Salesforce Under Fire as Hackers Claim Record-Breaking Data Theft

 


Almost 1 Billion Salesforce Records Stolen, Group Asserts

A hacker collective calling itself “Scattered LAPSUS$ Hunters” has claimed to have exfiltrated nearly one billion records tied to Salesforce customers, alleging the data includes personally identifiable information.

While Salesforce maintains that its own systems were not breached, the attackers say they infiltrated customer environments through social engineering (specifically “vishing”—voice phishing) rather than exploiting a flaw in Salesforce’s platform itself.

How the Attack May Have Worked

  • The group claims it targeted companies using Salesforce software and used tactics such as impersonating IT staff over the phone to deceive personnel into granting access.
  • Attackers reportedly abused OAuth tokens and integration tools (for example, via Salesloft’s Drift) to pivot into victim organizations’ Salesforce environments.

The data said to be compromised reportedly spans names, dates of birth, contact information, identity document details, customer support records, and other sensitive fields.

Salesforce’s Position & Industry Reaction

Salesforce has stated that there is no evidence its core systems were compromised and that there is no known vulnerability in its technology tied to the claims. The company also described the disclosures as “extortion attempts.”

Still, the scale and audacity of the claims have stirred alarm in cybersecurity circles. Some analysts see this as an evolution in SaaS-targeted supply chain attacks, where threat actors exploit trust relationships and third-party integrations rather than conventional system vulnerabilities.

Risks, Impacts & Legal Exposure

  • Reputational fallout and regulatory risk loom large: if the claims are valid, affected firms may face scrutiny under data protection laws (e.g., GDPR).
  • Litigation is becoming likely. Salesforce and the companies implicated can expect lawsuits from customers or regulators over failure to protect personal data.
  • Identity theft and fraud risks rise for individuals whose personal information was included in the breach.
  • Even if the claims are exaggerated, verifying their accuracy—or refuting them definitively—will be critical to restore trust.

What Affected Organisations Should Do

  1. Launch forensic investigations and external audits to validate whether data was accessed or exfiltrated.
  2. Assess all connected applications and integrations (OAuth, APIs, third-party services) for suspicious tokens or permissions.
  3. Enforce robust multi-factor authentication (MFA) and least-privilege access models.
  4. Alert customers and stakeholders transparently if exposure is confirmed.
  5. Collaborate with law enforcement and regulatory bodies.
  6. Monitor leaked data forums and dark web sites for signs of published content.
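
Step 2 can start from an inventory of OAuth grants held by connected apps. The Python script below is an added example, not part of the original article or any vendor tooling; the CSV column names, the allowlist, and the thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. Column names are assumptions for this example,
# not a vendor export format; adapt them to however your org lists OAuth grants.
SAMPLE_CSV = """app_name,user,scopes,created,last_used,use_count
Drift,integration.svc@example.com,full refresh_token,2025-03-01,2025-08-10,48211
Billing Connector,billing.svc@example.com,api,2025-01-05,2025-08-09,912
Marketing Sync,mkt.svc@example.com,api,2024-01-15,2024-02-01,37
Report Exporter X,asmith@example.com,full refresh_token,2025-08-08,2025-08-10,5300
"""

APPROVED_APPS = {"Drift", "Billing Connector", "Marketing Sync"}  # assumed allowlist
STALE_AFTER = timedelta(days=90)  # unused grants are revocation candidates
NEW_WINDOW = timedelta(days=7)    # what counts as "recently authorized"
HIGH_USE = 1000                   # assumed request threshold for a new grant


def audit_tokens(csv_text, today):
    """Return {(app_name, user): [reasons]} for every grant that needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        scopes = set(row["scopes"].split())
        created = date.fromisoformat(row["created"])
        last_used = date.fromisoformat(row["last_used"])

        if row["app_name"] not in APPROVED_APPS:
            reasons.append("app not on approved list")
        if {"full", "refresh_token"} <= scopes:
            reasons.append("full access with long-lived refresh token")
        if today - last_used > STALE_AFTER:
            reasons.append("stale grant, revoke")
        if today - created <= NEW_WINDOW and int(row["use_count"]) > HIGH_USE:
            reasons.append("new grant with high request volume")

        if reasons:
            findings[(row["app_name"], row["user"])] = reasons
    return findings


if __name__ == "__main__":
    for (app, user), reasons in audit_tokens(SAMPLE_CSV, date(2025, 8, 11)).items():
        print(f"{app} ({user}): {'; '.join(reasons)}")
```

An approved integration can still be flagged: a broad scope paired with a refresh token is worth narrowing even when the app itself is sanctioned.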

Conclusion

Even if Salesforce’s core systems remain intact, this incident underscores a deeper vulnerability: the human and integration surface. Attackers who weaponize empathy, trust, and complex system interdependencies can make devastating inroads. Whether or not the claimed “almost 1 billion records” figure is accurate, organizations must recalibrate their defense posture—focusing not merely on patching code, but on securing trust and connectivity across the digital supply chain.

