
We're the #1 AI CRM—where humans with agents drive customer success together with AI, data, and Customer 360 apps on one platform. Privacy Statement: http://www.salesforce.com/company/privacy/

Salesforce A.I CyberSecurity Scoring

Salesforce

Company Details

Linkedin ID: salesforce
Employees number: 84,115
Number of followers: 6,028,213
NAICS: 5112
Industry Type: Software Development
Homepage: salesforce.com
IP Addresses: 4
Company ID: SAL_2246365
Scan Status: Completed

Salesforce Risk Score (AI oriented): Between 0 and 549
Salesforce Global Score (TPRM): XXXX

Salesforce Company CyberSecurity News & History

Past Incidents: 12
Attack Types: 3

Salesforce | Breach | Severity: 85 | Impact: 4 | Seen: 3/2025
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: Salesforce experienced a data breach originating from a third-party provider, **SalesLoft**, specifically via its **Drift app**—an integration used for automated customer communications. The breach was executed by the hacker group **ShinyHunters**, who exploited compromised **GitHub credentials** at SalesLoft between **March and June**, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate **Drift’s AWS environment**, obtaining **OAuth tokens** from multiple customer organizations, including **Cloudflare, Zscaler, Palo Alto Networks, and others**. The stolen data primarily included **customer contact details, basic IT support information, access tokens, and IT configuration details**. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed **CRM fields, support cases, and integration data** across **hundreds of affected organizations**. Salesforce refused to pay ransom demands, emphasizing a **no-negotiation stance** against extortion. The **Drift app remains disabled**, and affected customers were advised to **renew access tokens** to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.

Salesforce | Breach | Severity: 85 | Impact: 4 | Seen: 8/2025
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: A widespread data breach in **Salesforce** was uncovered by Google’s Threat Intelligence Group (GTIG) and Mandiant, orchestrated by the threat actor **UNC6395** between **August 8–18, 2025**. The attackers exploited **stolen OAuth tokens** from the **Salesloft Drift** third-party application, bypassing **Multi-Factor Authentication (MFA)** by abusing non-human identities (NHIs). This allowed them to **systematically exfiltrate large volumes of data** from corporate Salesforce accounts, focusing on **customer accounts, user details, and high-value secrets**—including **AWS access keys, Snowflake tokens, and other credentials**. The breach targeted **sensitive customer data**, with attackers deleting query logs to obscure their activity. While **Google Cloud customers were unaffected**, Salesforce and Salesloft responded by **revoking all Drift app tokens** and temporarily removing the app from the **AppExchange** during investigations. The incident highlights a growing trend of **NHI-based attacks**, where persistent, high-privilege non-human identities are exploited to **steal credentials and escalate access**. Organizations were urged to **harden access controls, rotate compromised keys, and enforce IP restrictions** to mitigate future risks. The breach underscores critical gaps in **identity governance**, as many firms lack even basic inventories of NHIs, leaving them vulnerable to such **covert, high-impact exfiltration campaigns**.

Salesforce | Cyber Attack | Severity: 60 | Impact: n/a | Seen: 05/2019
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the Salesforce technology team blocked access to certain instances that contain customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contain affected customers until they could block access to orgs with the inadvertent permissions. As a result, customers who were not affected may also have experienced service disruption.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 6/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Salesforce was targeted by the newly formed **Scattered LAPSUS$ Hunters (SLH)**, a federated cybercriminal collective merging the capabilities of **Scattered Spider, ShinyHunters, and LAPSUS$**. The attack involved **AI-driven vishing, spearphishing, and zero-day exploitations** (e.g., **CVE-2025-61882** in Oracle E-Business Suite) to compromise Salesforce’s cloud infrastructure. SLH leveraged **credential harvesting, lateral movement, and privilege escalation** to exfiltrate sensitive data, likely including **customer and enterprise SaaS records**. The group announced the breach on their **Telegram-based data-leak site (DLS)**, using psychological tactics to maximize reputational damage. Given SLH’s **Extortion-as-a-Service (EaaS) model** and history of targeting high-value enterprises, the attack likely resulted in **financial fraud, operational disruption, and erosion of customer trust**. The involvement of actors like **‘yuka’ (linked to BlackLotus UEFI bootkit)** suggests advanced persistence mechanisms, increasing the risk of **long-term data exposure or ransomware deployment**. The breach aligns with SLH’s strategy of **high-impact, brand-damaging extortion**, posing existential threats to Salesforce’s market position and regulatory compliance.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 5/2024
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Salesforce is facing a major extortion attempt by a crime syndicate known as **Scattered LAPSUS$ Hunters** (tracked as **UNC6040** by Mandiant), which claims to have stolen approximately **1 billion records** from **dozens of Salesforce customers**, including high-profile companies like **Toyota and FedEx**. The attack began in **May 2024**, with the threat actors using **voice phishing (vishing)** to trick employees into connecting a malicious app to their Salesforce portals. The group created a **dedicated leak site**, demanding a ransom from Salesforce itself—threatening to **publicly dump all stolen customer data** if payment was not made by a specified deadline. Salesforce has **refused to negotiate**, risking potential exposure of sensitive customer records. The stolen data reportedly includes **personal, financial, and corporate information** from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly **1 billion records**—suggests a **systemic compromise** with far-reaching consequences for Salesforce’s client base, including potential **fraud, identity theft, and regulatory penalties**.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 6/2024
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Salesforce suffered a **massive data breach** via two distinct campaigns in 2025, orchestrated by threat actors **Scattered Lapsus$ Hunters** and **ShinyHunters**. The first wave (late 2024) involved **social engineering attacks** impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited **stolen SalesLoft Drift OAuth tokens** to pivot into customer CRM environments, exfiltrating **support ticket data, credentials, API tokens, and authentication details**. The attackers claimed to have stolen **~1 billion records** in the first campaign and **1.5 billion records across 760+ companies** in the second, targeting high-profile victims like **Google, Cisco, Disney, FedEx, and Marriott**. A **data leak site** was launched to extort victims, threatening public release if ransoms were unpaid. Salesforce **refused to negotiate or pay**, and the leak site was later **shut down** (potentially via FBI seizure). The breach exposed **sensitive customer and corporate data**, including **authentication tokens, API keys, and support logs**, risking downstream attacks on affected companies. The scale and sophistication of the operation—leveraging **supply-chain and OAuth abuses**—highlighted critical vulnerabilities in Salesforce’s ecosystem, with **prolonged unauthorized access** and **large-scale data exfiltration** as core impacts.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 8/2024
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The cybercriminal group **Scattered LAPSUS$ Hunters** (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen **1 billion customer records** from **40 companies’ Salesforce environments**. The gang is demanding **$989.45** to prevent the data from being leaked online, setting an **October 10 deadline** for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior **OAuth token abuse campaign** via **Salesloft’s Drift integration**, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to **UNC6040 (Salesforce-related breaches)**. The group had previously announced retirement but reemerged following arrests of UK teens tied to **Scattered Spider**, suggesting operational shifts. The leaked data reportedly includes **customer records**, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a **platform-level vulnerability**, but the extortion attempt escalates pressure on victims.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 9/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The **ShinyHunters** extortion group exploited compromised **Drift OAuth tokens** linked to **Salesloft** to steal over **1.5 billion Salesforce records** from **760 companies**. Attackers used **social engineering and malicious OAuth apps** to infiltrate Salesforce environments, exfiltrating massive CRM data—including **250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records**. The breach originated from a **GitHub repository compromise** at Salesloft, where attackers used **TruffleHog** to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems. The stolen **Case data** was further mined for **AWS keys, Snowflake tokens, and other credentials**, facilitating deeper intrusions into victim networks. High-profile targets allegedly include **Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others**. The attackers demanded **ransom payments** to prevent data leaks, while also **searching for additional secrets** to expand their campaign. The FBI issued an advisory on the threat actors (**UNC6040/6395**), warning of ongoing risks. Salesforce advised customers to enforce **MFA, least-privilege access, and stricter OAuth app management** to mitigate exposure.

Salesforce | Cyber Attack | Severity: 100 | Impact: 5 | Seen: 5/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The cybercriminal group **ShinyHunters** (operating under the alias *Scattered LAPSUS$ Hunters*) executed a **voice phishing (vishing) campaign** in **May 2025**, tricking employees into connecting a malicious app to their **Salesforce portals**. This breach led to the theft of **over a billion customer records** from **dozens of Fortune 500 firms**, including Toyota, FedEx, Disney/Hulu, and UPS. The group threatened to **publicly leak stolen data** unless ransoms were paid by **October 10, 2025**, via a victim-shaming extortion blog. The compromised data included **customer engagement records, internal communications, and sensitive business details**. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader **supply-chain risk**, as the group claimed responsibility for stealing **authentication tokens from Salesloft** (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s actions were linked to **multiple zero-day exploits**, including **CVE-2025-61882** in Oracle’s E-Business Suite, which they weaponized for additional data theft.

Salesforce | Ransomware | Severity: 100 | Impact: 5 | Seen: 6/2023
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The FBI seized **BreachForums**, a hacking forum operated by **ShinyHunters**, which was used as a platform for leaking corporate data stolen via **ransomware and extortion campaigns**. Among the targeted victims was **Salesforce**, part of a high-profile breach campaign where hackers claimed to have stolen **over one billion customer records** from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including **all database backups since 2023 and escrow databases**, but emphasized that their **Salesforce data leak was still proceeding as planned**, scheduled for public release. The breach involved **massive customer data exposure**, with the hackers leveraging the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the **dark web leak site remained active**, indicating persistent risk. The attack highlights a **large-scale, coordinated extortion scheme** targeting enterprise-level customer databases, with **potential financial, reputational, and operational fallout** for Salesforce and its clients. The stolen records likely include **sensitive personal and corporate information**, amplifying the severity of the incident.

Salesforce | Ransomware | Severity: 100 | Impact: 5 | Seen: 10/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The ransomware group **ShinyHunters (Scattered Lapsus$ Hunters)** breached **Salesforce** by exploiting stolen OAuth tokens from **Salesloft Drift’s AI chatbot integration**, compromising **1.5 billion records** across **760 companies** (including Cisco, Disney, and Marriott). The leaked data includes **PII (names, DOBs, passports, employment histories)**, shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated **Salesloft’s GitHub repository**, extracting private source code and OAuth tokens, then laterally moved to **Google Workspace, Microsoft 365, and Okta platforms** of victims. The group demanded **separate ransoms** from Salesforce and listed **39 high-profile victims** on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged **social engineering (vishing, phishing, IT impersonation)** to trick employees into granting access, highlighting vulnerabilities in **third-party supply-chain integrations** and weak **2FA/OAuth security controls**.

Salesforce
Ransomware
Severity: 100
Impact: 5
Seen: 10/2023
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: A cybercriminal collective known as **Scattered Lapsus$ Hunters**—an alliance of the notorious **ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups**—threatened to leak **one billion records** allegedly exfiltrated from **Salesforce’s systems**, targeting **39 of the world’s largest corporations**, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by **October 10, 2023**, would result in the **massive exposure of customer data** across dark web and Clearnet platforms. The breach, if executed, would compromise **sensitive personal and corporate information** of Salesforce’s high-profile clients, leading to **severe reputational damage, financial fraud risks, and potential regulatory penalties**. The threat underscores a **large-scale, coordinated extortion campaign** leveraging ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to **‘target each and every individual customer’** if demands were unmet. The incident highlights the **escalating sophistication of cybercriminal syndicates** in exploiting enterprise vulnerabilities for maximal disruption.


Underwriter Stats for Salesforce

Incidents vs Software Development Industry Average (This Year)

Salesforce has 934.48% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Salesforce has 669.23% more incidents than the average of all companies with at least one recorded incident.

Incident Types Salesforce vs Software Development Industry Avg (This Year)

Salesforce reported 6 incidents this year: 3 cyber attacks, 1 ransomware, 0 vulnerabilities, 2 data breaches, compared to industry peers with at least 1 incident.

Incident History — Salesforce (X = Date, Y = Severity)

Salesforce cyber incidents detection timeline including parent company and subsidiaries

Salesforce Company Subsidiaries


Salesforce Similar Companies

Booking.com

A career at Booking.com is all about the journey, helping you explore new challenges in a place where you can be your best self. With plenty of exciting twists, turns and opportunities along the way. We’ve always been pioneers, on a mission to shape the future of travel through cutting edge techno

Pitney Bowes

Pitney Bowes is a technology-driven products and services company that provides SaaS shipping solutions, mailing innovation, and financial services to clients around the world – including more than 90 percent of the Fortune 500. Small businesses to large enterprises, and government entities rely on

Snowflake

**Snowflake is proud to be the Official Data Collaboration Provider for LA28 and Team USA.** Snowflake delivers the AI Data Cloud — a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the AI Data Cloud, organizations unite

OpenText

OpenText is a leading Cloud and AI company that provides organizations around the world with a comprehensive suite of Business AI, Business Clouds, and Business Technology. We help organizations grow, innovate, become more efficient and effective, and do so in a trusted and secure way—through Inform

Workday

Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and

Bosch Global Software Technologies

With our unique ability to offer end-to-end solutions that connect the three pillars of IoT - Sensors, Software, and Services, we enable businesses to move from the traditional to the digital, or improve businesses by introducing a digital element in their products and processes. Now more than ever

Lazada

About Lazada Group Founded in 2012, Lazada Group is the leading eCommerce platform in Southeast Asia. We are accelerating progress in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam through commerce and technology. With the largest logistics and payments networks in the regio

Cox Automotive Inc.

Cox Automotive is the world’s largest automotive services and technology provider. Fueled by the largest breadth of first-party data fed by 2.3 billion online interactions a year, Cox Automotive tailors leading solutions for car shoppers, auto manufacturers, dealers, lenders and fleets. The company

PedidosYa

We’re the delivery market leader in Latin America. Our platform connects over 77.000 restaurants, supermarkets, pharmacies and stores with millions of users. Nowadays we operate in more than 500 cities in Latin America. And we are now over 3.400 employees. PedidosYa is available for iOS, Android and


Salesforce CyberSecurity News

November 28, 2025 08:53 AM
Gainsight Verifies Token Breach Linked to Salesforce Advisory, Issues New IOCs

Gainsight, the leading customer success platform, has confirmed that a security incident involving its Salesforce integration compromised...

November 26, 2025 04:49 PM
Gainsight CEO promises transparency as it responds to compromise of Salesforce integration

The company has been in regular contact with customers, and says only a handful have seen data directly impacted.

November 26, 2025 02:26 PM
Gainsight breach: Salesforce details attack window, issues investigation guidance

Indicators of compromise related to Gainsight breach point to when the attacks against customers' Salesforce instances likely started.

November 25, 2025 12:31 AM
Gainsight Partners with Salesforce: A Dynamic Duo Committed to Protecting Data

In the wake of recent reports concerning unauthorized access to Salesforce customer data through Gainsight applications, it's important to...

November 25, 2025 12:00 AM
ShinyHunters Breach Steals Data from 200+ Firms via Salesforce Flaw

The Shadow Over Salesforce: Unraveling the Gainsight Breach That Shook Corporate Cybersecurity. In the fast-paced world of enterprise...

November 24, 2025 04:49 PM
Gainsight says additional applications put on hold after Salesforce customers breached

Gainsight on Monday said connections to Zendesk and Hubspot have been temporarily paused following a supply chain attack targeting its...

November 24, 2025 09:53 AM
Gainsight says additional applications put on hold after Salesforce customers breached

This story was originally published on Cybersecurity Dive. To receive daily news and insights, subscribe to our free daily Cybersecurity...

November 23, 2025 01:55 PM
Cybersecurity News Weekly Newsletter – Fortinet, Chrome 0-Day Flaws, Cloudflare Outage and Salesforce...

Welcome to this week's edition of the Cybersecurity News Weekly Newsletter, where we analyze the critical incidents defining the current...

November 22, 2025 06:10 PM
Salesforce: Some Customer Data Accessed via Gainsight Breach

The highly publicized data breaches earlier this fall of Salesforce customers that were linked to Salesloft's Drift application are coming...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Salesforce CyberSecurity History Information

Official Website of Salesforce

The official website of Salesforce is http://www.salesforce.com.

Salesforce’s AI-Generated Cybersecurity Score

According to Rankiteo, Salesforce’s AI-generated cybersecurity score is 549, reflecting their Critical security posture.

How many security badges does Salesforce have?

According to Rankiteo, Salesforce currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Salesforce have SOC 2 Type 1 certification?

According to Rankiteo, Salesforce is not certified under SOC 2 Type 1.

Does Salesforce have SOC 2 Type 2 certification?

According to Rankiteo, Salesforce does not hold a SOC 2 Type 2 certification.

Does Salesforce comply with GDPR?

According to Rankiteo, Salesforce is not listed as GDPR compliant.

Does Salesforce have PCI DSS certification?

According to Rankiteo, Salesforce does not currently maintain PCI DSS compliance.

Does Salesforce comply with HIPAA?

According to Rankiteo, Salesforce is not compliant with HIPAA regulations.

Does Salesforce have ISO 27001 certification?

According to Rankiteo, Salesforce is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Salesforce

Salesforce operates primarily in the Software Development industry.

Number of Employees at Salesforce

Salesforce employs approximately 84,115 people worldwide.

Subsidiaries Owned by Salesforce

Salesforce presently has no subsidiaries across any sectors.

Salesforce’s LinkedIn Followers

Salesforce’s official LinkedIn profile has approximately 6,028,213 followers.

NAICS Classification of Salesforce

Salesforce is classified under the NAICS code 5112, which corresponds to Software Publishers.

Salesforce’s Presence on Crunchbase

Yes, Salesforce has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/salesforce.

Salesforce’s Presence on LinkedIn

Yes, Salesforce maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/salesforce.

Cybersecurity Incidents Involving Salesforce

As of December 11, 2025, Rankiteo reports that Salesforce has experienced 12 cybersecurity incidents.

Number of Peer and Competitor Companies

Salesforce has an estimated 27,532 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Salesforce?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Ransomware and Breach.

How does Salesforce detect and respond to cybersecurity incidents?

Detection and Response: The detection and response measures recorded by Rankiteo for the company, in the order listed:

Containment measures: blocked access to affected instances
Remediation measures: blocked access to orgs with inadvertent permissions

Third party assistance: Google Threat Intelligence Group (GTIG); Mandiant; Astrix Security
Containment measures: revoked all active access tokens for Drift app (August 20, 2025); temporarily removed Drift from Salesforce AppExchange
Remediation measures: restricting connected app scopes; searching for exposed secrets in Salesforce data; rotating compromised credentials; enforcing IP restrictions
Communication strategy: advisories issued by GTIG/Mandiant; notifications to affected organizations; public blog post by Astrix Security
Enhanced monitoring: checking for specific IP addresses/user-agent strings linked to attackers

Third party assistance: Google Mandiant (threat intelligence); FBI (advisory & investigation)
Law enforcement notified: FBI
Remediation measures: Salesforce recommendations: enforce multi-factor authentication (MFA); apply principle of least privilege; closely manage connected applications
Communication strategy: Salesforce customer advisories; FBI public advisory on UNC6040/6395

Incident response plan activated: yes (Salesforce, Mandiant, and affected companies)
Third party assistance: Mandiant (Google’s incident response); Salesforce security team; FBI Cyber Division
Law enforcement notified: yes (FBI issued advisory on 2023-09-12)
Containment measures: revoking compromised OAuth tokens; isolating affected Salesforce instances; disabling Salesloft Drift integrations
Remediation measures: enforcing 2FA for OAuth apps; patching Salesloft Drift vulnerabilities; audit of third-party integrations
Recovery measures: data backup restoration (if applicable); customer notification plans; dark web monitoring for leaked data
Communication strategy: public disclosure via media (ISMG, BleepingComputer); customer advisories (pending); regulatory notifications
Network segmentation: recommended (to limit lateral movement)
Enhanced monitoring: Salesforce instance logs; cloud platform (Google Workspace, Microsoft 365, Okta) activity

Incident response plan activated: yes (Salesforce engaged external experts and authorities)
Third party assistance: Mandiant (Google); external cybersecurity experts
Law enforcement notified: yes (US and UK authorities involved)
Remediation measures: customer notifications; investigation of OAuth abuse
Communication strategy: public security advisory; media statements

Incident response plan activated: yes (Salesforce notified customers)
Law enforcement notified: likely (FBI may have seized extortion domain)
Remediation measures: refusal to pay ransom; customer notifications
Communication strategy: public statements and customer emails

Third party assistance: Google Threat Intelligence Group (GTIG); Mandiant (malware analysis); law enforcement (FBI, UK NCA)
Containment measures: Salesforce: disabled malicious OAuth apps; Red Hat: isolated compromised GitLab server; Discord: terminated third-party vendor access; Oracle: emergency patch for CVE-2025-61882
Remediation measures: Salesforce: forensic analysis, customer support; Red Hat: customer notifications, repository audits; Discord: affected user notifications, password resets; Oracle: urged customers to apply patch
Recovery measures: Salesforce: refused to pay ransom, focused on defense; Red Hat: restored GitLab from backups; Discord: enhanced vendor security controls
Communication strategy: Salesforce: customer advisories (no negotiation policy); Red Hat: public disclosure (October 2, 2025); Discord: direct emails to affected users; Oracle: security advisory for CVE-2025-61882
Enhanced monitoring: Salesforce: increased logging for OAuth integrations; Red Hat: GitLab access audits

Third party assistance: Google Threat Intelligence Group (warnings)
Containment measures: disabled Drift app integration; token renewal mandate for customers
Remediation measures: customer support outreach; OAuth token rotation
Recovery measures: reactivated Salesloft integrations (except Drift)
Communication strategy: internal memo (Bloomberg-leaked); public statement on non-payment of ransom; customer advisories
Enhanced monitoring: likely (implied by Google Threat Intelligence collaboration)

Incident response plan activated: likely (Salesforce refused ransom demand)
Third party assistance: Mandiant (Google-owned threat intelligence)
Communication strategy: public refusal of ransom demand (email statement)

Incident response plan activated: yes (FBI and France’s BL2C unit)
Third party assistance: French law enforcement (BL2C unit)
Law enforcement notified: yes (FBI-led operation)
Containment measures: domain seizure; backend server seizure; nameserver redirection to FBI
Remediation measures: permanent shutdown of BreachForums; prevention of data leak (Salesforce campaign disrupted)
Communication strategy: public announcement via BleepingComputer; PGP-signed message from ShinyHunters on Telegram

Incident Details

Can you provide details on each incident?

Incident : Cyber Attack

Title: Salesforce 15-Hour Outage Due to Cyber Attack

Description: Salesforce's North American and European customers endured a 15-hour outage after a cyber attack. The incident came after the Salesforce technology team blocked access to certain instances that contained customers affected by a database script deployment that inadvertently gave users broader data access than intended. To protect the customers, the company blocked access to all instances that contained affected customers until it could block access to the orgs with the inadvertent permissions. As a result, customers who were not affected may also have experienced service disruption.

Type: Cyber Attack

Attack Vector: Database Script Deployment

Vulnerability Exploited: Inadvertent Permissions

Incident : Data Breach

Title: Widespread Data Breach in Salesforce via OAuth Token Abuse by UNC6395

Description: A widespread data theft campaign targeting Salesforce was carried out by threat actor UNC6395 between August 8 and August 18, 2025. The attackers bypassed MFA by compromising OAuth tokens from the Salesloft Drift third-party application, exporting large volumes of data from corporate Salesforce accounts. Their primary goal was to harvest credentials and high-value 'secrets' like AWS access keys and Snowflake tokens. The breach was detected and mitigated through revocation of access tokens and removal of the Drift app from Salesforce’s AppExchange.

Date Detected: 2025-08-18

Date Publicly Disclosed: 2025-08-20

Date Resolved: 2025-08-20

Type: Data Breach

Attack Vector: OAuth Token Abuse; Non-Human Identity (NHI) Exploitation; Bypassing MFA

Vulnerability Exploited: Compromised OAuth tokens from Salesloft Drift third-party application (no core Salesforce vulnerability)

Threat Actor: UNC6395

Motivation: Data Exfiltration; Credential Harvesting; High-Value Secrets Theft (e.g., AWS keys, Snowflake tokens)

Incident : Data Breach

Title: ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records

Description: The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens linked to Salesloft. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating data and extorting victims with ransom demands. The campaigns are tied to groups operating under the names ShinyHunters, Scattered Spider, and Lapsus$ (now calling themselves 'Scattered Lapsus$ Hunters'). In March, an actor breached Salesloft’s GitHub repository, locating secrets—including OAuth tokens for Drift and Drift Email—using the TruffleHog tool. The stolen data spans Salesforce objects including Account, Contact, Opportunity, User, and Case tables. Attackers also searched Case data for secrets like AWS keys and Snowflake tokens to enable further intrusions. Victims allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, and others. The FBI issued an advisory on UNC6040/6395, warning of ongoing campaigns.

Type: Data Breach

Attack Vector: Social Engineering; Malicious OAuth Applications; Compromised GitHub Repository; Exploited OAuth Tokens (Drift/Salesloft); Secrets Exposure (TruffleHog)

Vulnerability Exploited: Weak OAuth Token Management; Lack of Multi-Factor Authentication (MFA); Excessive Privileges in Connected Applications; Exposed Secrets in GitHub Repository

Threat Actor: ShinyHunters; Scattered Spider; Lapsus$; UNC6040 (Google Mandiant); UNC6395 (Google Mandiant); Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion); Data Theft for Resale; Reputation Damage; Further Intrusion (Credential Harvesting)

Incident : Data Breach

Title: Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration

Description: A notorious ransomware group, Scattered Lapsus$ Hunters (aka ShinyHunters), launched a darkweb data-leak site targeting 39 victims—including Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue—whose Salesforce CRM was integrated with the Salesloft Drift AI chatbot. The group claims to have stolen **1.5 billion Salesforce records** from **760 Salesloft Drift-using companies**, with leaked samples confirming exposure of **PII (names, DOBs, nationalities, passport numbers, contact details, employment histories)**, shipping data, marketing leads, support case records, chat transcripts, flight details, and car ownership records. The attack exploited **stolen OAuth tokens** from Salesloft’s GitHub repository, granting access to Salesforce instances and other cloud resources (Google Workspace, Microsoft 365, Okta). The FBI and Google’s Mandiant linked the attacks to **UNC6040**, a threat cluster using **social engineering (vishing, phishing, IT impersonation)** to trick support staff into granting access. ShinyHunters demanded separate ransoms from Salesforce and listed victims, threatening to leak data for non-payment.

Date Detected: 2023-08-08

Date Publicly Disclosed: 2023-09-15

Type: Data Breach

Attack Vector: Stolen OAuth Tokens; GitHub Repository Compromise; Social Engineering (Vishing/Phishing); Third-Party Software Exploitation (Salesloft Drift); Lateral Movement to Cloud Platforms (Google Workspace, Microsoft 365, Okta)

Vulnerability Exploited: Weak OAuth Token Security; Lack of Multi-Factor Authentication (2FA) for OAuth Apps; Unpatched Third-Party Integrations (Salesloft Drift); Human Error (Support Staff Tricked via Impersonation)

Threat Actor: Scattered Lapsus$ Hunters (aka ShinyHunters); UNC6040; The Com (English-speaking cybercrime collective)

Motivation: Financial Gain (Extortion/Ransom); Data Theft for Dark Web Sales; Reputation Damage

Incident : Extortion

Title: Scattered LAPSUS$ Hunters Extortion Campaign Targeting Salesforce Environments

Description: A threat actor group calling itself Scattered LAPSUS$ Hunters (SLH) has launched a data-leak site listing about 40 companies’ Salesforce environments, demanding $989.45 to prevent the publication of what it claims is about 1 billion stolen records. The group set an October 10 deadline for Salesforce to negotiate payment or face data leakage. The incident is linked to prior OAuth token abuse campaigns via Salesloft's Drift integration, which affected hundreds of organizations. Salesforce denies platform compromise but acknowledges extortion attempts tied to past or unsubstantiated incidents. The group includes members from Scattered Spider, ShinyHunters, and Lapsus$, some of whom were recently arrested in connection with other high-profile attacks.

Date Publicly Disclosed: 2024-09-27

Type: Extortion

Attack Vector: OAuth Token Abuse (via Salesloft's Drift integration); Social Engineering; Credential Stuffing

Vulnerability Exploited: Misconfigured OAuth integrations (historical, via Salesloft's Drift)

Threat Actor: Scattered LAPSUS$ Hunters (SLH); Scattered Spider; ShinyHunters; Lapsus$

Motivation: Financial Gain; Extortion; Reputation Damage

Incident : Data Breach

Title: Salesforce Data Theft and Extortion Campaigns (2024-2025)

Description: Salesforce confirmed it would not negotiate with or pay ransom to the threat actors behind a massive wave of data theft attacks impacting its customers in 2025. The attacks involved two separate campaigns: (1) social engineering impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances (late 2024), and (2) exploitation of stolen SalesLoft Drift OAuth tokens to pivot to CRM environments and exfiltrate data (August 2025). Threat actors, including 'Scattered Lapsus$ Hunters' and 'ShinyHunters,' claimed to have stolen nearly 1 billion records in the first campaign and 1.5 billion records (760+ companies) in the second. A data leak site was launched to extort 39 companies, including FedEx, Disney, Google, and others, but was later shut down. The FBI may have seized the domain.

Date Publicly Disclosed: 2025-09-17T00:00:00Z

Type: Data Breach

Attack Vector: Social Engineering (OAuth Phishing); Stolen OAuth Tokens (SalesLoft Drift); Supply Chain Compromise

Vulnerability Exploited: OAuth Application Abuse; Stolen Credentials/API Tokens; Improper Access Controls

Threat Actor: Scattered Lapsus$ Hunters; ShinyHunters

Motivation: Financial Gain (Extortion)

Incident : Data Breach

Title: ShinyHunters/Scattered LAPSUS$ Hunters Multi-Company Data Breach and Extortion Campaign (2025)

Description: A cybercriminal group (ShinyHunters/Scattered LAPSUS$ Hunters) used voice phishing (vishing) to compromise Salesforce instances of Fortune 500 companies, stealing over a billion records. The group launched a victim-shame blog threatening to leak data unless ransoms were paid. Additional breaches included Discord (via a third-party vendor), Red Hat (GitLab server compromise), and exploitation of a zero-day in Oracle E-Business Suite (CVE-2025-61882). The group also sent malware-laced threats to security researchers and leveraged ASYNCRAT trojan for persistence. Law enforcement actions targeted members, including arrests and extraditions.

Date Detected: 2025-05

Date Publicly Disclosed: 2025-06-01

Type: Data Breach

Attack Vector: Voice Phishing (Vishing); Malicious OAuth App Integration (Salesforce); Exploit of CVE-2025-61882 (Oracle E-Business Suite); Compromised Third-Party Vendor (Discord); GitLab Server Exfiltration (Red Hat); Malware-Laced Emails (ASYNCRAT Trojan)

Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite - Unauthenticated RCE); Salesforce OAuth Misconfiguration (via Vishing); Third-Party Customer Service Provider (Discord); GitLab Server Misconfiguration (Red Hat)

Threat Actor: ShinyHunters (UNC6040), aliases Scattered LAPSUS$ Hunters, UNC6240, UNC6395; affiliated with Scattered Spider, Lapsus$ and The Com (cybercriminal community); nationality English-speaking (multinational). Crimson Collective: claimed responsibility for the Red Hat breach. Clop ransomware gang: exploited CVE-2025-61882 prior to public disclosure.

Motivation: Financial Gain (Extortion); Data Theft for Resale (Dark Web); Reputation Damage (Victim-Shaming); Harassment of Security Researchers

Incident : Data Breach

Title: Salesforce Data Breach via SalesLoft's Drift App by ShinyHunters

Description: Salesforce informed customers that it will not pay ransom to hackers (ShinyHunters) threatening to publish stolen customer data. The breach originated from a security incident at third-party provider SalesLoft, specifically its Drift app (integrated with Salesforce for automated customer communications). Attackers accessed SalesLoft’s GitHub account (March–June), stole OAuth tokens linking Drift to Salesforce environments, and penetrated Drift’s AWS environment to exfiltrate data from hundreds of organizations, including Cloudflare, Zscaler, and Palo Alto Networks. Stolen data included customer contact details, IT support info, access tokens, and IT configurations. Salesforce disabled the Drift app and is supporting affected customers without negotiating with attackers.

Type: Data Breach

Attack Vector: Compromised GitHub Account; Stolen OAuth Tokens; AWS Environment Infiltration; Third-Party App Exploitation (Drift)

Vulnerability Exploited: Improper Token Management; GitHub Account Security Weakness; Third-Party Integration Risks

Threat Actor: ShinyHunters

Motivation: Financial Extortion; Data Theft for Dark Web Sale

Incident : Data Breach

Title: Salesforce Data Extortion Campaign by Scattered LAPSUS$ Hunters

Description: Salesforce refused to pay an extortion demand made by a crime syndicate (Scattered LAPSUS$ Hunters) claiming to have stolen roughly 1 billion records from dozens of Salesforce customers. The group, tracked as UNC6040 by Mandiant, initiated the campaign in May 2024 by making voice calls to organizations, tricking them into connecting an attacker-controlled app to their Salesforce portals. The group created a website naming affected customers (including Toyota and FedEx) and demanded ransom from Salesforce, threatening to leak the data if unpaid. Salesforce rejected the demand.

Date Detected: 2024-05-01

Date Publicly Disclosed: 2024-06-01

Type: Data Breach

Attack Vector: Voice Phishing (Vishing); Malicious App Integration; Social Engineering

Vulnerability Exploited: Human Error (Compliance with Fraudulent Requests)

Threat Actor: Scattered LAPSUS$ Hunters; UNC6040 (Mandiant designation)

Motivation: Financial Gain (Extortion)

Incident : Law Enforcement Takedown

Title: FBI Seizure of BreachForums Hacking Forum Operated by ShinyHunters

Description: The FBI, in collaboration with law enforcement authorities in France, seized all domains for the BreachForums hacking forum, a platform primarily used by the ShinyHunters group to leak corporate data stolen in ransomware and extortion attacks. The seizure occurred before the Scattered Lapsus$ Hunters hacker could leak data from Salesforce breaches targeting companies that refused to pay ransoms. The operation compromised all BreachForums database backups since 2023, including escrow databases, and seized backend servers. Despite the takedown, the gang's dark web data leak site remains operational, and the Salesforce data leak (affecting over 1 billion customer records from companies like FedEx, Disney, Google, and others) is still scheduled for release. ShinyHunters confirmed no arrests of core admin team members but declared the 'era of forums' over, warning future platforms may be honeypots.

Date Publicly Disclosed: 2025-10-09

Type: Law Enforcement Takedown

Threat Actor: ShinyHuntersScattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion)Data LeakageCybercrime Facilitation

Incident : data breach

Title: Scattered Lapsus$ Hunters Threatens to Leak One Billion Records Allegedly Stolen from Salesforce Systems

Description: A message on the BreachForums extortion site threatened to leak one billion records allegedly stolen from the Salesforce systems of 39 of the largest companies in the world, including Disney, Toyota, Adidas, McDonald's, IKEA, and Home Depot. The threat was issued by a super-alliance of the ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups, known as Scattered Lapsus$ Hunters. The group vowed to carry out the leak via dark web and Clearnet sites if Salesforce did not pay a ransom by 11:59 p.m. EST on October 10, 2023. The message warned of targeting individual customers of Salesforce if the company failed to comply.

Type: data breach

Threat Actor: ShinyHunters, Scattered Spider, LAPSUS$, Scattered Lapsus$ Hunters

Motivation: financial gain, extortion

Incident : Cybercriminal Alliance Formation

Title: Formation of Scattered LAPSUS$ Hunters (SLH) Cybercriminal Collective and Targeting of Salesforce

Description: The cybercriminal underground witnessed a significant consolidation as three notorious threat actors—Scattered Spider, ShinyHunters, and LAPSUS$—formally aligned to create the **Scattered LAPSUS$ Hunters (SLH)**, a federated collective that emerged in **early August 2025**. The alliance operates primarily through **Telegram**, leveraging it as both a coordination tool and a performative marketing channel. SLH announced **Salesforce** as one of its victims, targeting high-value enterprises including SaaS providers. The group exhibits sophisticated technical capabilities, including **AI-automated vishing, spearphishing, exploit development (e.g., CVE-2025-61882, CVE-2025-31324), and zero-day vulnerability brokerage**, while formalizing an **Extortion-as-a-Service (EaaS) model**. Core operators include **'shinycorp' (principal orchestrator)** and **'yuka' (exploit developer linked to BlackLotus UEFI bootkit and Medusa rootkit)**. The collective demonstrates **adaptive resilience** through repeated Telegram channel recreations and centralized decision-making, blending **theatrical brand management** with calculated extortion tactics.

Date Detected: 2025-08-08

Date Publicly Disclosed: 2025-08-08

Type: Cybercriminal Alliance Formation

Attack Vector: AI-automated vishing; Spearphishing; Credential Harvesting; Lateral Movement; Privilege Escalation; Zero-day Exploitation (e.g., CVE-2025-61882, CVE-2025-31324); Exploit Brokerage; Data Exfiltration; Extortion-as-a-Service (EaaS)

Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite); CVE-2025-31324 (unspecified CRM/DBMS/SaaS target); Zero-day vulnerabilities in cloud infrastructure/SaaS platforms

Threat Actor: Scattered LAPSUS$ Hunters (SLH). Aliases: SLH, scattered LAPSUS$ hunters 7.0. Affiliated Groups: Scattered Spider, ShinyHunters, LAPSUS$, The Com. Core Members: shinycorp (handles @sp1d3rhunters, @shinyc0rp; Principal Orchestrator); yuka (Exploit Developer; associated malware: BlackLotus UEFI bootkit, Medusa rootkit); Alg0d (Auxiliary Operator); UNC5537 (Auxiliary Operator). Operational Model: Extortion-as-a-Service (EaaS), Crowdsourced Extortion, Vulnerability Brokerage.

Motivation: Financial Gain, Reputational Capital, Operational Resilience, Narrative Control, Psychological Impact (Theatrical Branding)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Cyber Attack.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents as: Compromised OAuth tokens from Salesloft Drift application; Compromised Salesloft GitHub Repository (Secrets Exposure); Malicious OAuth Applications (Drift/Salesforce Integration); Salesloft GitHub Repository (Stolen OAuth Tokens); OAuth tokens via Salesloft's Drift integration; Malicious OAuth Applications; Stolen SalesLoft Drift OAuth Tokens; Voice Phishing Calls (Salesforce); Compromised Third-Party Vendor (Discord); Exploited GitLab Misconfiguration (Red Hat); Zero-Day Exploit (Oracle CVE-2025-61882); Malicious OAuth App (Salesforce); SalesLoft GitHub Account (Compromised March–June 2024); Voice Phishing (Vishing) Calls; AI-automated vishing; Spearphishing; Credential Harvesting.

Impact of the Incidents

What was the impact of each incident ?

Incident : Cyber Attack SAL215719323

Systems Affected: Customer Instances

Downtime: 15 hours

Operational Impact: Service Disruption

Incident : Data Breach SAL729082725

Data Compromised: Customer account data, User data, Opportunities data, AWS access keys, Snowflake tokens, High-value secrets

Systems Affected: Salesforce corporate accounts; Salesloft Drift application

Operational Impact: Temporary removal of Drift app from Salesforce AppExchange; Revocation of active access tokens

Brand Reputation Impact: Potential reputational damage due to unauthorized data access and credential theft

Identity Theft Risk: High (due to stolen credentials and secrets)

Incident : Data Breach SAL5732257091825

Data Compromised: Salesforce Account: 250 million records; Salesforce Contact: 579 million records; Salesforce Opportunity: 171 million records; Salesforce User: 60 million records; Salesforce Case: 459 million records; Total: 1.5 billion records

Systems Affected: Salesforce CRM; Drift AI Chat/Email Services; Salesloft Platform; GitHub Repository (Salesloft); Connected Applications (AWS, Snowflake, etc.)

Operational Impact: Unauthorized Data Access; Extortion Threats; Potential Further Intrusions via Stolen Credentials; Reputation Damage for Affected Companies

Brand Reputation Impact: High (Public Disclosure of Breach); Loss of Customer Trust; Potential Regulatory Scrutiny

Identity Theft Risk: High (PII in Contact/Account Records); Credential Stuffing Risk

Incident : Data Breach SAL5592855100325

Data Compromised: Personally identifiable information (PII), Shipping information, Marketing lead data, Customer support case records, Chat transcripts, Flight details, Car ownership records, Employment histories, Passport numbers, Full contact information

Systems Affected: Salesforce CRM Instances; Salesloft Drift AI Chatbot; Google Workspace; Microsoft 365; Okta Platforms; GitHub Repository (Salesloft)

Operational Impact: Potential Disruption to CRM Operations; Customer Data Exposure Risks; Incident Response Activation

Brand Reputation Impact: High (Public Data Leak Site); Loss of Customer Trust; Media Scrutiny

Legal Liabilities: Potential GDPR/CCPA Violations; Regulatory Fines; Class-Action Lawsuits

Identity Theft Risk: High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)

Incident : Extortion SAL2102121100425

Data Compromised: 1 billion records (claimed by threat actors)

Systems Affected: Salesforce environments of ~40 companies; Customer data via OAuth abuse

Brand Reputation Impact: High (public extortion threats, media coverage)

Identity Theft Risk: Potential (if PII was exposed)

Incident : Data Breach SAL0962109100825

Data Compromised: Customer data, Support tickets, Credentials, API tokens, Authentication tokens

Systems Affected: Salesforce CRM Instances; SalesLoft Drift Environments

Operational Impact: Potential infrastructure breaches due to stolen credentials/tokens

Brand Reputation Impact: High (public extortion of major brands)

Identity Theft Risk: High (PII and credentials exposed)

Incident : Data Breach SAL0562205100825

Data Compromised: Salesforce customer records (>1B); Discord user data (usernames, emails, IP addresses, payment card last 4 digits, government IDs); Red Hat GitLab repositories (28,000+ repos, 5,000+ customer engagement reports, API tokens, infrastructure details); Oracle E-Business Suite data (via CVE-2025-61882); Salesloft authentication tokens (cloud services: Snowflake, AWS)

Systems Affected: Salesforce Instances (Multiple Fortune 500 Companies); Discord Third-Party Customer Service Provider; Red Hat GitLab Server; Oracle E-Business Suite Servers; Salesloft AI Chatbot Platform

Operational Impact: Forensic Investigations (Salesforce, Red Hat, Discord); Customer Notifications (Ongoing); Regulatory Scrutiny; Reputation Damage for Victim Companies

Customer Complaints: Expected (Due to Data Leak Threats)

Brand Reputation Impact: Salesforce (Extortion Refusal Publicized); Fortune 500 Victims (Named on Victim-Shame Blog); Red Hat (Trust Erosion Due to GitLab Breach); Discord (User Privacy Concerns)

Legal Liabilities: Potential GDPR/CCPA Violations (Discord, Salesforce Customers); Regulatory Fines (Pending Investigations); Lawsuits from Affected Individuals

Identity Theft Risk: High (Discord Government IDs, Payment Data)

Payment Information Risk: Moderate (Discord: Last 4 Digits of Cards)

Incident : Data Breach SAL3132231100825

Data Compromised: Customer contact details, IT support information, Access tokens, IT configurations, CRM fields, Support cases, Integration data

Systems Affected: SalesLoft Drift App; Salesforce Integrations; Drift’s AWS Environment; GitHub Account (SalesLoft)

Operational Impact: Disabled Drift App Integration; Token Renewal Required for Customers; Ongoing Customer Support Efforts

Brand Reputation Impact: Public Refusal to Pay Ransom; Third-Party Trust Erosion; Media Coverage (Bloomberg, Google Threat Intelligence)

Identity Theft Risk: Low (Primarily Corporate Data)

Incident : Data Breach SAL5002150100925

Data Compromised: ~1 billion records

Systems Affected: Salesforce Customer Portals

Brand Reputation Impact: High (Public extortion threat and data leak risk)

Identity Theft Risk: Potential (depends on compromised data types)

Incident : Law Enforcement Takedown SAL4232242101025

Data Compromised: Corporate data, Customer records (1+ billion), Escrow databases, Database backups (since 2023)

Systems Affected: BreachForums Domains; Backend Servers; Database Backups

Downtime: BreachForums (Permanent); Forum Infrastructure (Seized)

Operational Impact: Termination of BreachForums Operations; Disruption of Cybercrime Ecosystem; Loss of Trust in Hacking Forums

Brand Reputation Impact: Negative (for Affected Companies); Loss of Anonymity for Cybercriminals

Legal Liabilities: Potential Charges for BreachForums Admins (e.g., Kai West aka 'IntelBroker'); Regulatory Scrutiny for Affected Companies

Identity Theft Risk: High (1+ billion customer records exposed)

Incident : data breach SAL5602056101125

Data Compromised: one billion records (alleged)

Brand Reputation Impact: high (potential, due to threat of massive data leak)

Identity Theft Risk: high (potential, given scale of alleged breach)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Data Compromised: Potential CRM/SaaS/database records (Salesforce and other high-value enterprises)

Systems Affected: Cloud Infrastructure; SaaS Platforms (e.g., Salesforce); Database Systems

Operational Impact: Disruption of SaaS Operations; Potential Supply Chain Risks

Brand Reputation Impact: High (Targeting of Salesforce and public extortion tactics)

Identity Theft Risk: Potential (PII in compromised databases)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are: Customer Account Data, User Data, Opportunities Data, Credentials, AWS Access Keys, Snowflake Tokens, High-Value Secrets; CRM Data (Salesforce Objects), Account Records, Contact Records (PII), Opportunity Records, User Records, Case Records (Support Tickets), AWS Keys, Snowflake Tokens, Other Credentials; PII, Customer Support Records, Chat Transcripts, Marketing Data, Shipping Information, Flight Details, Employment Histories; Customer Data, Potentially PII (Unconfirmed); Customer Records, Support Tickets, Credentials, API Tokens, Authentication Tokens; Customer Records (Salesforce), User PII (Discord: Emails, IPs, Government IDs), Source Code (Red Hat Git Repos), API Tokens (Red Hat CERs), Infrastructure Details (Red Hat Audits), Authentication Tokens (Salesloft); Customer Contact Details, IT Support Information, OAuth Tokens, IT Configurations, CRM Data, Support Cases; Customer Records, Corporate Data, Escrow Databases, Database Backups; Potentially PII, CRM Data, SaaS Configuration Details.

Which entities were affected by each incident ?

Incident : Cyber Attack SAL215719323

Entity Name: Salesforce

Entity Type: Company

Industry: Technology

Location: North America, Europe

Incident : Data Breach SAL729082725

Entity Name: Salesforce

Entity Type: Cloud CRM Platform

Industry: Technology

Location: Global

Size: Large Enterprise

Customers Affected: Multiple corporate Salesforce accounts (exact number undisclosed)

Incident : Data Breach SAL729082725

Entity Name: Salesloft (Drift application)

Entity Type: Third-Party SaaS Provider

Industry: Sales Engagement

Location: Global

Incident : Data Breach SAL729082725

Entity Name: Multiple Unnamed Organizations

Entity Type: Corporate, Enterprise

Industry: Various

Location: Global

Incident : Data Breach SAL5732257091825

Entity Name: Salesforce

Entity Type: Cloud CRM Provider

Industry: Technology/Software

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 760 companies

Incident : Data Breach SAL5732257091825

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: Technology/Software

Location: USA (HQ: Atlanta, Georgia)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Drift

Entity Type: Conversational Marketing Platform

Industry: Technology/Software

Location: USA (HQ: Boston, Massachusetts)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Google

Entity Type: Technology Conglomerate

Industry: Technology/Internet Services

Location: Global (HQ: Mountain View, USA)

Size: Mega-Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Cloudflare

Entity Type: Web Infrastructure & Security

Industry: Technology/Cybersecurity

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity

Industry: Technology/Cybersecurity

Location: Global (HQ: Santa Clara, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Zscaler

Entity Type: Cloud Security

Industry: Technology/Cybersecurity

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Tenable

Entity Type: Vulnerability Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Columbia, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: CyberArk

Entity Type: Privileged Access Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Petah Tikva, Israel)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Elastic

Entity Type: Search & Analytics

Industry: Technology/Software

Location: Global (HQ: Mountain View, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Qualys

Entity Type: IT Security & Compliance

Industry: Technology/Cybersecurity

Location: Global (HQ: Foster City, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Nutanix

Entity Type: Cloud Computing

Industry: Technology/Software

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Proofpoint

Entity Type: Cybersecurity (Email Security)

Industry: Technology/Cybersecurity

Location: Global (HQ: Sunnyvale, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: BeyondTrust

Entity Type: Privileged Access Management

Industry: Technology/Cybersecurity

Location: Global (HQ: Phoenix, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Rubrik

Entity Type: Data Management & Security

Industry: Technology/Cybersecurity

Location: Global (HQ: Palo Alto, USA)

Size: Enterprise

Incident : Data Breach SAL5732257091825

Entity Name: Cato Networks

Entity Type: Network Security

Industry: Technology/Cybersecurity

Location: Global (HQ: Tel Aviv, Israel)

Size: Mid-to-Large Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Salesforce

Entity Type: Software Company (CRM)

Industry: Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 760+ (via Salesloft Drift integration)

Incident : Data Breach SAL5592855100325

Entity Name: Salesloft (Drift)

Entity Type: Software Company (AI Chatbot)

Industry: Technology/SaaS

Location: Global (HQ: Atlanta, USA)

Size: Mid-to-Large

Customers Affected: 760+

Incident : Data Breach SAL5592855100325

Entity Name: Cisco

Entity Type: Corporation

Industry: Technology

Location: Global (HQ: San Jose, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: The Walt Disney Company

Entity Type: Corporation

Industry: Entertainment

Location: Global (HQ: Burbank, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: KFC (Yum! Brands)

Entity Type: Restaurant Chain

Industry: Food & Beverage

Location: Global

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: IKEA

Entity Type: Retailer

Industry: Furniture

Location: Global (HQ: Netherlands)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Marriott International

Entity Type: Hospitality

Industry: Hotels

Location: Global (HQ: Bethesda, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: McDonald's

Entity Type: Restaurant Chain

Industry: Food & Beverage

Location: Global (HQ: Chicago, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Walgreens Boots Alliance

Entity Type: Pharmacy Retailer

Industry: Healthcare/Retail

Location: Global (HQ: Deerfield, USA)

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Albertsons Companies

Entity Type: Grocery Retailer

Industry: Retail

Location: USA

Size: Enterprise

Incident : Data Breach SAL5592855100325

Entity Name: Saks Fifth Avenue

Entity Type: Luxury Retailer

Industry: Retail

Location: USA (HQ: New York)

Size: Large

Incident : Extortion SAL2102121100425

Entity Name: Salesforce

Entity Type: Corporation

Industry: Cloud Computing / CRM

Location: San Francisco, California, USA

Size: Large (Enterprise)

Customers Affected: ~40 companies (via Salesforce environments)

Incident : Extortion SAL2102121100425

Entity Name: Salesloft (Drift integration)

Entity Type: Corporation

Industry: Sales Engagement Software

Location: Atlanta, Georgia, USA

Customers Affected: Hundreds of organizations (via OAuth abuse)

Incident : Extortion SAL2102121100425

Entity Name: Multiple Unnamed Companies

Entity Type: Corporations, Organizations

Industry: Various

Location: Global

Incident : Data Breach SAL0962109100825

Entity Name: Salesforce

Entity Type: Cloud Service Provider

Industry: Technology (CRM/SaaS)

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: 39+ (direct extortion targets), 760+ (SalesLoft campaign)

Incident : Data Breach SAL0962109100825

Entity Name: FedEx

Entity Type: Corporation

Industry: Logistics

Location: Memphis, Tennessee, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Disney/Hulu

Entity Type: Corporation

Industry: Entertainment

Location: Burbank, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Home Depot

Entity Type: Corporation

Industry: Retail

Location: Atlanta, Georgia, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Marriott

Entity Type: Corporation

Industry: Hospitality

Location: Bethesda, Maryland, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: Mountain View, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cisco

Entity Type: Corporation

Industry: Technology

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Toyota City, Aichi, Japan

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Gap

Entity Type: Corporation

Industry: Retail

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Kering

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: McDonald's

Entity Type: Corporation

Industry: Food Service

Location: Chicago, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Walgreens

Entity Type: Corporation

Industry: Pharmacy/Retail

Location: Deerfield, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Instacart

Entity Type: Corporation

Industry: E-commerce

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cartier

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Adidas

Entity Type: Corporation

Industry: Apparel

Location: Herzogenaurach, Germany

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Saks Fifth Avenue

Entity Type: Corporation

Industry: Retail

Location: New York, New York, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Air France & KLM

Entity Type: Corporation

Industry: Aviation

Location: Paris, France / Amstelveen, Netherlands

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: TransUnion

Entity Type: Corporation

Industry: Credit Reporting

Location: Chicago, Illinois, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: HBO Max

Entity Type: Corporation

Industry: Entertainment

Location: New York, New York, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: UPS

Entity Type: Corporation

Industry: Logistics

Location: Atlanta, Georgia, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Chanel

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: IKEA

Entity Type: Corporation

Industry: Retail

Location: Delft, Netherlands

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Qantas

Entity Type: Corporation

Industry: Aviation

Location: Sydney, Australia

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Allianz Life

Entity Type: Corporation

Industry: Insurance

Location: Minneapolis, Minnesota, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Farmers Insurance

Entity Type: Corporation

Industry: Insurance

Location: Los Angeles, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Workday

Entity Type: Corporation

Industry: Technology (HR/Finance SaaS)

Location: Pleasanton, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: LVMH (Dior, Louis Vuitton, Tiffany & Co.)

Entity Type: Corporation

Industry: Luxury Goods

Location: Paris, France

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cloudflare

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Zscaler

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Tenable

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Columbia, Maryland, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: CyberArk

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Petah Tikva, Israel

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Elastic

Entity Type: Corporation

Industry: Technology (Search/Data Analytics)

Location: Mountain View, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: BeyondTrust

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Phoenix, Arizona, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Proofpoint

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Sunnyvale, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: JFrog

Entity Type: Corporation

Industry: Technology (DevOps)

Location: Sunnyvale, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Nutanix

Entity Type: Corporation

Industry: Technology (Cloud Computing)

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Qualys

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Foster City, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Rubrik

Entity Type: Corporation

Industry: Technology (Data Management)

Location: Palo Alto, California, USA

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Cato Networks

Entity Type: Corporation

Industry: Technology (Network Security)

Location: Tel Aviv, Israel

Size: Enterprise

Incident : Data Breach SAL0962109100825

Entity Name: Palo Alto Networks

Entity Type: Corporation

Industry: Technology (Cybersecurity)

Location: Santa Clara, California, USA

Size: Enterprise

Incident : Data Breach SAL0562205100825

Entity Name: Salesforce

Entity Type: CRM Platform

Industry: Enterprise Software

Location: USA (Global Operations)

Size: Large (Fortune 500)

Customers Affected: >1B Records (Across Dozens of Clients)

Incident : Data Breach SAL0562205100825

Entity Name: Google

Entity Type: Technology

Industry: Internet Services

Location: USA

Size: Large

Customers Affected: Corporate Salesforce Instance Compromised

Incident : Data Breach SAL0562205100825

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Japan/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: FedEx

Entity Type: Corporation

Industry: Logistics

Location: USA/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: Disney/Hulu

Entity Type: Corporation

Industry: Entertainment

Location: USA

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: UPS

Entity Type: Corporation

Industry: Logistics

Location: USA/Global

Size: Large

Customers Affected: Salesforce Data Stolen (Volume Undisclosed)

Incident : Data Breach SAL0562205100825

Entity Name: Red Hat (IBM)

Entity Type: Subsidiary

Industry: Enterprise Software

Location: USA/Global

Size: Large

Customers Affected: 28,000+ Git Repos, 5,000+ Customer Engagement Reports

Incident : Data Breach SAL0562205100825

Entity Name: Discord

Entity Type: Corporation

Industry: Social Media/Communication

Location: USA

Size: Large

Customers Affected: Limited Number of Users (Support/Trust & Safety Interactions)

Incident : Data Breach SAL0562205100825

Entity Name: Oracle

Entity Type: Corporation

Industry: Enterprise Software

Location: USA/Global

Size: Large

Customers Affected: E-Business Suite Users (Via CVE-2025-61882)

Incident : Data Breach SAL0562205100825

Entity Name: Salesloft

Entity Type: Corporation

Industry: Sales Engagement

Location: USA

Size: Medium

Customers Affected: Authentication Tokens Stolen (Impacted Cloud Services: Snowflake, AWS)

Incident : Data Breach SAL3132231100825

Entity Name: Salesforce

Entity Type: CRM Provider

Industry: Cloud Computing / SaaS

Location: San Francisco, California, USA

Size: Enterprise (150,000+ employees)

Customers Affected: Unknown (Hundreds of organizations)

Incident : Data Breach SAL3132231100825

Entity Name: SalesLoft

Entity Type: Sales Engagement Platform

Industry: Sales Technology

Location: Atlanta, Georgia, USA

Size: Mid-Large (500+ employees)

Customers Affected: Unknown (Via Drift App)

Incident : Data Breach SAL3132231100825

Entity Name: Cloudflare

Entity Type: Web Infrastructure & Security

Industry: Cybersecurity

Location: San Francisco, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Zscaler

Entity Type: Cloud Security

Industry: Cybersecurity

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity

Industry: Network Security

Location: Santa Clara, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: CyberArk

Entity Type: Privileged Access Security

Industry: Cybersecurity

Location: Petah Tikva, Israel / Newton, Massachusetts, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Rubrik

Entity Type: Data Management & Security

Industry: Cloud Data Protection

Location: Palo Alto, California, USA

Size: Mid-Large

Incident : Data Breach SAL3132231100825

Entity Name: Nutanix

Entity Type: Hybrid Cloud Computing

Industry: IT Infrastructure

Location: San Jose, California, USA

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: Ericsson

Entity Type: Telecommunications

Industry: Networking & 5G

Location: Stockholm, Sweden

Size: Enterprise

Incident : Data Breach SAL3132231100825

Entity Name: JFrog

Entity Type: DevOps Platform

Industry: Software Development

Location: Sunnyvale, California, USA

Size: Mid-Large

Incident : Data Breach SAL5002150100925

Entity Name: Salesforce

Entity Type: Cloud CRM Provider

Industry: Technology

Location: San Francisco, California, USA

Size: Large Enterprise

Customers Affected: Dozens (including Toyota, FedEx, and 37 others)

Incident : Data Breach SAL5002150100925

Entity Name: Toyota

Entity Type: Automotive Manufacturer

Industry: Automotive

Location: Global

Size: Large Enterprise

Incident : Data Breach SAL5002150100925

Entity Name: FedEx

Entity Type: Logistics Company

Industry: Transportation/Logistics

Location: Global

Size: Large Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: BreachForums

Entity Type: Hacking Forum / Data Extortion Site

Industry: Cybercrime

Location: Global (Seized by U.S. and France)

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Salesforce (Indirectly Affected via Breach)

Entity Type: Cloud Computing / CRM

Industry: Technology

Location: Global

Size: Enterprise

Customers Affected: 1+ billion records (across multiple companies)

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: FedEx

Entity Type: Logistics

Industry: Transportation

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Disney/Hulu

Entity Type: Entertainment

Industry: Media

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Home Depot

Entity Type: Retail

Industry: Home Improvement

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Marriott

Entity Type: Hospitality

Industry: Travel

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Google

Entity Type: Technology

Industry: Internet Services

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Cisco

Entity Type: Technology

Industry: Networking

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Toyota

Entity Type: Automotive

Industry: Manufacturing

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Gap

Entity Type: Retail

Industry: Fashion

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: McDonald's

Entity Type: Food Service

Industry: Restaurant

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Walgreens

Entity Type: Retail

Industry: Pharmacy

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Instacart

Entity Type: E-Commerce

Industry: Grocery Delivery

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Cartier

Entity Type: Luxury Goods

Industry: Retail

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Adidas

Entity Type: Retail

Industry: Sportswear

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Saks Fifth Avenue

Entity Type: Retail

Industry: Luxury Department Store

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Air France & KLM

Entity Type: Aviation

Industry: Travel

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: TransUnion

Entity Type: Financial Services

Industry: Credit Reporting

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: HBO Max

Entity Type: Entertainment

Industry: Streaming

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: UPS

Entity Type: Logistics

Industry: Transportation

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: Chanel

Entity Type: Luxury Goods

Industry: Retail

Location: Global

Size: Enterprise

Incident : Law Enforcement Takedown SAL4232242101025

Entity Name: IKEA

Entity Type: Retail

Industry: Furniture

Location: Global

Size: Enterprise

Incident : data breach SAL5602056101125

Entity Name: Salesforce

Entity Type: corporation

Industry: cloud computing / CRM

Location: San Francisco, California, USA

Size: large

Customers Affected: 39 (including Disney, Toyota, Adidas, McDonald's, IKEA, Home Depot)

Incident : data breach SAL5602056101125

Entity Name: Disney

Entity Type: corporation

Industry: entertainment

Location: Burbank, California, USA

Size: large

Incident : data breach SAL5602056101125

Entity Name: Toyota

Entity Type: corporation

Industry: automotive

Location: Toyota City, Aichi, Japan

Size: large

Incident : data breach SAL5602056101125

Entity Name: Adidas

Entity Type: corporation

Industry: sportswear

Location: Herzogenaurach, Germany

Size: large

Incident : data breach SAL5602056101125

Entity Name: McDonald's

Entity Type: corporation

Industry: fast food

Location: Chicago, Illinois, USA

Size: large

Incident : data breach SAL5602056101125

Entity Name: IKEA

Entity Type: corporation

Industry: retail / furniture

Location: Delft, Netherlands

Size: large

Incident : data breach SAL5602056101125

Entity Name: Home Depot

Entity Type: corporation

Industry: retail / home improvement

Location: Atlanta, Georgia, USA

Size: large

Incident : Cybercriminal Alliance Formation SAL5402554110625

Entity Name: Salesforce

Entity Type: SaaS Provider

Industry: Customer Relationship Management (CRM)

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Cyber Attack SAL215719323

Containment Measures: Blocked access to affected instances

Remediation Measures: Blocked access to orgs with inadvertent permissions

Incident : Data Breach SAL729082725

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security

Containment Measures: Revoked all active access tokens for the Drift app (August 20, 2025); temporarily removed Drift from the Salesforce AppExchange

Remediation Measures: Restricting Connected App scopes; searching for exposed secrets in Salesforce data; rotating compromised credentials; enforcing IP restrictions

Communication Strategy: Advisories issued by GTIG/Mandiant; notifications to affected organizations; public blog post by Astrix Security

Enhanced Monitoring: Checking for specific IP addresses/User-Agent strings linked to attackers

Incident : Data Breach SAL5732257091825

Third Party Assistance: Google Mandiant (threat intelligence), FBI (advisory and investigation)

Law Enforcement Notified: FBI

Remediation Measures: Salesforce recommendations: enforce multi-factor authentication (MFA); apply the principle of least privilege; closely manage connected applications

Communication Strategy: Salesforce customer advisories; FBI public advisory on UNC6040/UNC6395

Incident : Data Breach SAL5592855100325

Incident Response Plan Activated: Yes (Salesforce, Mandiant, and Affected Companies)

Third Party Assistance: Mandiant (Google's incident response), Salesforce Security Team, FBI Cyber Division

Law Enforcement Notified: Yes (FBI issued an advisory on 2025-09-12)

Containment Measures: Revoking compromised OAuth tokens; isolating affected Salesforce instances; disabling Salesloft Drift integrations

Remediation Measures: Enforcing 2FA for OAuth apps; patching Salesloft Drift vulnerabilities; audit of third-party integrations

Recovery Measures: Data backup restoration (if applicable); customer notification plans; dark web monitoring for leaked data

Communication Strategy: Public disclosure via media (ISMG, BleepingComputer); customer advisories (pending); regulatory notifications

Network Segmentation: Recommended (to limit lateral movement)

Enhanced Monitoring: Salesforce instance logs; cloud platform (Google Workspace, Microsoft 365, Okta) activity

Incident : Extortion SAL2102121100425

Incident Response Plan Activated: Yes (Salesforce engaged external experts and authorities)

Third Party Assistance: Mandiant (Google), external cybersecurity experts

Law Enforcement Notified: Yes (US and UK authorities involved)

Remediation Measures: Customer notifications; investigation of OAuth abuse

Communication Strategy: Public security advisory; media statements

Incident : Data Breach SAL0962109100825

Incident Response Plan Activated: Yes (Salesforce notified customers)

Law Enforcement Notified: Likely (FBI may have seized extortion domain)

Remediation Measures: Refusal to pay ransom; customer notifications

Communication Strategy: Public statements and customer emails

Incident : Data Breach SAL0562205100825

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (GTIG), Mandiant (malware analysis), law enforcement (FBI, UK NCA)

Containment Measures: Salesforce: disabled malicious OAuth apps; Red Hat: isolated compromised GitLab server; Discord: terminated third-party vendor access; Oracle: emergency patch for CVE-2025-61882

Remediation Measures: Salesforce: forensic analysis, customer support; Red Hat: customer notifications, repository audits; Discord: affected user notifications, password resets; Oracle: urged customers to apply the patch

Recovery Measures: Salesforce: refused to pay ransom, focused on defense; Red Hat: restored GitLab from backups; Discord: enhanced vendor security controls

Communication Strategy: Salesforce: customer advisories (no-negotiation policy); Red Hat: public disclosure (October 2, 2025); Discord: direct emails to affected users; Oracle: security advisory for CVE-2025-61882

Enhanced Monitoring: Salesforce: increased logging for OAuth integrations; Red Hat: GitLab access audits

Incident : Data Breach SAL3132231100825

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (Warnings).

Containment Measures: Disabled Drift app integration; token renewal mandate for customers

Remediation Measures: Customer support outreach; OAuth token rotation

Recovery Measures: Reactivated SalesLoft integrations (except Drift)

Communication Strategy: Internal memo (leaked to Bloomberg); public statement on non-payment of ransom; customer advisories

Enhanced Monitoring: Likely (Implied by Google Threat Intelligence Collaboration)

Incident : Data Breach SAL5002150100925

Incident Response Plan Activated: Likely (Salesforce refused ransom demand)

Third Party Assistance: Mandiant (Google-owned threat intelligence)

Communication Strategy: Public refusal of ransom demand (email statement)

Incident : Law Enforcement Takedown SAL4232242101025

Incident Response Plan Activated: Yes (FBI and France's BL2C Unit)

Third Party Assistance: French law enforcement (BL2C Unit)

Law Enforcement Notified: Yes (FBI-led operation)

Containment Measures: Domain seizure; backend server seizure; nameserver redirection to the FBI

Remediation Measures: Permanent shutdown of BreachForums; prevention of data leak (Salesforce campaign disrupted)

Communication Strategy: Public announcement via BleepingComputer; PGP-signed message from ShinyHunters on Telegram

What is the company's incident response plan?

Incident Response Plan: Across the recorded incidents the plan status is given as: Yes (Salesforce, Mandiant, and affected companies); Yes (Salesforce engaged external experts and authorities); Yes (Salesforce notified customers); Likely (Salesforce refused ransom demand); Yes (FBI and France's BL2C Unit). Three further incidents record activation as True without further detail.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: Across the incidents the company relied on Google Threat Intelligence Group (GTIG) and Mandiant (Google's incident response, threat intelligence and malware analysis); Astrix Security; the Salesforce Security Team; other external cybersecurity experts; and law enforcement (FBI Cyber Division for advisory and investigation, UK NCA, and France's BL2C Unit).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach SAL729082725

Type of Data Compromised: Customer account data, user data, opportunity data, credentials, AWS access keys, Snowflake tokens, high-value secrets

Sensitivity of Data: High (includes cloud infrastructure keys and authentication tokens)

Incident : Data Breach SAL5732257091825

Type of Data Compromised: CRM data (Salesforce objects), Account records, Contact records (PII), Opportunity records, User records, Case records (support tickets), AWS keys, Snowflake tokens, other credentials

Number of Records Exposed: 1.5 billion

Sensitivity of Data: High (PII, business-critical CRM data, credentials)

Data Exfiltration: Confirmed (massive scale); evidence: a shared file listing Salesloft's breached source code folders

File Types Exposed: Salesforce database records; source code (Salesloft GitHub); configuration files; API keys/secrets

Personally Identifiable Information: Contact records (names, email addresses, phone numbers, etc.); user records (employee/client data)

Incident : Data Breach SAL5592855100325

Type of Data Compromised: PII, customer support records, chat transcripts, marketing data, shipping information, flight details, employment histories

Number of Records Exposed: 1,500,000,000 (claimed)

Sensitivity of Data: High (Includes Passport Numbers, Nationalities, Contact Details)

Data Exfiltration: Confirmed (Samples Validated by Researchers)

Data Encryption: No (Data Stolen in Plaintext)

File Types Exposed: Database dumps; CSV/Excel files; JSON/log files; chat transcripts

Personally Identifiable Information: Full names; dates of birth; nationalities; passport numbers; email addresses; phone numbers; physical addresses; employment histories

Incident : Extortion SAL2102121100425

Type of Data Compromised: Customer data, potentially PII (unconfirmed)

Number of Records Exposed: 1 billion (claimed; unverified)

Sensitivity of Data: Moderate to High (if PII included)

Data Exfiltration: Claimed by threat actors

Personally Identifiable Information: Potential (unconfirmed)

Incident : Data Breach SAL0962109100825

Type of Data Compromised: Customer records, support tickets, credentials, API tokens, authentication tokens

Number of Records Exposed: ~2.5 billion (1B in first campaign, 1.5B in second)

Sensitivity of Data: High (PII, credentials, business-sensitive data)

Data Exfiltration: Yes

File Types Exposed: Databases; support logs; configuration files

Personally Identifiable Information: Yes

Incident : Data Breach SAL0562205100825

Type of Data Compromised: Customer records (Salesforce), user PII (Discord: emails, IPs, government IDs), source code (Red Hat Git repos), API tokens (Red Hat CERs), infrastructure details (Red Hat audits), authentication tokens (Salesloft)

Number of Records Exposed: >1B (Salesforce) + undisclosed (Discord, Red Hat, Oracle)

Sensitivity of Data: High (PII, government IDs, source code, API tokens)

File Types Exposed: Salesforce database exports; Git repositories (Red Hat); customer support tickets (Discord); Oracle E-Business Suite records

Personally Identifiable Information: Discord: usernames, emails, IPs, government ID images; Salesforce: customer data (varies by client); Red Hat: business contact information (limited)

Incident : Data Breach SAL3132231100825

Type of Data Compromised: Customer contact details, IT support information, OAuth tokens, IT configurations, CRM data, support cases

Number of Records Exposed: Unknown (Hundreds of organizations affected)

Sensitivity of Data: Moderate (Corporate IT and Customer Data)

Personally Identifiable Information: Limited (Primarily Corporate PII)

Incident : Data Breach SAL5002150100925

Number of Records Exposed: 989.45 million (~1 billion)

Data Exfiltration: Claimed by threat actor

Incident : Law Enforcement Takedown SAL4232242101025

Type of Data Compromised: Customer records, Corporate data, Escrow databases, Database backups

Number of Records Exposed: 1+ billion (Salesforce campaign)

Sensitivity of Data: High (Personally Identifiable Information)

Data Exfiltration: Yes (Stolen from Salesforce breaches)

Personally Identifiable Information: Yes

Incident : data breach SAL5602056101125

Number of Records Exposed: one billion (alleged)

Data Exfiltration: alleged

Incident : Cybercriminal Alliance Formation SAL5402554110625

Type of Data Compromised: Potentially PII, CRM data, SaaS configuration details

Sensitivity of Data: High (Enterprise SaaS and cloud infrastructure)

Personally Identifiable Information: Likely (based on target profile)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The measures recorded across the incidents are: blocking access to orgs with inadvertent permissions; restricting Connected App scopes; searching for exposed secrets in Salesforce data; rotating compromised credentials and OAuth tokens; enforcing IP restrictions; enforcing MFA (including 2FA for OAuth apps); applying the principle of least privilege; closely managing connected applications and auditing third-party integrations; patching Salesloft Drift; investigating OAuth abuse; forensic analysis; customer notifications and support outreach; and refusing to pay ransom. Measures taken by other victims of the same campaigns (Red Hat repository audits and customer notifications, Discord user notifications and password resets, Oracle urging customers to apply its patch) and the law-enforcement shutdown of BreachForums, which disrupted the Salesforce data leak, are recorded in the incident entries above.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The containment actions recorded are: blocking access to affected instances; revoking all active access tokens for the Drift app (August 20, 2025) and temporarily removing Drift from the Salesforce AppExchange; revoking compromised OAuth tokens, isolating affected Salesforce instances and disabling Salesloft Drift integrations; disabling malicious OAuth apps; and mandating token renewal for customers. Actions by other parties in the same campaigns (Red Hat isolating its compromised GitLab server, Discord terminating third-party vendor access, Oracle's emergency patch for CVE-2025-61882) and the BreachForums takedown (domain seizure, backend server seizure, nameserver redirection to the FBI) are recorded alongside.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach SAL729082725

Data Exfiltration: True

Incident : Data Breach SAL5732257091825

Ransom Demanded: Extortion threats (no specific ransom amount disclosed)

Data Exfiltration: Yes (extortion-based)

Incident : Data Breach SAL5592855100325

Ransom Demanded: Separate ransoms from Salesforce and listed victims; extortion threats via dark web leak site

Data Encryption: No (Data Theft Without Encryption)

Data Exfiltration: Yes (1.5B Records Claimed)

Incident : Extortion SAL2102121100425

Ransom Demanded: Unspecified amount (a single demand covering all of the roughly 989.45 million records claimed)

Ransom Paid: No (as of disclosure)

Data Exfiltration: Claimed

Incident : Data Breach SAL0962109100825

Ransom Demanded: Unspecified (extortion demands to companies or Salesforce)

Ransom Paid: No (Salesforce refused to pay)

Data Encryption: No (data theft, not encryption)

Data Exfiltration: Yes

Incident : Data Breach SAL0562205100825

Ransom Demanded: Unspecified (Threatened Public Leak if Unpaid by October 10, 2025)

Data Exfiltration: True

Incident : Data Breach SAL3132231100825

Ransom Demanded: True

Data Exfiltration: True

Incident : Data Breach SAL5002150100925

Ransom Demanded: Unspecified (extortion demand to Salesforce)

Ransom Paid: No (Salesforce refused)

Data Exfiltration: Claimed (~1 billion records)

Incident : Law Enforcement Takedown SAL4232242101025

Ransom Demanded: Yes (Salesforce Campaign)

Ransom Paid: Unknown (Companies targeted for non-payment)

Data Exfiltration: Yes

Incident : data breach SAL5602056101125

Ransom Demanded: unspecified (threatened leak if unpaid by October 10, 2025, 11:59 p.m. EST)

Data Exfiltration: alleged

Incident : Cybercriminal Alliance Formation SAL5402554110625

Data Exfiltration: True

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: None of the recorded incidents involved encryption of data; they were data theft and extortion, so no decryption or restoration of Salesforce data was required. The recovery measures recorded are: data backup restoration (if applicable); customer notification plans; dark web monitoring for leaked data; refusal to pay ransom with a focus on defense; and reactivation of SalesLoft integrations except Drift. In the same campaign, Red Hat restored GitLab from backups and Discord enhanced its vendor security controls.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach SAL729082725

Regulatory Notifications: Notifications sent to affected organizations (details undisclosed)

Incident : Data Breach SAL5592855100325

Regulations Violated: Potential GDPR (EU), CCPA (California), sector-specific data protection laws

Legal Actions: Pending (potential class-action lawsuits), regulatory investigations

Regulatory Notifications: Likely required (e.g., GDPR 72-hour rule); state attorney general notifications (USA)

Incident : Extortion SAL2102121100425

Legal Actions: Arrests of UK teens (Scattered Spider members), ongoing investigations

Incident : Data Breach SAL0562205100825

Regulations Violated: Potential GDPR (EU customer data in Salesforce/Discord), potential CCPA (California residents), industry-specific compliance (e.g., PCI DSS for payment data)

Legal Actions: UK charges against Scattered Spider members (September 2025), US charges against Thalha Jubair (MGM, Caesars, Harrods attacks), extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban sentencing (10 years, August 2025)

Regulatory Notifications: Salesforce: notified customers (no regulatory filings mentioned); Red Hat: customer notifications (October 2, 2025); Discord: affected user notifications (ongoing)

Incident : Law Enforcement Takedown SAL4232242101025

Legal Actions: Arrests of BreachForums admins (France), charges against Kai West ('IntelBroker') in the U.S.

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The incident records describe no specific compliance programme; what they list are the legal actions connected to the incidents: pending potential class-action lawsuits and regulatory investigations; arrests of UK teens (Scattered Spider members) and ongoing investigations; UK charges against Scattered Spider members (September 2025); US charges against Thalha Jubair (MGM, Caesars, Harrods attacks); extradition of Tyler Buchanan (Spain to US, April 2025); Noah Urban's sentencing (10 years, August 2025); arrests of BreachForums admins (France); and charges against Kai West ('IntelBroker') in the U.S.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Breach SAL729082725

Lessons Learned: Non-human identities (NHIs) are persistent, high-privilege targets for attackers. OAuth token abuse can bypass MFA, highlighting the need for stricter access controls. Organizations often lack visibility into NHIs, increasing the risk of exploitation. Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.

Incident : Data Breach SAL5732257091825

Lessons Learned: OAuth tokens and connected applications are high-value targets for attackers. Social engineering and malicious OAuth apps can bypass traditional security controls. Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks. Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations. Multi-factor authentication (MFA) and least-privilege principles are critical for mitigating such breaches.

Incident : Data Breach SAL5592855100325

Lessons Learned: Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical. OAuth tokens and API keys must be protected with **2FA and strict access controls** to prevent abuse. Social engineering (vishing/phishing) remains a highly effective attack vector; **employee training and verification protocols** are essential. Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for **zero-trust architecture and segmentation**. Proactive threat hunting and **dark web monitoring** can help detect stolen data early. Incident response plans must include **third-party breach scenarios** with clear escalation paths.

Incident : Data Breach SAL0562205100825

Lessons Learned: Vishing Remains Effective for OAuth Abuse (Salesforce), Third-Party Vendors Are Critical Attack Vectors (Discord, Salesloft), GitLab Server Hardening Needed (Red Hat), Zero-Day Patching Urgency (Oracle CVE-2025-61882), Extortion Groups Evolve Tactics (Victim-Shaming Blogs, Malware Threats), Cross-Group Collaboration (Scattered Spider + Lapsus$ + ShinyHunters)

Incident : Data Breach SAL3132231100825

Lessons Learned: Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical. OAuth token management requires stricter controls (e.g., rotation, least-privilege access). GitHub account security is a high-value target for attackers; MFA and access logging are essential. Public refusal to pay ransom can deter attackers but may escalate data leak risks.

Incident : Law Enforcement Takedown SAL4232242101025

Lessons Learned: Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation. Data backups can be compromised if stored within seized infrastructure. High-profile data leak threats can accelerate law enforcement action. The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.

Incident : Cybercriminal Alliance Formation SAL5402554110625

Lessons Learned: Cybercriminal consolidation enhances operational resilience and technical sophistication. Telegram's role as both a coordination and performative marketing tool amplifies psychological impact. Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors. Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks. Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.

What recommendations were made to prevent future incidents ?

Incident : Data Breach SAL729082725

Recommendations: Hardening access controls by restricting Connected App scopes in Salesforce; conducting audits to identify and secure exposed secrets within Salesforce data; rotating compromised credentials and enforcing least-privilege access for NHIs; implementing IP restrictions to limit access to trusted locations; monitoring for suspicious IP addresses/User-Agent strings associated with attackers; creating an inventory of non-human identities (NHIs) to improve visibility and security.
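The monitoring and inventory recommendations above can be turned into a concrete hunt over API event logs. The script below is an added example, not part of this page and not Salesforce tooling: it parses a constructed, EventLogFile-style export of API calls made through Connected Apps and flags calls whose app is missing from the NHI inventory, whose source IP is outside the trusted ranges, whose client user-agent is on a hunting list, or whose row count looks like a bulk export. The column names, the approved-app inventory, the CIDR allowlist, the user-agent substrings and the row threshold are all assumptions chosen for the illustration, not published indicators.

```python
"""Hunt for suspicious Connected App (non-human identity) activity in
Salesforce API event records.

Added example, not from the original page or from Salesforce. The log
lines are constructed to resemble fields of an EventLogFile-style API
event export; the column names, the approved-app inventory, the trusted
CIDRs, the user-agent hunting list and the bulk threshold are assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Assumption: the org keeps an inventory of approved non-human identities
# (Connected Apps) and of the IP ranges those identities may call from.
APPROVED_APPS = {"Drift", "Marketing Sync"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
# Assumption: generic scripting clients are worth a second look when they
# present a token issued to a vendor integration with its own client UA.
SUSPICIOUS_UA = ("python-requests", "curl/", "multi-org-fetcher")
BULK_ROW_THRESHOLD = 100_000  # rows per call that suggests a mass export

# Constructed sample export (not real Salesforce data).
SAMPLE_LOG = """\
timestamp,username,connected_app,client_ip,user_agent,rows_processed,query
2025-08-10T02:14:00Z,integ@example.com,Drift,203.0.113.7,Drift-Integration/2.1,120,SELECT Id FROM Case LIMIT 200
2025-08-10T02:15:30Z,integ@example.com,Drift,198.51.100.23,python-requests/2.32.4,250000,SELECT Id Subject Description FROM Case
2025-08-10T02:16:10Z,integ@example.com,Drift,198.51.100.23,python-requests/2.32.4,900000,SELECT Id Name Email FROM Contact
2025-08-10T03:00:00Z,admin@example.com,UnknownApp,10.1.2.3,Mozilla/5.0,5,SELECT Id FROM User
2025-08-10T03:05:00Z,ops@example.com,Marketing Sync,10.1.2.9,MarketingSync/1.0,400,SELECT Id FROM Lead
"""


@dataclass
class Finding:
    timestamp: str
    connected_app: str
    client_ip: str
    reasons: list = field(default_factory=list)


def _ip_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze_events(log_text: str) -> list:
    """Return one Finding per event that trips at least one check."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["connected_app"] not in APPROVED_APPS:
            reasons.append("connected app not in NHI inventory")
        if not _ip_trusted(row["client_ip"]):
            reasons.append("source IP outside trusted ranges")
        ua = row["user_agent"].lower()
        if any(s in ua for s in SUSPICIOUS_UA):
            reasons.append("user-agent on hunting list")
        if int(row["rows_processed"]) >= BULK_ROW_THRESHOLD:
            reasons.append("bulk row count suggests mass export")
        if reasons:
            findings.append(Finding(row["timestamp"], row["connected_app"],
                                    row["client_ip"], reasons))
    return findings


def tokens_to_revoke(findings: list) -> set:
    """Connected Apps whose token was used from an untrusted IP or by a
    scripted client: candidates for immediate token revocation."""
    return {f.connected_app for f in findings
            if any(r.startswith(("source IP", "user-agent")) for r in f.reasons)}


if __name__ == "__main__":
    found = analyze_events(SAMPLE_LOG)
    for f in found:
        print(f.timestamp, f.connected_app, f.client_ip, "; ".join(f.reasons))
    print("revoke tokens for:", sorted(tokens_to_revoke(found)))
```

On the constructed log the two `Drift` calls from 198.51.100.23 trip three checks each (untrusted IP, scripted user-agent, bulk row count), which is the pattern of a stolen integration token being replayed from attacker infrastructure, while `UnknownApp` is flagged only for being absent from the inventory; the token-revocation set therefore contains `Drift` alone.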

Incident : Data Breach SAL5732257091825

Recommendations: Enforce MFA for all user and service accounts, especially those with access to sensitive data; audit and monitor OAuth applications and connected apps for suspicious activity; implement the principle of least privilege to limit access to CRM data and APIs; regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog; monitor for unusual data access patterns, especially in Salesforce environments; educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests; isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement; develop and test incident response plans for extortion and data breach scenarios.
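The secret-scanning recommendation above applies to CRM data as much as to repositories: the incident records list AWS keys and Snowflake tokens among the material taken from Case and other Salesforce objects, so an audit of exported records is part of the remediation. The following is an added example, not from this page and not Salesforce's or TruffleHog's code. It runs a small set of patterns over a constructed export of Case records and reports redacted hits per record. The patterns (AWS access key ID prefix, AWS secret key assignment, GitHub token prefix, PEM private-key header, a Snowflake account hostname near a credential keyword, and generic password assignments) are general-purpose assumptions; a production audit would use a maintained detector set and cover every long-text field in the export.

```python
"""Scan exported Salesforce records (or any text) for embedded secrets.

Added example, not from the original page and not Salesforce's or
TruffleHog's code. The record text is constructed; the detection patterns
are general-purpose regexes chosen as assumptions about what a CRM
secrets audit should look for.
"""
import re

# Each pattern names a secret class. Matches are redacted before reporting
# so the scanner's own output does not become a second leak.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "snowflake_credential": re.compile(
        r"(?i)[a-z0-9.-]+\.snowflakecomputing\.com.{0,80}?(?:password|pwd|token)\s*[:=]\s*\S+"),
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
}

# Constructed sample of Case records as a CRM export might contain them
# (the AWS values are the documented example-only credentials from AWS docs).
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "Cannot reach S3 bucket",
     "Description": "Tried with aws_access_key_id=AKIAIOSFODNN7EXAMPLE and "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403."},
    {"Id": "500xx0000000002", "Subject": "Warehouse login",
     "Description": "acme-eu.snowflakecomputing.com user etl_svc password=Wint3r!Warehouse"},
    {"Id": "500xx0000000003", "Subject": "Renewal question",
     "Description": "Customer asked about pricing for 50 seats."},
    {"Id": "500xx0000000004", "Subject": "CI failing",
     "Description": "token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij0123 expired?"},
]


def redact(value: str) -> str:
    """Keep a 4-character prefix so an analyst can correlate, hide the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str) -> list:
    """Return (secret_class, redacted_match) for every hit in the text."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, redact(m.group(0))))
    return hits


def scan_records(records: list, fields=("Subject", "Description")) -> dict:
    """Map record Id -> list of hits across the chosen free-text fields."""
    report = {}
    for rec in records:
        hits = []
        for f in fields:
            hits.extend(scan_text(rec.get(f, "")))
        if hits:
            report[rec["Id"]] = hits
    return report


if __name__ == "__main__":
    for rid, hits in scan_records(SAMPLE_RECORDS).items():
        for name, shown in hits:
            print(rid, name, shown)
```

Every hit is a credential to rotate, not just a field to delete: a record containing a working AWS key or warehouse password has already been readable to every Connected App with access to that object, which is why the remediation lists rotation alongside the audit.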

Incident : Data Breach SAL5592855100325

Recommendations:

**For Salesforce/Salesloft Customers:**
- Immediately **revoke and rotate OAuth tokens** for all third-party integrations.
- Enforce **multi-factor authentication (2FA) for all OAuth applications** and admin accounts.
- Conduct a **full audit of third-party app permissions** in Salesforce and disable unused integrations.
- Implement **network segmentation** to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta).
- Deploy **behavioral analytics and anomaly detection** to identify suspicious access patterns.

**For All Organizations:**
- **Assess third-party vendor security** with penetration testing and contractually enforce security standards.
- **Train employees on social engineering tactics**, especially vishing and IT impersonation scams.
- **Monitor dark web forums** for leaked credentials or mentions of your organization.
- **Develop a third-party breach response plan** with legal, PR, and technical playbooks.
- **Patch promptly**—unpatched software (e.g., Oracle E-Business Suite) is a common attack vector.

Incident : Data Breach SAL0962109100825

Recommendations:
- Enhance OAuth application security and monitoring.
- Implement stricter access controls for third-party integrations.
- Conduct regular security awareness training for social engineering risks.
- Monitor for unauthorized data exfiltration in CRM environments.
- Review supply chain security for third-party SaaS providers.

Incident : Data Breach SAL0562205100825

Recommendations:
- Implement MFA for OAuth Integrations (Salesforce).
- Audit Third-Party Vendor Security (Discord, Salesloft).
- Isolate GitLab/Sensitive Repos (Red Hat).
- Monitor Dark Web for Stolen Data (All Victims).
- Enhance Employee Training on Vishing (Salesforce Customers).
- Apply Zero-Day Patches Immediately (Oracle).
- Coordinate with Law Enforcement (FBI, INTERPOL for Cross-Border Cases).

Incident : Data Breach SAL3132231100825

Recommendations:
- Conduct third-party security audits for all integrated apps, especially those with OAuth access.
- Implement automated token rotation and anomaly detection for cloud environments.
- Enhance GitHub security with mandatory MFA, IP restrictions, and regular access reviews.
- Develop a unified incident response plan for supply chain attacks involving multiple vendors.
- Proactively communicate with customers about breach scope and mitigation steps to maintain trust.

Incident : Law Enforcement Takedown SAL4232242101025

Recommendations:
- Companies should proactively monitor dark web leak sites for exposed data.
- Enhance third-party risk management to mitigate supply chain attacks (e.g., Salesforce breaches).
- Law enforcement should continue targeting cybercrime infrastructure to disrupt operations.
- Organizations should prepare for potential data leaks even after ransomware attacks are 'resolved.'

Incident : Cybercriminal Alliance Formation SAL5402554110625

Recommendations:
- Monitor dark web/Telegram channels for SLH activity and zero-day exploit discussions.
- Enhance AI-driven phishing/vishing detection for credential harvesting campaigns.
- Implement zero-trust architectures to mitigate lateral movement risks in cloud/SaaS environments.
- Collaborate with vulnerability brokerage programs to preempt exploit proliferation.
- Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:
- Non-human identities (NHIs) are persistent, high-privilege targets for attackers.
- OAuth token abuse can bypass MFA, highlighting the need for stricter access controls.
- Organizations often lack visibility into NHIs, increasing risk of exploitation.
- Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks.
- OAuth tokens and connected applications are high-value targets for attackers.
- Social engineering and malicious OAuth apps can bypass traditional security controls.
- Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks.
- Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations.
- Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.
- Third-party integrations (e.g., Salesloft Drift) introduce significant supply-chain risks; rigorous vendor security assessments are critical.
- OAuth tokens and API keys must be protected with **2FA and strict access controls** to prevent abuse.
- Social engineering (vishing/phishing) remains a highly effective attack vector; **employee training and verification protocols** are essential.
- Lateral movement to cloud platforms (Google Workspace, Microsoft 365, Okta) underscores the need for **zero-trust architecture and segmentation**.
- Proactive threat hunting and **dark web monitoring** can help detect stolen data early.
- Incident response plans must include **third-party breach scenarios** with clear escalation paths.
- Vishing Remains Effective for OAuth Abuse (Salesforce).
- Third-Party Vendors Are Critical Attack Vectors (Discord, Salesloft).
- GitLab Server Hardening Needed (Red Hat).
- Zero-Day Patching Urgency (Oracle CVE-2025-61882).
- Extortion Groups Evolve Tactics (Victim-Shaming Blogs, Malware Threats).
- Cross-Group Collaboration (Scattered Spider + Lapsus$ + ShinyHunters).
- Third-party app integrations introduce significant risk; rigorous vetting and monitoring are critical.
- OAuth token management requires stricter controls (e.g., rotation, least-privilege access).
- GitHub account security is a high-value target for attackers; MFA and access logging are essential.
- Public refusal to pay ransom can deter attackers but may escalate data leak risks.
- Cybercrime forums are vulnerable to law enforcement takedowns, especially with international cooperation.
- Data backups can be compromised if stored within seized infrastructure.
- High-profile data leak threats can accelerate law enforcement action.
- The 'era of forums' for cybercriminals may be ending due to increased scrutiny and takedowns.
- Cybercriminal consolidation enhances operational resilience and technical sophistication.
- Telegram's role as both a coordination and performative marketing tool amplifies psychological impact.
- Exploit brokerage and zero-day vulnerabilities are critical force multipliers for modern threat actors.
- Extortion-as-a-Service (EaaS) models lower the barrier to entry for affiliate-driven attacks.
- Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.

References

Where can I find more information about each incident ?

Incident : Data Breach SAL729082725

Source: Google Threat Intelligence Group (GTIG) and Mandiant Advisory

Date Accessed: 2025-08-20

Incident : Data Breach SAL729082725

Source: Astrix Security Blog Post

Date Accessed: 2025-08-20

Incident : Data Breach SAL729082725

Source: Hackread.com (Jonathan Sander interview)

URL: https://hackread.com

Date Accessed: 2025-08-20

Incident : Data Breach SAL5732257091825

Source: Google Mandiant Threat Intelligence Report on UNC6040/UNC6395

Incident : Data Breach SAL5732257091825

Source: FBI Advisory on ShinyHunters/Scattered Spider Campaigns

Incident : Data Breach SAL5732257091825

Source: Salesforce Customer Advisory on Mitigation Measures

Incident : Data Breach SAL5732257091825

Source: ShinyHunters Telegram/Leak Site (Evidence of Breach)

Incident : Data Breach SAL5732257091825

Source: Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity)

Incident : Data Breach SAL5592855100325

Source: Information Security Media Group (ISMG)

URL: https://www.ismg.com

Date Accessed: 2023-09-15

Incident : Data Breach SAL5592855100325

Source: FBI Cyber Division Advisory (UNC6040)

URL: https://www.fbi.gov

Date Accessed: 2023-09-12

Incident : Data Breach SAL5592855100325

Source: Google Mandiant Defensive Framework

URL: https://www.mandiant.com

Date Accessed: 2023-09-12

Incident : Data Breach SAL5592855100325

Source: Resecurity Report on 'The Com' Cybercrime Collective

URL: https://www.resecurity.com

Date Accessed: 2023-09-10

Incident : Extortion SAL2102121100425

Source: The Register

URL: https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/

Date Accessed: 2024-09-27

Incident : Extortion SAL2102121100425

Source: Salesforce Security Advisory

Date Accessed: 2024-09-26

Incident : Extortion SAL2102121100425

Source: Google Threat Intelligence Group

Date Accessed: 2024-08-08

Incident : Extortion SAL2102121100425

Source: Cloudflare (OAuth Abuse Report)

Date Accessed: 2024-08

Incident : Data Breach SAL0962109100825

Source: BleepingComputer

URL: https://www.bleepingcomputer.com

Date Accessed: 2025-09-17T00:00:00Z

Incident : Data Breach SAL0962109100825

Source: Bloomberg

URL: https://www.bloomberg.com

Date Accessed: 2025-09-17T00:00:00Z

Incident : Data Breach SAL0562205100825

Source: KrebsOnSecurity

URL: https://krebsonsecurity.com

Date Accessed: 2025-10

Incident : Data Breach SAL0562205100825

Source: Google Threat Intelligence Group (GTIG)

URL: https://blog.google/threat-analysis-group/

Date Accessed: 2025-06

Incident : Data Breach SAL0562205100825

Source: Mandiant (Charles Carmichael LinkedIn)

URL: https://www.linkedin.com/in/charles-carmichael-mandiant

Date Accessed: 2025-10-05

Incident : Data Breach SAL0562205100825

Source: Red Hat Security Advisory

URL: https://access.redhat.com/security

Date Accessed: 2025-10-02

Incident : Data Breach SAL0562205100825

Source: US Department of Justice (Noah Urban Sentencing)

URL: https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group

Date Accessed: 2025-08

Incident : Data Breach SAL0562205100825

Source: UK National Crime Agency (Scattered Spider Charges)

URL: https://www.nationalcrimeagency.gov.uk/news

Date Accessed: 2025-09

Incident : Data Breach SAL3132231100825

Source: Bloomberg

Incident : Data Breach SAL3132231100825

Source: Google Threat Intelligence Group

Date Accessed: August 2024

Incident : Data Breach SAL5002150100925

Source: Mandiant (Google-owned)

Date Accessed: 2024-06-01

Incident : Data Breach SAL5002150100925

Source: Salesforce Public Statement

Date Accessed: 2024-07-10

Incident : Law Enforcement Takedown SAL4232242101025

Source: BleepingComputer

URL: https://www.bleepingcomputer.com

Date Accessed: 2025-10-09

Incident : Data Breach SAL5602056101125

Source: BreachForums extortion site

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: GBHackers (GBH)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: SLH Telegram Channels (e.g., 'scattered LAPSUS$ hunters 7.0')

Incident : Cybercriminal Alliance Formation SAL5402554110625

Source: GitHub Repository (Yukari/Cvsp - BlackLotus/Medusa)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources listed under References above, together with the following articles that are not listed there:

Source: BleepingComputer

URL: https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/

Date Accessed: 2023-09-15

Source: BleepingComputer

URL: https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/

Date Accessed: 2025-10

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach SAL729082725

Investigation Status: Ongoing (as of August 20, 2025)

Incident : Data Breach SAL5732257091825

Investigation Status: Ongoing (FBI and Private Sector Investigations)

Incident : Data Breach SAL5592855100325

Investigation Status: Ongoing (FBI, Mandiant, Salesforce, and Affected Companies)

Incident : Extortion SAL2102121100425

Investigation Status: Ongoing (Salesforce, Mandiant, law enforcement)

Incident : Data Breach SAL0962109100825

Investigation Status: Ongoing (domain seizure suggests active law enforcement involvement)

Incident : Data Breach SAL0562205100825

Investigation Status: Ongoing (Law Enforcement, Forensic Analysis by Victim Companies)

Incident : Data Breach SAL3132231100825

Investigation Status: Ongoing (SalesLoft has not publicly responded; Salesforce supporting customers)

Incident : Data Breach SAL5002150100925

Investigation Status: Ongoing (Mandiant tracking as UNC6040)

Incident : Law Enforcement Takedown SAL4232242101025

Investigation Status: Ongoing (FBI and French authorities)

Incident : Data Breach SAL5602056101125

Investigation Status: Ongoing (allegations not confirmed by Salesforce or affected companies as of report)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Investigation Status: Ongoing (as of 2025-2026)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through advisories issued by GTIG/Mandiant, notifications to affected organizations, a public blog post by Astrix Security, Salesforce customer advisories, the FBI public advisory on UNC6040/UNC6395, public disclosure via media (ISMG, BleepingComputer), customer advisories (pending), regulatory notifications, public security advisories, media statements, public statements and customer emails, Salesforce customer advisories (no-negotiation policy), Red Hat public disclosure (October 2, 2025), Discord direct emails to affected users, the Oracle security advisory for CVE-2025-61882, an internal memo (leaked to Bloomberg), a public statement on non-payment of ransom, customer advisories, public refusal of the ransom demand (email statement), a public announcement via BleepingComputer, and a PGP-signed message from ShinyHunters on Telegram.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach SAL729082725

Stakeholder Advisories: GTIG/Mandiant Advisory, Salesforce/Salesloft Notifications To Affected Organizations.

Customer Advisories: Recommendations for credential rotation and access control hardening

Incident : Data Breach SAL5732257091825

Stakeholder Advisories: Salesforce Urgent Security Advisory, FBI Private Industry Notification (PIN).

Customer Advisories: Salesforce Recommendations for Customers to Secure Environments

Incident : Data Breach SAL5592855100325

Stakeholder Advisories: Salesforce Security Bulletin (Pending), Vendor Notifications To Affected Customers, Regulatory Disclosures (e.g., SEC Filings For Public Companies).

Customer Advisories: Recommended: Password Resets for Affected Accounts, Credit Monitoring for Exposed PII, Phishing Awareness Alerts

Incident : Extortion SAL2102121100425

Stakeholder Advisories: Salesforce security advisory (2024-09-26)

Customer Advisories: Notifications sent to affected organizations (via Salesforce and Google)

Incident : Data Breach SAL0962109100825

Stakeholder Advisories: Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom.

Customer Advisories: Customers advised of potential data leaks and encouraged to monitor for unauthorized access.

Incident : Data Breach SAL0562205100825

Stakeholder Advisories: Salesforce: 'Will Not Negotiate Or Pay Extortion' (October 2025); Red Hat: 'Notify Affected Customers' (October 2, 2025); Discord: 'Limited User Impact, Password Resets Advised' (September 2025).

Customer Advisories: Salesforce: Monitor for Phishing, Enable MFA; Discord: Reset Passwords, Watch for Identity Theft; Red Hat: Audit GitLab Access, Rotate Compromised Tokens

Incident : Data Breach SAL3132231100825

Stakeholder Advisories: Salesforce Internal Memo (Leaked To Bloomberg), Customer Notifications For Token Renewal.

Customer Advisories: Token renewal instructions, support channels for affected organizations

Incident : Law Enforcement Takedown SAL4232242101025

Customer Advisories: Companies affected by the Salesforce campaign (e.g., FedEx, Disney, Google) may need to notify customers of potential data exposure.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: GTIG/Mandiant Advisory; Salesforce/Salesloft Notifications To Affected Organizations; Recommendations For Credential Rotation And Access Control Hardening; Salesforce Urgent Security Advisory; FBI Private Industry Notification (PIN); Salesforce Recommendations For Customers To Secure Environments; Salesforce Security Bulletin (Pending); Vendor Notifications To Affected Customers; Regulatory Disclosures (e.g., SEC Filings For Public Companies); Recommended: Password Resets For Affected Accounts, Credit Monitoring For Exposed PII, Phishing Awareness Alerts; Salesforce security advisory (2024-09-26); Notifications sent to affected organizations (via Salesforce and Google); Salesforce emailed customers on 2025-09-17 to warn about extortion threats and refusal to pay ransom; Customers advised of potential data leaks and encouraged to monitor for unauthorized access; Salesforce: 'Will Not Negotiate Or Pay Extortion' (October 2025); Red Hat: 'Notify Affected Customers' (October 2, 2025); Discord: 'Limited User Impact, Password Resets Advised' (September 2025); Salesforce: Monitor For Phishing, Enable MFA; Discord: Reset Passwords, Watch For Identity Theft; Red Hat: Audit GitLab Access, Rotate Compromised Tokens; Salesforce Internal Memo (Leaked To Bloomberg); Customer Notifications For Token Renewal; Token Renewal Instructions; Support Channels For Affected Organizations; Companies Affected By The Salesforce Campaign (e.g., FedEx, Disney, Google) May Need To Notify Customers Of Potential Data Exposure.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach SAL729082725

Entry Point: Compromised OAuth tokens from Salesloft Drift application

Reconnaissance Period: Likely conducted prior to August 8, 2025 (exact duration undisclosed)

High Value Targets: AWS Access Keys, Snowflake Tokens, Customer/Opportunity Data

Data Sold on Dark Web: AWS Access Keys, Snowflake Tokens, Customer/Opportunity Data

Incident : Data Breach SAL5732257091825

Entry Point: Compromised Salesloft GitHub Repository (Secrets Exposure), Malicious OAuth Applications (Drift/Salesforce Integration)

Reconnaissance Period: At Least 1 Year (Ongoing Campaigns)

High Value Targets: Salesforce CRM Data, AWS/Snowflake Credentials In Case Records, Source Code Repositories

Data Sold on Dark Web: Salesforce CRM Data, AWS/Snowflake Credentials In Case Records, Source Code Repositories

Incident : Data Breach SAL5592855100325

Entry Point: Salesloft GitHub Repository (Stolen OAuth Tokens)

Reconnaissance Period: 2023-08-08 to 2023-08-18 (Per Google’s Threat Intelligence)

Backdoors Established: Persistent Access via Compromised OAuth Tokens; Lateral Movement to Google Workspace/Microsoft 365

High Value Targets: Salesforce CRM Data, Customer PII, Corporate Support Case Records

Data Sold on Dark Web: Salesforce CRM Data, Customer PII, Corporate Support Case Records

Incident : Extortion SAL2102121100425

Entry Point: OAuth tokens via Salesloft's Drift integration

High Value Targets: Salesforce Customer Data, CRM Environments

Data Sold on Dark Web: Salesforce Customer Data, CRM Environments

Incident : Data Breach SAL0962109100825

Entry Point: Malicious OAuth Applications, Stolen Salesloft Drift OAuth Tokens

Reconnaissance Period: Late 2024 (first campaign), Early August 2025 (second campaign)

High Value Targets: CRM Databases, Support Tickets, Credentials/Tokens

Data Sold on Dark Web: CRM Databases, Support Tickets, Credentials/Tokens

Incident : Data Breach SAL0562205100825

Entry Point: Voice Phishing Calls (Salesforce), Compromised Third-Party Vendor (Discord), Exploited GitLab Misconfiguration (Red Hat), Zero-Day Exploit (Oracle CVE-2025-61882), Malicious OAuth App (Salesforce)

Reconnaissance Period: Months (Salesforce Campaign Planned Since Early 2025)

Backdoors Established: ASYNCRAT Trojan (Targeted Security Researchers); Persistent GitLab Access (Red Hat)

High Value Targets: Fortune 500 Salesforce Data, Red Hat Customer Engagement Reports (CERs), Oracle E-Business Suite Servers, Discord Government ID Images

Data Sold on Dark Web: Fortune 500 Salesforce Data, Red Hat Customer Engagement Reports (CERs), Oracle E-Business Suite Servers, Discord Government ID Images

Incident : Data Breach SAL3132231100825

Entry Point: SalesLoft GitHub Account (Compromised March–June 2024)

Reconnaissance Period: Likely conducted prior to March 2024 (exact duration unknown)

Backdoors Established: Stolen OAuth Tokens (Persistent Access)

High Value Targets: Salesforce Integrations, Drift App AWS Environment, Customer CRM Data

Data Sold on Dark Web: Salesforce Integrations, Drift App AWS Environment, Customer CRM Data

Incident : Data Breach SAL5002150100925

Entry Point: Voice Phishing (Vishing) Calls

Reconnaissance Period: Likely conducted prior to May 2024

Backdoors Established: Attacker-controlled app integrated into Salesforce portals

High Value Targets: Salesforce Customer Data

Data Sold on Dark Web: Salesforce Customer Data

Incident : Law Enforcement Takedown SAL4232242101025

High Value Targets: Salesforce Customer Data, Corporate Databases

Data Sold on Dark Web: Salesforce Customer Data, Corporate Databases

Incident : Data Breach SAL5602056101125

High Value Targets: Salesforce Customer Data (39 Large Corporations)

Data Sold on Dark Web: Salesforce Customer Data (39 Large Corporations)

Incident : Cybercriminal Alliance Formation SAL5402554110625

Entry Point: AI-Automated Vishing, Spearphishing, Credential Harvesting

High Value Targets: Salesforce, SaaS Providers, Cloud Infrastructure, Database Systems

Data Sold on Dark Web: Salesforce, SaaS Providers, Cloud Infrastructure, Database Systems

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Cyber Attack SAL215719323

Root Causes: Inadvertent Permissions

Corrective Actions: Blocked Access To Orgs With Inadvertent Permissions

Incident : Data Breach SAL729082725

Root Causes: Overprivileged Non-Human Identities (NHIs) With Persistent Access; Lack Of Visibility/Management Of OAuth Tokens And Connected Apps; Insufficient Restrictions On Connected App Scopes In Salesforce.

Corrective Actions: Revoke And Rotate Compromised OAuth Tokens; Enforce IP Restrictions And User-Agent Monitoring; Audit And Secure Exposed Secrets In Salesforce Environments; Implement Inventory And Governance For NHIs.

Incident : Data Breach SAL5732257091825

Root Causes: Weak OAuth Token Management In Drift/Salesloft Integrations, Lack Of MFA For High-Risk Accounts/Applications, Excessive Privileges Granted To Connected Apps, Exposed Secrets In Public/Private Repositories (GitHub), Inadequate Monitoring For Anomalous OAuth App Activity

Corrective Actions: Salesforce: Enforced MFA And Least Privilege Guidelines For Customers; Drift/Salesloft: Revoked Compromised OAuth Tokens And Audited Integrations; Affected Companies: Initiated Credential Rotation And Access Reviews; FBI: Shared Indicators Of Compromise (IOCs) For Detection

Incident : Data Breach SAL5592855100325

Root Causes:
1. **Weak OAuth Security**: Salesloft's GitHub repository lacked protection for OAuth tokens, enabling initial access.
2. **Third-Party Risk**: The Salesloft Drift integration was not adequately vetted for security vulnerabilities.
3. **Social Engineering Gaps**: Support staff were tricked into granting access via vishing/phishing (UNC6040 tactics).
4. **Lack Of 2FA**: OAuth applications and admin accounts did not enforce multi-factor authentication.
5. **Lateral Movement Opportunities**: Poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365, and Okta.

Corrective Actions:
**Immediate:**
- Revoke all compromised OAuth tokens and enforce 2FA for new tokens.
- Isolate and audit all third-party integrations with Salesforce.
- Reset credentials for affected employees/customers.
**Short-Term:**
- Deploy **behavioral analytics** to detect anomalous access patterns.
- Conduct **phishing/vishing simulations** to test employee awareness.
- Implement **network segmentation** between cloud platforms.
**Long-Term:**
- Establish a **third-party risk management program** with regular vendor audits.
- Adopt a **zero-trust architecture** to limit lateral movement.
- Develop a **supply-chain breach playbook** for future incidents.

Incident : Extortion SAL2102121100425

Root Causes: OAuth Token Misuse, Third-Party Integration Vulnerabilities (Drift), Potential Insider Threats Or Credential Theft

Incident : Data Breach SAL0962109100825

Root Causes: Insufficient OAuth Application Security, Lack Of Monitoring For Anomalous Data Access, Supply Chain Vulnerability (Salesloft Drift Tokens), Successful Social Engineering Attacks

Incident : Data Breach SAL0562205100825

Root Causes: Lack Of MFA On Salesforce OAuth Integrations, Insufficient Third-Party Vendor Security (Discord), GitLab Server Misconfiguration (Red Hat), Delayed Patching (Oracle CVE-2025-61882), Social Engineering Susceptibility (Vishing Success)

Corrective Actions: Salesforce: Stricter OAuth App Review Process; Discord: Vendor Security Audits; Red Hat: GitLab Hardening, Token Rotation; Oracle: Emergency Patch Deployment; Cross-Industry: Shared Threat Intelligence On ShinyHunters Tactics

Incident : Data Breach SAL3132231100825

Root Causes: Inadequate Security Controls For Salesloft's GitHub Account (e.g., Lack Of MFA, Monitoring); Overprivileged OAuth Tokens With Prolonged Validity; Lack Of Segmentation Between Drift App And Salesforce Customer Environments; Delayed Detection Of GitHub Account Compromise (March–June 2024).

Corrective Actions: Salesforce Disabled Drift App And Mandated Token Renewal; Salesloft Likely Reviewing GitHub Security And Token Management (Unconfirmed); Affected Customers Advised To Rotate Credentials And Audit Integrations.

Incident : Data Breach SAL5002150100925

Root Causes: Human Error (Compliance With Fraudulent Calls), Lack Of Multi-Factor Authentication For App Integrations

Incident : Law Enforcement Takedown SAL4232242101025

Root Causes: Centralized Infrastructure (BreachForums) Created A Single Point Of Failure For Cybercriminal Operations; Underestimation Of Law Enforcement's Ability To Seize Backups And Escrow Databases; Over-Reliance On Forum-Based Models For Data Extortion Campaigns.

Corrective Actions: ShinyHunters Declared No Further Reboots Of BreachForums, Suggesting A Shift To Decentralized Or Darker Web-Only Operations; Increased Caution Among Cybercriminals Regarding Forum-Based Activities (Perceived As 'Honeypots'); Potential Migration Of Data Leak Operations To More Secure, Less Detectable Platforms.

Incident : Cybercriminal Alliance Formation SAL5402554110625

Root Causes: Exploitation Of Zero-Day Vulnerabilities (e.g., CVE-2025-61882); Lack Of Adaptive Defenses Against AI-Driven Social Engineering; Fragmented Cybercriminal Ecosystems Enabling Consolidation (e.g., Post-BreachForums Vacuum); Over-Reliance On Traditional Perimeter Security In Cloud/SaaS Environments.

Corrective Actions: Proactive Zero-Day Patch Management And Exploit Mitigation; Behavioral Analytics For Credential-Based Attacks; Dark Web Monitoring For Emerging Threat Actor Alliances; Cross-Sector Collaboration To Disrupt EaaS Models.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security; checking for specific IP addresses/User-Agent strings linked to attackers; Google Mandiant (threat intelligence), FBI (advisory & investigation); Mandiant (Google's incident response), Salesforce security team, FBI Cyber Division; Salesforce instance logs, cloud platform (Google Workspace, Microsoft 365, Okta) activity; Mandiant (Google), external cybersecurity experts; Google Threat Intelligence Group (GTIG), Mandiant (malware analysis), law enforcement (FBI, UK NCA); Salesforce: increased logging for OAuth integrations, Red Hat: GitLab access audits; Google Threat Intelligence Group (warnings); likely (implied by Google Threat Intelligence collaboration); Mandiant (Google-owned threat intelligence); French law enforcement (BL2C unit).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis:
- Blocked access to orgs with inadvertent permissions.
- Revoke and rotate compromised OAuth tokens; enforce IP restrictions and User-Agent monitoring; audit and secure exposed secrets in Salesforce environments; implement inventory and governance for NHIs.
- Salesforce: enforced MFA and least privilege guidelines for customers; Drift/Salesloft: revoked compromised OAuth tokens and audited integrations; affected companies: initiated credential rotation and access reviews; FBI: shared indicators of compromise (IOCs) for detection.
- Immediate: revoke all compromised OAuth tokens and enforce 2FA for new tokens; isolate and audit all third-party integrations with Salesforce; reset credentials for affected employees/customers. Short-term: deploy behavioral analytics to detect anomalous access patterns; conduct phishing/vishing simulations to test employee awareness; implement network segmentation between cloud platforms. Long-term: establish a third-party risk management program with regular vendor audits; adopt a zero-trust architecture to limit lateral movement; develop a supply-chain breach playbook for future incidents.
- Salesforce: stricter OAuth app review process; Discord: vendor security audits; Red Hat: GitLab hardening, token rotation; Oracle: emergency patch deployment; cross-industry: shared threat intelligence on ShinyHunters tactics.
- Salesforce disabled the Drift app and mandated token renewal; Salesloft likely reviewing GitHub security and token management (unconfirmed); affected customers advised to rotate credentials and audit integrations.
- ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or darker web-only operations; increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots'); potential migration of data leak operations to more secure, less detectable platforms.
- Proactive zero-day patch management and exploit mitigation; behavioral analytics for credential-based attacks; dark web monitoring for emerging threat actor alliances; cross-sector collaboration to disrupt EaaS models.

Additional Questions

General Information

Has the company ever paid ransoms ?

Ransom Payment History: The company has paid ransoms in the past.

What was the amount of the last ransom demanded ?

Last Ransom Demanded: The amount of the last ransom demanded was: Extortion Threats (No Specific Ransom Amount Disclosed).

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group(s) in the last incident were recorded as:
- UNC6395
- ShinyHunters, Scattered Spider, Lapsus$, UNC6040 (Google Mandiant), UNC6395 (Google Mandiant), Scattered Lapsus$ Hunters
- Scattered Lapsus$ Hunters (aka ShinyHunters), UNC6040, The Com (English-speaking cybercrime collective)
- Scattered LAPSUS$ Hunters (SLH), Scattered Spider, ShinyHunters, Lapsus$
- Scattered Lapsus$ Hunters, ShinyHunters
- Name: ShinyHunters (UNC6040); Aliases: Scattered LAPSUS$ Hunters, UNC6240, UNC6395; Affiliation: Scattered Spider, Lapsus$, The Com (Cybercriminal Community); Nationality: English-speaking (Multinational)
- Name: Crimson Collective; Role: Claimed Responsibility for Red Hat Breach
- Name: Clop Ransomware Gang; Role: Exploited CVE-2025-61882 Prior to Public Disclosure
- ShinyHunters, Scattered LAPSUS$ Hunters, UNC6040 (Mandiant designation)
- ShinyHunters, Scattered Lapsus$ Hunters
- ShinyHunters, Scattered Spider, LAPSUS$, Scattered Lapsus$ Hunters
- Name: Scattered LAPSUS$ Hunters (SLH); Aliases: SLH, scattered LAPSUS$ hunters 7.0; Affiliated Groups: Scattered Spider, ShinyHunters, LAPSUS$, The Com; Operational Model: Extortion-as-a-Service (EaaS), Crowdsourced Extortion, Vulnerability Brokerage. Members recorded:
  - Alias: shinycorp; Handles: @sp1d3rhunters, @shinyc0rp; Role: Principal Orchestrator
  - Alias: yuka; Handles: none; Role: Exploit Developer; Associated Malware: BlackLotus UEFI bootkit, Medusa rootkit
  - Alias: Alg0d; Handles: none; Role: Auxiliary Operator
  - Alias: UNC5537; Handles: none; Role: Auxiliary Operator

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-08-18.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-08-08.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-08-20.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were: Customer account data, User data, Opportunities data, AWS access keys, Snowflake tokens, High-value secrets; Salesforce Account: 250 million records, Salesforce Contact: 579 million records, Salesforce Opportunity: 171 million records, Salesforce User: 60 million records, Salesforce Case: 459 million records, Total: 1.5 billion records; Personally Identifiable Information (PII), Shipping Information, Marketing Lead Data, Customer Support Case Records, Chat Transcripts, Flight Details, Car Ownership Records, Employment Histories, Passport Numbers, Full Contact Information; 1 billion records (claimed by threat actors), Customer Data, Support Tickets, Credentials, API Tokens, Authentication Tokens; Salesforce Customer Records (>1B), Discord User Data (Usernames, Emails, IP Addresses, Payment Card Last 4 Digits, Government IDs), Red Hat GitLab Repositories (28,000+ Repos, 5,000+ Customer Engagement Reports, API Tokens, Infrastructure Details), Oracle E-Business Suite Data (Via CVE-2025-61882), Salesloft Authentication Tokens (Cloud Services: Snowflake, AWS); Customer Contact Details, IT Support Information, Access Tokens, IT Configurations, CRM Fields, Support Cases, Integration Data; ~1 billion records; Corporate Data, Customer Records (1+ billion), Escrow Databases, Database Backups (since 2023); one billion records (alleged); Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises).

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were: Customer Instances; Salesforce corporate accounts, Salesloft Drift application; Salesforce CRM, Drift AI Chat/Email Services, Salesloft Platform, GitHub Repository (Salesloft), Connected Applications (AWS, Snowflake, etc.); Salesforce CRM Instances, Salesloft Drift AI Chatbot, Google Workspace, Microsoft 365, Okta Platforms, GitHub Repository (Salesloft); Salesforce environments of ~40 companies, Customer data via OAuth abuse; Salesforce CRM Instances, SalesLoft Drift Environments; Salesforce Instances (Multiple Fortune 500 Companies), Discord Third-Party Customer Service Provider, Red Hat GitLab Server, Oracle E-Business Suite Servers, Salesloft AI Chatbot Platform; SalesLoft Drift App, Salesforce Integrations, Drift’s AWS Environment, GitHub Account (SalesLoft); Salesforce Customer Portals; BreachForums Domains, Backend Servers, Database Backups; Cloud Infrastructure, SaaS Platforms (e.g., Salesforce), Database Systems.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was: Google Threat Intelligence Group (GTIG), Mandiant, Astrix Security; Google Mandiant (threat intelligence), FBI (advisory & investigation); Mandiant (Google's incident response), Salesforce security team, FBI Cyber Division; Mandiant (Google), external cybersecurity experts; Google Threat Intelligence Group (GTIG), Mandiant (malware analysis), law enforcement (FBI, UK NCA); Google Threat Intelligence Group (warnings); Mandiant (Google-owned threat intelligence); French law enforcement (BL2C unit).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Blocked access to affected instances; Revoked all active access tokens for Drift app (August 20, 2025), Temporarily removed Drift from Salesforce AppExchange; Revoking Compromised OAuth Tokens, Isolating Affected Salesforce Instances, Disabling Salesloft Drift Integrations; Salesforce: Disabled Malicious OAuth Apps, Red Hat: Isolated Compromised GitLab Server, Discord: Terminated Third-Party Vendor Access, Oracle: Emergency Patch for CVE-2025-61882; Disabled Drift App Integration, Token Renewal Mandate for Customers; Domain Seizure, Backend Server Seizure, Nameserver Redirection to FBI.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Snowflake tokens, Authentication Tokens, Red Hat GitLab Repositories (28,000+ Repos, 5,000+ Customer Engagement Reports, API Tokens, Infrastructure Details), Full Contact Information, Potential CRM/SaaS/Database Records (Salesforce and other high-value enterprises), Integration Data, Chat Transcripts, IT Configurations, Shipping Information, Escrow Databases, Employment Histories, Database Backups (since 2023), Marketing Lead Data, Customer Records (1+ billion), Oracle E-Business Suite Data (Via CVE-2025-61882), AWS access keys, IT Support Information, User data, ~1 billion records, Flight Details, Access Tokens, Support Cases, Corporate Data, 1 billion records (claimed by threat actors), Salesforce Customer Records (>1B), CRM Fields, Passport Numbers, Customer Support Case Records, Customer Contact Details, High-value secrets, one billion records (alleged), API Tokens, Support Tickets, Customer account data, Salesloft Authentication Tokens (Cloud Services: Snowflake, AWS), Credentials, Discord User Data (Usernames, Emails, IP Addresses, Payment Card Last 4 Digits, Government IDs), Car Ownership Records, Customer Data, Personally Identifiable Information (PII) and Opportunities data.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 8.5B.

Ransomware Information

What was the highest ransom demanded in a ransomware incident ?

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was unspecified (threatened leak if unpaid by October 10, 2023, 11:59 p.m. EST).

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was: Pending (Potential Class-Action Lawsuits), Regulatory Investigations; Arrests of UK teens (Scattered Spider members), Ongoing investigations; UK Charges Against Scattered Spider Members (September 2025), US Charges Against Thalha Jubair (MGM, Caesars, Harrods Attacks), Extradition of Tyler Buchanan (Spain to US, April 2025), Noah Urban Sentencing (10 Years, August 2025); Arrests of BreachForums Admins (France), Charges Against Kai West ('IntelBroker') in U.S.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Theatrical branding and narrative control are strategic assets equivalent to technical capabilities.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The recommendations recorded across the incidents on this page, grouped by theme:

Identity, OAuth and connected apps
- Create an inventory of non-human identities (NHIs) to improve visibility and security.
- Rotate compromised credentials and enforce least-privilege access for NHIs.
- Harden access controls by restricting Connected App scopes in Salesforce.
- Audit and monitor OAuth applications and connected apps for suspicious activity; conduct a full audit of third-party app permissions in Salesforce and disable unused integrations.
- Conduct third-party security audits for all integrated apps, especially those with OAuth access.
- Enhance OAuth application security and monitoring.
- Immediately revoke and rotate OAuth tokens for all third-party integrations; implement automated token rotation and anomaly detection for cloud environments.
- Enforce MFA for all user and service accounts, especially those with access to sensitive data, and for OAuth applications, OAuth integrations and admin accounts (Salesforce).
- Implement stricter access controls for third-party integrations.
- Implement IP restrictions to limit access to trusted locations.
- Apply the principle of least privilege to CRM data and APIs.

Monitoring and detection
- Monitor for unauthorized data exfiltration and unusual data access patterns in CRM environments, especially Salesforce.
- Monitor for suspicious IP addresses and User-Agent strings associated with the attackers.
- Deploy behavioral analytics and anomaly detection to identify suspicious access patterns.
- Enhance AI-driven phishing/vishing detection for credential-harvesting campaigns.
- Monitor dark web forums, leak sites and Telegram channels for stolen data, leaked credentials, mentions of your organization, Scattered LAPSUS$ Hunters (SLH) activity and zero-day exploit discussions.

Secrets and source repositories
- Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog.
- Conduct audits to identify and secure exposed secrets within Salesforce data.
- Enhance GitHub security with mandatory MFA, IP restrictions and regular access reviews; isolate GitLab and other sensitive repositories (Red Hat).

Third-party and supply-chain risk
- Enhance third-party risk management to mitigate supply chain attacks (e.g., the Salesforce breaches); review supply chain security for third-party SaaS providers.
- Audit third-party vendor security (Discord, Salesloft); assess vendors with penetration testing and contractually enforce security standards.

Architecture and patching
- Isolate high-value systems (e.g., CRM) from less secure environments and implement network segmentation to limit lateral movement between cloud platforms (e.g., Salesforce, Google Workspace, Okta).
- Implement zero-trust architectures to mitigate lateral-movement risk in cloud/SaaS environments.
- Patch promptly and apply zero-day patches immediately (Oracle); unpatched software such as Oracle E-Business Suite is a common attack vector.

People
- Train employees on social engineering tactics, particularly vishing, IT-impersonation scams, phishing and malicious OAuth app requests (Salesforce customers), through regular security awareness training.

Incident response and communication
- Develop and test incident response plans for extortion and data-breach scenarios, including a unified plan for supply chain attacks involving multiple vendors and a third-party breach response plan with legal, PR and technical playbooks.
- Prepare for data leaks even after ransomware attacks are 'resolved'.
- Proactively communicate with customers about breach scope and mitigation steps to maintain trust.
- Coordinate with law enforcement (FBI; INTERPOL for cross-border cases).

Ecosystem-level measures
- Law enforcement should continue targeting cybercrime infrastructure to disrupt operations.
- Collaborate with vulnerability brokerage programs to preempt exploit proliferation.
- Develop counter-narrative strategies to disrupt threat actor branding and psychological operations.
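The detection recommendations above (monitoring for suspicious IP addresses and User-Agent strings, unusual data access patterns, and deciding which integration tokens to revoke) as a small working script. This is an added example, not Rankiteo's, Salesforce's or any vendor's code: the CSV records, column names, trusted networks, expected User-Agent strings and bulk-read threshold are all constructed or assumed, and a real Salesforce EventLogFile export would need its columns mapped to these fields first.

```python
"""Added example: flag API events that match the patterns the recommendations
call out (untrusted source IP, unexpected User-Agent for a connected app,
bulk reads of CRM objects) and derive which identities need token rotation.

ASSUMPTIONS: the CSV below is constructed sample data; its column names
loosely follow Salesforce EventLogFile naming but are not a verified schema;
the trusted networks, known user agents and row threshold are illustrative.
"""
import csv
import io
import ipaddress

# Constructed sample records (RFC 5737 documentation addresses, fictional users).
SAMPLE_EVENTS_CSV = """\
TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,CLIENT_IP,USER_AGENT,ENTITY_NAME,ROWS_PROCESSED
2025-08-08T03:12:41Z,drift-integration@example.com,DriftConnector,203.0.113.17,python-requests/2.32.4,Case,44000
2025-08-08T03:13:02Z,drift-integration@example.com,DriftConnector,203.0.113.17,python-requests/2.32.4,Account,120000
2025-08-08T09:01:10Z,drift-integration@example.com,DriftConnector,198.51.100.5,Drift-Sync/3.2,Lead,180
2025-08-08T09:30:00Z,jane.admin@example.com,SalesforceUI,198.51.100.22,Mozilla/5.0,Opportunity,25
2025-08-08T10:05:55Z,drift-integration@example.com,DriftConnector,198.51.100.5,Drift-Sync/3.2,Contact,240
2025-08-08T11:45:13Z,svc-reporting@example.com,ReportingJob,198.51.100.40,curl-bulk-pull/0.1,Account,90000
"""

# Illustrative policy (assumed): the vendor's documented egress range plus the
# corporate range, the User-Agent each connected app is expected to present,
# and the row count above which a single read counts as a bulk export.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_AGENTS = {
    "DriftConnector": {"Drift-Sync/3.2"},
    "SalesforceUI": {"Mozilla/5.0"},
    "ReportingJob": {"ReportingJob/1.0"},
}
BULK_ROW_THRESHOLD = 10_000


def parse_events(csv_text):
    """Parse the CSV into dicts, converting ROWS_PROCESSED to int."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for ev in events:
        ev["ROWS_PROCESSED"] = int(ev["ROWS_PROCESSED"])
    return events


def ip_is_trusted(ip, networks):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_suspicious_events(events, trusted_networks=TRUSTED_NETWORKS,
                           known_agents=KNOWN_AGENTS,
                           row_threshold=BULK_ROW_THRESHOLD):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        if not ip_is_trusted(ev["CLIENT_IP"], trusted_networks):
            reasons.append("untrusted_ip")
        if ev["USER_AGENT"] not in known_agents.get(ev["CLIENT_NAME"], set()):
            reasons.append("unknown_user_agent")
        if ev["ROWS_PROCESSED"] >= row_threshold:
            reasons.append("bulk_read")
        if reasons:
            findings.append({
                "timestamp": ev["TIMESTAMP_DERIVED"],
                "user": ev["USER_NAME"],
                "client": ev["CLIENT_NAME"],
                "entity": ev["ENTITY_NAME"],
                "rows": ev["ROWS_PROCESSED"],
                "reasons": reasons,
            })
    return findings


def identities_to_rotate(findings):
    """Identities whose tokens should be revoked: anything that did a bulk read
    or came from an untrusted network. An unfamiliar User-Agent on its own
    only warrants investigation, so it does not trigger rotation by itself."""
    urgent = {"untrusted_ip", "bulk_read"}
    return sorted({f["user"] for f in findings if urgent & set(f["reasons"])})


if __name__ == "__main__":
    found = flag_suspicious_events(parse_events(SAMPLE_EVENTS_CSV))
    for f in found:
        print(f["timestamp"], f["user"], f["entity"], f["rows"], ",".join(f["reasons"]))
    print("rotate:", identities_to_rotate(found))
```

The per-client User-Agent baseline is the part worth building from your own history: a long-lived integration token that is suddenly driven by a generic HTTP client from a network the vendor never used, pulling whole objects, is the shape of activity the recommendations above are aimed at.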

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about these incidents are:
- BleepingComputer
- Astrix Security blog post
- Hackread.com (Jonathan Sander interview)
- Salesforce public statement
- KrebsOnSecurity
- Bloomberg
- Mandiant (Charles Carmichael on LinkedIn)
- Google Mandiant Threat Intelligence report on UNC6040/UNC6395
- SLH (Scattered LAPSUS$ Hunters) Telegram channels (e.g., 'scattered LAPSUS$ hunters 7.0')
- GBHackers (GBH)
- Google Mandiant defensive framework
- Mandiant (Google-owned)
- Media reports on the breach (e.g., BleepingComputer, KrebsOnSecurity)
- Google Threat Intelligence Group (GTIG), including the GTIG and Mandiant advisory
- US Department of Justice (Noah Urban sentencing)
- BreachForums extortion site
- GitHub repository (Yukari/Cvsp - BlackLotus/Medusa)
- Resecurity report on 'The Com' cybercrime collective
- Red Hat security advisory
- FBI Cyber Division advisory (UNC6040)
- Salesforce security advisory
- FBI advisory on ShinyHunters/Scattered Spider campaigns
- Salesforce customer advisory on mitigation measures
- The Register
- UK National Crime Agency (Scattered Spider charges)
- ShinyHunters Telegram/leak site (evidence of breach)
- Cloudflare (OAuth abuse report)
- Information Security Media Group (ISMG)

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are:
- https://hackread.com
- https://www.ismg.com
- https://www.bleepingcomputer.com/news/security/shinyhunters-ransomware-group-leaks-salesforce-customer-data/
- https://www.fbi.gov
- https://www.mandiant.com
- https://www.resecurity.com
- https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/
- https://www.bleepingcomputer.com
- https://www.bloomberg.com
- https://krebsonsecurity.com
- https://blog.google/threat-analysis-group/
- https://www.bleepingcomputer.com/news/security/oracle-rushes-patch-for-zero-day-exploited-by-clop-ransomware/
- https://www.linkedin.com/in/charles-carmichael-mandiant
- https://access.redhat.com/security
- https://www.justice.gov/opa/pr/florida-man-sentenced-10-years-prison-his-role-international-cybercrime-group
- https://www.nationalcrimeagency.gov.uk/news

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (as of August 20, 2025).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The stakeholder advisories recorded for these incidents are:
- GTIG/Mandiant advisory
- Salesforce/Salesloft notifications to affected organizations
- Salesforce Urgent Security Advisory
- FBI Private Industry Notification (PIN)
- Salesforce Security Bulletin (pending)
- Vendor notifications to affected customers
- Regulatory disclosures (e.g., SEC filings for public companies)
- Salesforce security advisory (2024-09-26)
- Salesforce email to customers on 2025-09-17 warning about extortion threats and stating its refusal to pay ransom
- Salesforce: 'Will Not Negotiate or Pay Extortion' (October 2025)
- Red Hat: 'Notify Affected Customers' (October 2, 2025)
- Discord: 'Limited User Impact, Password Resets Advised' (September 2025)
- Salesforce internal memo (leaked to Bloomberg)
- Customer notifications for token renewal

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The customer advisories recorded for these incidents are:
- Recommendations for credential rotation and access-control hardening
- Salesforce recommendations for customers to secure their environments
- Recommended: password resets for affected accounts, credit monitoring for exposed PII, phishing awareness alerts
- Notifications sent to affected organizations (via Salesforce and Google)
- Customers advised of potential data leaks and encouraged to monitor for unauthorized access
- Salesforce: monitor for phishing, enable MFA; Discord: reset passwords, watch for identity theft; Red Hat: audit GitLab access, rotate compromised tokens
- Token renewal instructions and support channels for affected organizations
- Companies affected by the Salesforce campaign (e.g., FedEx, Disney and Google) may need to notify customers of potential data exposure

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The entry points recorded for initial access are the SalesLoft GitHub account (compromised March–June 2025), voice phishing (vishing) calls, the Salesloft GitHub repository (stolen OAuth tokens), and compromised OAuth tokens obtained through Salesloft's Drift integration with Salesforce.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The reconnaissance periods recorded for these incidents are: likely conducted prior to August 8, 2025 (exact duration undisclosed); at least 1 year (ongoing campaigns); 2025-08-08 to 2025-08-18 (per Google's Threat Intelligence); late 2024 (first campaign) and early August 2025 (second campaign); months (Salesforce campaign planned since early 2025); likely conducted prior to March 2024 (exact duration unknown); likely conducted prior to May 2024.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The root causes identified in post-incident analysis of these incidents are:

Inadvertent permissions and over-privileged non-human identities
- Overprivileged non-human identities (NHIs) with persistent access.
- Lack of visibility into, and management of, OAuth tokens and connected apps.
- Insufficient restrictions on Connected App scopes in Salesforce.
- Excessive privileges granted to connected apps; overprivileged OAuth tokens with prolonged validity.

OAuth and third-party integration weaknesses (Drift/Salesloft)
- Weak OAuth token management in the Drift/Salesloft integrations; Salesloft's GitHub repository lacked protection for OAuth tokens, enabling initial access.
- Third-party risk: the Salesloft Drift integration was not adequately vetted for security vulnerabilities; supply-chain vulnerability via Salesloft Drift tokens.
- Lack of segmentation between the Drift app and Salesforce customer environments.
- Inadequate security controls for SalesLoft's GitHub account (e.g., lack of MFA, monitoring) and delayed detection of the GitHub account compromise (March–June 2025).
- Exposed secrets in public/private repositories (GitHub).
- Potential insider threats or credential theft.

Missing MFA
- Lack of MFA for high-risk accounts and applications, including OAuth applications, admin accounts, Salesforce OAuth integrations and app integrations.

Social engineering
- Support staff were tricked into granting access via vishing/phishing (UNC6040 tactics); human error in complying with fraudulent calls; susceptibility to vishing.
- Lack of adaptive defenses against AI-driven social engineering.

Monitoring and segmentation gaps
- Inadequate monitoring for anomalous OAuth app activity and anomalous data access.
- Poor segmentation allowed attackers to pivot to Google Workspace, Microsoft 365 and Okta.
- Over-reliance on traditional perimeter security in cloud/SaaS environments.

Other incidents aggregated on this page
- Insufficient third-party vendor security (Discord).
- GitLab server misconfiguration (Red Hat).
- Delayed patching and exploitation of zero-day vulnerabilities (Oracle, CVE-2025-61882).

From the threat-actor side (BreachForums seizure)
- Centralized infrastructure (BreachForums) created a single point of failure for cybercriminal operations.
- Underestimation of law enforcement's ability to seize backups and escrow databases.
- Over-reliance on forum-based models for data extortion campaigns; fragmented cybercriminal ecosystems enabling consolidation (e.g., the post-BreachForums vacuum).

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The corrective actions recorded in post-incident analysis of these incidents are:

Immediate containment
- Blocked access to orgs with inadvertent permissions.
- Revoked and rotated compromised OAuth tokens, enforcing 2FA for new tokens; Salesforce disabled the Drift app and mandated token renewal.
- Enforced IP restrictions and User-Agent monitoring.
- Audited and secured exposed secrets in Salesforce environments.
- Isolated and audited all third-party integrations with Salesforce; reset credentials for affected employees and customers.
- Implemented inventory and governance for NHIs.

By party
- Salesforce: enforced MFA and least-privilege guidelines for customers; stricter OAuth app review process.
- Drift/Salesloft: revoked compromised OAuth tokens and audited integrations; likely reviewing GitHub security and token management (unconfirmed).
- Affected companies: initiated credential rotation and access reviews; advised to rotate credentials and audit integrations.
- FBI: shared indicators of compromise (IOCs) for detection.
- Discord: vendor security audits. Red Hat: GitLab hardening and token rotation. Oracle: emergency patch deployment.
- Cross-industry: shared threat intelligence on ShinyHunters tactics.

Short-term
- Deploy behavioral analytics to detect anomalous access patterns and credential-based attacks.
- Conduct phishing/vishing simulations to test employee awareness.
- Implement network segmentation between cloud platforms.

Long-term
- Establish a third-party risk management program with regular vendor audits.
- Adopt a zero-trust architecture to limit lateral movement.
- Develop a supply-chain breach playbook for future incidents.
- Proactive zero-day patch management and exploit mitigation.
- Dark web monitoring for emerging threat-actor alliances; cross-sector collaboration to disrupt EaaS models.

Observed threat-actor response
- ShinyHunters declared no further reboots of BreachForums, suggesting a shift to decentralized or darker-web-only operations.
- Increased caution among cybercriminals regarding forum-based activities (perceived as 'honeypots'); potential migration of data-leak operations to more secure, less detectable platforms.
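The corrective action "audit and secure exposed secrets in Salesforce environments" and the recommendation to scan repositories with tools like TruffleHog rest on the same mechanism: pattern-match free text for credential shapes, report a redacted finding, and replace the secret before the text is stored or shared again. Below is an added example of that scan over support-case records. It is not Rankiteo's, Salesforce's or TruffleHog's code; the cases are constructed, the AWS key is the example key from AWS's own documentation (AKIAIOSFODNN7EXAMPLE), and the detector patterns are illustrative rather than a complete rule set.

```python
"""Added example: scan CRM free-text fields (support case subject/description)
for credential shapes, return redacted findings, and produce a cleaned copy of
the text so the field can be overwritten.

ASSUMPTIONS: records below are constructed; detectors are a small illustrative
set and will need tuning against real data before being relied upon.
"""
import re

# Each detector: name -> compiled pattern. A capture group, when present,
# isolates the secret itself so the redacted finding keeps only a short prefix.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}

# Constructed sample records; the key is AWS's documented example key.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Lambda deploy failing",
     "Description": "Here is our deploy user: aws_access_key_id=AKIAIOSFODNN7EXAMPLE, password=Winter2025!"},
    {"Id": "5002", "Subject": "MFA reset",
     "Description": "Please reset my authenticator, phone was lost."},
    {"Id": "5003", "Subject": "SFTP onboarding",
     "Description": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAdummy\n-----END RSA PRIVATE KEY-----"},
    {"Id": "5004", "Subject": "API 401s",
     "Description": "Request header was Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.dummy"},
]

TEXT_FIELDS = ("Subject", "Description")


def redact(value):
    """Keep a four-character prefix so a finding can be matched to a known
    credential without the full secret being copied into a ticket."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text):
    """Return (detector_name, redacted_match) for every hit in one string."""
    hits = []
    for name, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            hits.append((name, redact(secret)))
    return hits


def scan_records(records, fields=TEXT_FIELDS):
    """Scan the chosen text fields of each record; one finding per hit."""
    findings = []
    for rec in records:
        for field in fields:
            for name, masked in scan_text(rec.get(field, "")):
                findings.append({"id": rec["Id"], "field": field,
                                 "detector": name, "value": masked})
    return findings


def redact_text(text):
    """Replace every match with a marker so the field can be written back
    without the secret; the marker records which detector fired."""
    for name, pattern in DETECTORS.items():
        text = pattern.sub(lambda m, n=name: "[REDACTED:%s]" % n, text)
    return text


if __name__ == "__main__":
    for f in scan_records(SAMPLE_CASES):
        print(f["id"], f["field"], f["detector"], f["value"])
    print(redact_text(SAMPLE_CASES[0]["Description"]))
```

Treat every finding as a credential to rotate, not just to delete: the rotation is what removes the exposure, and the redaction only stops the next reader of the case from seeing it.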

CVE

Latest Global CVEs (Not Company-Specific)

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password: by default it is a 6-digit numeric value (the app_password parameter), which can be brute forced. Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.

Risk Information
cvss4
Base: 6.9
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.

Risk Information
cvss3
Base: 9.4
Severity: CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description

Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to a read-only bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.

Risk Information
cvss3
Base: 8.2
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Description

Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.

Risk Information
cvss3
Base: 8.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.1 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

Risk Information
cvss3
Base: 5.4
Severity: MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=salesforce' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

- Incident
- Finding
- Grade
- Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.