Full Report
An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. [...]
Analysis Summary
# Incident Report: ShinyHunters Salesforce Data Extortion Campaign
## Executive Summary
The extortion group "Scattered Lapsus$ Hunters" (claiming association with ShinyHunters, Scattered Spider, and Lapsus$) publicly launched a data leak site targeting 39 companies whose Salesforce data was previously compromised. The attackers primarily gained access by tricking employees into authorizing malicious OAuth applications connected to Salesforce instances. The group is attempting to extort the victim organizations individually and is also demanding a ransom from Salesforce itself to prevent the leak of approximately 1 billion records.
## Incident Details
- Discovery Date: October 3, 2025 (Date the leak site was launched/publicly known)
- Incident Date: Attacks occurring throughout the year leading up to the disclosure, though specific initial compromise timing is not detailed.
- Affected Organization: 39 named companies, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, and others.
- Sector: Various (Retail, Technology, Hospitality, Logistics, etc.)
- Geography: Global (Implied, based on victim list)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing throughout the year leading up to October 2025.
- Vector: Social engineering, specifically **voice phishing attacks** combined with tricking employees into granting permissions to a malicious **OAuth application** linked to the company's Salesforce instance.
- Details: Employees were convinced to authorize the malicious OAuth app, which granted the attackers the permissions needed to access the Salesforce environment.
### Lateral Movement
- Details: Not explicitly detailed in the context provided, but subsequent access to company databases and data exfiltration occurred following the establishment of access via the compromised OAuth link.
### Data Exfiltration/Impact
- Details: Attackers stole company databases from the compromised Salesforce instances. Allegedly, this incident is related to a broader campaign resulting in the theft of up to 1 billion Salesforce records across many victims.
### Detection & Response
- Date/Time: Attackers claim victims were contacted "long ago" via email regarding the breach. Public disclosure occurred when the data leak site was launched on October 3, 2025, after victims ignored initial contact.
- Details: Victims were reportedly contacted via email, and samples of the stolen data were provided. The response from victims has largely been silence, prompting the public extortion site launch with an October 10 deadline.
## Attack Methodology
- Initial Access: Malicious OAuth application authorization (gained via social engineering/voice phishing).
- Persistence: Not specified, but access was maintained long enough to exfiltrate large volumes of data.
- Privilege Escalation: Not specified, but initial access via OAuth provided high-level access to data within Salesforce.
- Defense Evasion: Attackers relied on legitimate-looking OAuth flows to gain access without immediately triggering traditional network defense alerts.
- Credential Access: Likely obtained via the authorized OAuth session or subsequent access to exposed credentials within the Salesforce environment.
- Discovery: Internal reconnaissance of the accessed Salesforce environment to identify valuable databases.
- Lateral Movement: Not specified beyond the initial environment access granted by the OAuth token.
- Collection: Exfiltration of company databases from Salesforce instances.
- Exfiltration: Data was likely transferred out following collection, leading to samples being posted on the extortion site.
- Impact: Data exposure, extortion threats, and potential subsequent legal action against Salesforce itself (due to GDPR non-compliance claims).
## Impact Assessment
- Financial: Extortion demands being made against 39 companies plus Salesforce itself. Potential civil/commercial lawsuits against Salesforce mentioned.
- Data Breach: Approximately 1 billion records allegedly stolen in the wider campaign. Stolen data includes sensitive information from the victims' Salesforce environments.
- Operational: Threat of public disclosure following an October 10 deadline suggests significant operational disruption if data is released.
- Reputational: Inclusion of major brands (FedEx, Google, Marriott, etc.) on the leak site severely impacts organizational reputation.
## Indicators of Compromise
- Network indicators: Not provided (URLs and IPs were not disclosed).
- File indicators: Not provided.
- Behavioral indicators: Authorization of an unknown or unapproved external OAuth application against a Salesforce instance, followed by unusual data export activity from the same user or connected app.
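As an added example (not from the article and not from any tooling described in it), the Python below correlates the behavioral indicator above: an authorization of a connected app outside an allow-list, followed within a time window by heavy export activity from the same user. The log format, user and app names, and thresholds are constructed for illustration and are not Salesforce's real event schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # "oauth_authorize" or "export"
    detail: str    # app name for oauth_authorize, row count for export

def parse_line(line: str) -> Event:
    # Constructed format: ISO-timestamp,user,kind,detail (not a real Salesforce log line)
    ts, user, kind, detail = line.strip().split(",", 3)
    return Event(datetime.fromisoformat(ts), user, kind, detail)

def find_suspicious_authorizations(lines, approved_apps, window_hours=24, row_threshold=100_000):
    """Return [(user, app, rows_exported)] for every authorization of a connected app
    that is not on the allow-list and is followed, within the window, by exports from
    the same user totalling at least row_threshold rows."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    window = timedelta(hours=window_hours)
    hits = []
    for auth in events:
        if auth.kind != "oauth_authorize" or auth.detail in approved_apps:
            continue
        rows = sum(int(e.detail) for e in events
                   if e.kind == "export" and e.user == auth.user
                   and auth.ts <= e.ts <= auth.ts + window)
        if rows >= row_threshold:
            hits.append((auth.user, auth.detail, rows))
    return hits

# Constructed sample log; user names, app names and volumes are illustrative only.
SAMPLE_LOG = """\
2025-09-02T09:05:00,alice,oauth_authorize,Data Loader
2025-09-02T09:30:00,alice,export,4000
2025-09-03T14:10:00,bob,oauth_authorize,Support Helper Tool
2025-09-03T14:25:00,bob,export,250000
2025-09-03T16:40:00,bob,export,180000
2025-09-04T10:00:00,carol,export,300000
"""
APPROVED_APPS = {"Data Loader"}   # hypothetical allow-list of vetted connected apps

if __name__ == "__main__":
    for user, app, rows in find_suspicious_authorizations(SAMPLE_LOG.splitlines(), APPROVED_APPS):
        print(f"ALERT: {user} authorized unapproved app '{app}' then exported {rows} rows")
```

Carol's large export is not flagged on its own because no new app authorization precedes it; the signal the indicator describes is the pairing of the two events.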
## Response Actions
- Containment: Victims were reportedly contacted individually prior to the public leak.
- Eradication: Not specified, but likely involves revoking the malicious OAuth application permissions and reviewing related user accounts.
- Recovery: Not specified, beyond the deadline given for victims to negotiate.
## Lessons Learned
- Insider risk remains high, particularly when social engineering targets authorized access mechanisms (like OAuth).
- Organizations must have robust processes for immediately responding to data exfiltration alerts or direct extortion notifications.
- OAuth application authorizations must be tightly governed and regularly audited, as they represent a powerful form of persistent backend access.
## Recommendations
- Implement stringent controls requiring multi-factor authentication (MFA) for all user sessions, and, where possible, extend those controls to sessions established through authorized third-party OAuth tokens.
- Conduct regular security training focused specifically on voice phishing and the dangers of linking unknown or untrusted third-party applications to core cloud services like Salesforce.
- Establish playbooks for immediate access revocation (e.g., disabling or revoking problematic OAuth tokens) as soon as a suspected compromise is reported.