflake customer accounts (AT&T among the victims), PowerSchool, and multiple casino and transportation companies. Recent law enforcement actions, including arrests in the UK and US, have not deterred the group, which reemerged with the new leak site shortly after announcing a supposed "retirement."

The incident has had a broad impact across multiple sectors. In finance, organizations such as TransUnion and Allianz Life were affected. The technology sector saw breaches at Google, Cisco, Cloudflare, Palo Alto Networks, CyberArk, Rubrik, Elastic, BeyondTrust, Proofpoint, JFrog, Zscaler, Tenable, Nutanix, Qualys, and Cato Networks. Retailers including Home Depot, Gap, IKEA, McDonald's, Walgreens, and Instacart were also targeted. The transportation sector included Qantas, Air France & KLM, FedEx, UPS, Toyota, and Stellantis. Entertainment and luxury goods companies such as Disney/Hulu, HBO Max, Cartier, Chanel, and LVMH subsidiaries (Dior, Louis Vuitton, Tiffany & Co.) were also listed as victims.

The attackers' focus on organizations with large Salesforce environments and valuable customer data, often impacting both parent companies and subsidiaries, demonstrates a sophisticated understanding of SaaS supply chain vulnerabilities and integration sprawl.

Salesforce has maintained that its core platform was not compromised and that the incidents are related to third-party integrations and customer-side security lapses. The company has worked with external experts and authorities to investigate the extortion attempts and has engaged with affected customers to provide support. At this time, there is no evidence of a direct breach of the Salesforce platform or any known vulnerability in Salesforce technology.

The evidence supporting these findings includes technical artifacts such as OAuth token abuse, API logs, integration permissions, and published victim data. The pattern of social engineering, OAuth abuse, and extortion tactics is consistent across incidents and has been confirmed by Google Threat Intelligence and Mandiant. Attribution to the coalition of ShinyHunters, Scattered Spider, and Lapsus$ is based on direct claims by the actors, technical overlap in tactics, techniques, and procedures (TTPs), and confirmation by independent threat intelligence sources.

The incident has also led to regulatory scrutiny, with the attackers threatening to assist law firms in pursuing civil and commercial lawsuits against Salesforce for alleged failures to protect customer data under the European General Data Protection Regulation (GDPR). This has heightened the reputational and operational risks for affected organizations, many of which have not publicly disclosed the breaches.

In summary, the Scattered Lapsus$ Hunters incident is a sophisticated, multi-vector SaaS supply chain attack that exploited social engineering and OAuth token abuse via trusted integrations to exfiltrate massive datasets from a wide range of organizations. The attackers' use of legitimate integrations and tokens allowed them to evade detection and maximize the impact of the breach.

Affected Versions & Timeline

The incident primarily affected organizations using Salesforce with third-party integrations, particularly the Salesloft Drift integration. There is no evidence that the core Salesforce platform or any specific version was directly compromised, and no CVE or product vulnerability is involved. The attackers relied on customer-side security lapses (users authorizing unvetted apps, over-privileged integration users) and on OAuth tokens taken from an integration vendor.

The verified timeline of events is as follows:

  • Early 2025: Scattered Lapsus$ Hunters begin targeting Salesforce customers with vishing calls that lead employees to authorize attacker-controlled connected apps.
  • August 8 to 18, 2025: OAuth tokens issued to the Salesloft Drift integration are used to export data from hundreds of Salesforce customer tenants.
  • August 20, 2025: Salesforce revokes all active Drift access and refresh tokens and removes the Drift app from AppExchange.
  • August 26, 2025: Google Threat Intelligence Group publicly discloses the Drift campaign; Salesforce and Google notify affected organizations and subsequently warn that the actors are preparing a data leak site.
  • September 2025: following arrests in the UK and US, Scattered Spider and Lapsus$-linked accounts announce their "retirement," but a new leak site appears days later.
  • October 3, 2025: the leak site goes live, listing 39 to 40 victim companies and threatening to publish roughly 1 billion records unless a ransom is paid by October 10, 2025.

The affected organizations include, but are not limited to, FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, IKEA, Allianz Life, Qantas, Stellantis, Workday, and LVMH subsidiaries (Dior, Louis Vuitton, Tiffany & Co.).

Threat Activity

The threat activity associated with the Scattered Lapsus$ Hunters incident is characterized by a combination of social engineering, technical exploitation, and extortion. The attackers used voice phishing to trick employees into authorizing malicious OAuth applications, enabling them to bypass MFA and gain persistent access to Salesforce environments. They exploited OAuth token abuse, particularly via the Salesloft Drift integration, to escalate privileges and exfiltrate data.

The attackers automated data extraction using Salesforce APIs and targeted organizations with large, interconnected Salesforce environments. The stolen data was used to extort victim organizations, with threats of public disclosure unless ransoms were paid. The attackers also threatened to assist law firms in pursuing GDPR-related lawsuits against Salesforce.

The group has a history of high-profile data breaches and extortion campaigns, including the 2024 campaign against Snowflake customer accounts, AT&T, PowerSchool, and multiple casino and transportation companies. Recent law enforcement actions have not deterred the group, which reemerged with the new leak site shortly after announcing a supposed "retirement."

The threat activity has had a broad impact across multiple sectors, including finance, technology, retail, transportation, entertainment, and luxury goods. The attackers' focus on organizations with valuable customer data and interconnected Salesforce environments demonstrates a sophisticated understanding of SaaS supply chain vulnerabilities.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations using Salesforce with third-party integrations, particularly Salesloft Drift, should immediately inventory every connected app and OAuth token in the org (Setup > Connected Apps OAuth Usage, or a query on the OauthToken object), revoke any token belonging to an unrecognized, long-unused or vendor-compromised app, and block the app so users cannot simply re-authorize it. Then restrict who can authorize apps at all: set connected apps to "Admin approved users are pre-authorized," grant each integration only the OAuth scopes and profile or permission-set access it needs, and apply IP restrictions to integration users.
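The audit step above is easy to describe and tedious to do by hand across a large org, so here is an added example (not code from Rescana or Salesforce) that turns a token inventory into a revocation plan with a reason per token. The input is shaped like the JSON the REST query endpoint returns for the OauthToken object; the field names in the SOQL string and the DELETE-to-revoke REST path follow the public object reference but are assumptions here, to be verified against your org's API version before use. The token records and the approved-app list are constructed.

```python
"""Audit OAuth tokens held against a Salesforce org and plan revocations.

Added example, not code from the Rescana write-up or from Salesforce. Input is
the JSON shape the REST query endpoint returns for the OauthToken object; the
field names in OAUTH_TOKEN_SOQL and the DELETE-to-revoke REST path are taken
from the public object reference but are assumptions here: verify both against
your org's API version before running anything for real. The records and the
approved-app list are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

OAUTH_TOKEN_SOQL = (
    "SELECT Id, AppName, User.Username, UseCount, LastUsedDate, CreatedDate "
    "FROM OauthToken"
)
APPROVED_APPS = {"Data Loader", "Finance Reporting Connector"}   # constructed inventory
APPS_UNDER_INVESTIGATION = ("drift", "salesloft")                # case-insensitive substrings
STALE_AFTER = timedelta(days=90)


def parse_sf_datetime(value: str) -> datetime:
    """Salesforce emits e.g. 2025-08-12T09:14:00.000+0000; %z accepts the +0000 form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def classify_token(token: dict, now: datetime) -> str | None:
    """Return why this token should be revoked, or None to keep it.

    Order matters: a token for an integration under investigation is revoked
    even if the app is otherwise approved and was used recently.
    """
    app = token["AppName"]
    if any(s in app.lower() for s in APPS_UNDER_INVESTIGATION):
        return "integration under investigation"
    if app not in APPROVED_APPS:
        return "app not on the approved list"
    last_used = token.get("LastUsedDate")
    if last_used is None or now - parse_sf_datetime(last_used) > STALE_AFTER:
        return "unused for more than 90 days"
    return None


def plan_revocations(tokens: list[dict], now: datetime) -> list[dict]:
    """One row per token to revoke, carrying the evidence to record before deleting it."""
    plan = []
    for t in tokens:
        reason = classify_token(t, now)
        if reason:
            plan.append({"id": t["Id"], "app": t["AppName"], "user": t["User"]["Username"],
                         "use_count": t["UseCount"], "last_used": t.get("LastUsedDate"),
                         "reason": reason})
    return plan


def revoke_request(instance_url: str, token_id: str, api_version: str = "v61.0") -> tuple[str, str]:
    """Deleting the OauthToken record revokes the token (assumed from the object reference)."""
    return ("DELETE", f"{instance_url}/services/data/{api_version}/sobjects/OauthToken/{token_id}")


SAMPLE_TOKENS = [  # constructed, shaped like REST query result records
    {"Id": "0Aa1", "AppName": "Data Loader", "User": {"Username": "alice@example.com"},
     "UseCount": 412, "LastUsedDate": "2025-10-01T08:02:11.000+0000",
     "CreatedDate": "2024-11-03T10:00:00.000+0000"},
    {"Id": "0Aa2", "AppName": "Data Loader", "User": {"Username": "bob@example.com"},
     "UseCount": 3, "LastUsedDate": "2025-05-01T12:00:00.000+0000",
     "CreatedDate": "2025-04-30T12:00:00.000+0000"},
    {"Id": "0Aa3", "AppName": "Salesloft Drift", "User": {"Username": "integration.user@example.com"},
     "UseCount": 9876, "LastUsedDate": "2025-08-15T03:40:00.000+0000",
     "CreatedDate": "2024-02-20T09:00:00.000+0000"},
    {"Id": "0Aa4", "AppName": "My Ticket Portal", "User": {"Username": "carol@example.com"},
     "UseCount": 1, "LastUsedDate": "2025-10-02T15:20:00.000+0000",
     "CreatedDate": "2025-10-02T15:19:00.000+0000"},
    {"Id": "0Aa5", "AppName": "Finance Reporting Connector", "User": {"Username": "svc.finance@example.com"},
     "UseCount": 0, "LastUsedDate": None, "CreatedDate": "2025-01-10T09:00:00.000+0000"},
]
NOW = datetime(2025, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in plan_revocations(SAMPLE_TOKENS, NOW):
        method, url = revoke_request("https://example.my.salesforce.com", row["id"])
        print(f"{row['id']} {row['app']:<28} {row['user']:<30} {row['reason']}  ->  {method} {url}")
```

The plan records UseCount and LastUsedDate for each token before it is deleted, because revocation destroys that evidence and it is exactly what an investigator later needs to scope what the token was used for. Note also that a never-used token (LastUsedDate absent) is treated as stale rather than harmless: an authorization that nobody uses is one an attacker could.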

High: Conduct organization-wide security awareness training focused on social engineering and phishing, with an emphasis on the fact that IT support will never ask a user to authorize an application over the phone. Enforce MFA for all interactive logins, but recognize that MFA does not protect an OAuth token a user has already consented to; pair it with a policy under which only admin-approved connected apps can be authorized, and alert on every new connected app that appears in the OAuth usage view.

High: Review and monitor Salesforce API logs (the EventLogFile API, RestApi and Bulk API event types, plus Login History) for unusual data access: unfamiliar client names or user agents, source IPs outside known egress ranges, queries walking across Account, Contact, Case and Opportunity in quick succession, and row counts far above an integration's normal baseline. Establish automated alerts for anomalous integration behavior and large-scale data exports.
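What "anomalous integration behavior" looks like in the logs is easier to show than to describe, so the following is an added example (not code from Rescana or Salesforce) that scores API events per user, client and hour and raises an alert when the volume, object spread, source IP and client identity together look like a scripted export. The log is constructed in the column layout of the EventLogFile API event type; the column names are assumed from the public EventLogFile reference and should be checked against a real file from your org. The corporate egress range, the client inventory and the thresholds are example values.

```python
"""Flag bulk-export behaviour in Salesforce API event logs.

Added example, not code from the Rescana write-up or from Salesforce. The log
below is constructed in the column layout of the EventLogFile "API" event type
(column names assumed from the public EventLogFile reference; check them
against a real file from your org). Thresholds, the corporate egress range
and the client inventory are example values. Events are bucketed into fixed
one-hour windows per (user, client) so a single scripted pull spread over
several calls still adds up.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]        # constructed
KNOWN_CLIENTS = {"Data Loader", "Finance Reporting Connector"}     # constructed inventory
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Lead", "Opportunity", "User"}
ROWS_PER_HOUR_THRESHOLD = 50_000
OBJECT_SPREAD_THRESHOLD = 3   # distinct sensitive objects queried in one hour
ALERT_SCORE = 3               # volume alone alerts; weaker signals must corroborate each other

SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-08-09T02:03:11.000Z,alice@example.com,203.0.113.10,Data Loader,query,Account,200
API,2025-08-09T02:05:40.000Z,svc.drift@example.com,198.51.100.77,,query,Case,40000
API,2025-08-09T02:06:02.000Z,svc.drift@example.com,198.51.100.77,,query,Account,30000
API,2025-08-09T02:06:30.000Z,svc.drift@example.com,198.51.100.77,,query,User,500
API,2025-08-09T02:07:15.000Z,svc.drift@example.com,198.51.100.77,,query,Opportunity,20000
API,2025-08-09T03:10:00.000Z,bob@example.com,203.0.113.11,Finance Reporting Connector,query,Opportunity,800
"""


def parse_rows(text: str) -> list[dict]:
    """Parse the CSV and truncate each timestamp to its hour bucket."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"] or 0)
        ts = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["_hour"] = ts.replace(minute=0, second=0, microsecond=0)
        rows.append(r)
    return rows


def outside_corporate(ip: str) -> bool:
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_EGRESS)


def detect(rows: list[dict]) -> list[dict]:
    """Aggregate per (user, client, hour); return scored alerts with their reasons."""
    buckets = defaultdict(lambda: {"rows": 0, "objects": set(), "ips": set()})
    for r in rows:
        key = (r["USER_NAME"], r["CLIENT_NAME"] or "<no client header>", r["_hour"])
        bucket = buckets[key]
        bucket["rows"] += r["ROWS_PROCESSED"]
        if r["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            bucket["objects"].add(r["ENTITY_NAME"])
        bucket["ips"].add(r["CLIENT_IP"])

    alerts = []
    for (user, client, hour), b in sorted(buckets.items()):
        score, reasons = 0, []
        if b["rows"] > ROWS_PER_HOUR_THRESHOLD:
            score += 3
            reasons.append(f"{b['rows']} rows in one hour")
        if len(b["objects"]) >= OBJECT_SPREAD_THRESHOLD:
            score += 2
            reasons.append("enumerated " + ", ".join(sorted(b["objects"])))
        if client not in KNOWN_CLIENTS:
            score += 1
            reasons.append(f"client {client!r} not in integration inventory")
        bad_ips = sorted(ip for ip in b["ips"] if outside_corporate(ip))
        if bad_ips:
            score += 2
            reasons.append("source outside corporate egress: " + ", ".join(bad_ips))
        if score >= ALERT_SCORE:
            alerts.append({"user": user, "client": client, "hour": hour.isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_rows(SAMPLE_LOG)):
        print(f"{alert['hour']} {alert['user']} via {alert['client']} score={alert['score']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The scoring is deliberate: a missing client header or an unfamiliar IP on its own would page you for every ad hoc API call, whereas tens of thousands of rows in an hour is worth a look by itself, and an unknown client pulling several core objects from an unexpected network in the same hour is what the Drift-style export looks like in practice. Point the parser at a real daily EventLogFile and tune the baseline per integration user before trusting the thresholds.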

Medium: Follow the advisories from Salesforce and the affected integration vendors. There is no patch to apply, since no Salesforce vulnerability is involved; for Drift customers Salesforce has already revoked the integration's tokens and removed the app from AppExchange, so the remaining work is on the customer side. Rotate any credential that lived in Salesforce records (API keys, cloud access keys, Snowflake tokens, passwords in case notes), since these are exactly what the attackers harvested. Collaborate with incident response teams and external experts to assess potential exposure and implement additional security controls.

Medium: Prepare for potential regulatory and legal actions by documenting all incident response activities and communications with affected customers and authorities. Review data protection and breach notification policies to ensure compliance with GDPR and other relevant regulations.

Low: Regularly review and update third-party integration inventories, removing unused or unnecessary applications. Consider implementing additional monitoring and segmentation for high-value data within Salesforce environments.

References

The Register: https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/

BleepingComputer: https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/

TechCrunch: https://techcrunch.com/2025/10/03/hacking-group-claims-theft-of-1-billion-records-from-salesforce-customer-databases/

AppOmni (MITRE ATT&CK mapping): https://appomni.com/blog/saas-supply-chain-attacks-mitre-attck-mapping/

MITRE ATT&CK Phishing (T1566): https://attack.mitre.org/techniques/T1566/

Anomali (Salesloft-Drift breach recap): https://www.anomali.com/blog/salesloft-drift-breach-recap

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external vendors and SaaS integrations. Our platform enables continuous visibility into third-party security posture, supports integration inventory management, and facilitates rapid response to supply chain threats. For questions or further information, please contact us at ops@rescana.com.
