Lessons From the Salesforce Ransomware Threat About Third-Party App Security

Mirror Review

October 09, 2025

Salesforce is facing a significant cybersecurity threat from a ransomware group called Scattered Lapsus$ Hunters.

This group claims to have stolen nearly 1 billion records from Salesforce customer databases by exploiting vulnerabilities in third-party applications integrated with Salesforce, rather than breaching Salesforce’s own systems.

The stolen data from the Salesforce ransomware threat includes sensitive customer information such as names, contact details, birth dates, meal preferences, and frequent flyer numbers. Moreover, the group is threatening to release this data unless a ransom is paid.

Salesforce has firmly rejected these ransom demands, stating that it will not engage with or pay the threat actors.

The company emphasizes that the alleged data theft stems from breaches of third-party applications, not from any compromise of Salesforce’s own platform.

How Third-Party Apps Were Exploited in the Salesforce Ransomware Threat

The hacker group Scattered Lapsus$ Hunters is a coalition of previously known groups, including Lapsus$, Scattered Spider, and ShinyHunters. They have been involved in various cyberattacks.

In the case of the Salesforce ransomware threat, the attackers exploited OAuth token vulnerabilities in the Drift integration.

  • OAuth tokens are used to grant third-party applications access to Salesforce data without exposing user credentials.
  • However, if these tokens are compromised, attackers can gain unauthorized access to sensitive data.
  • The attackers employed social engineering tactics, such as vishing, to trick employees into granting access to these third-party applications.
  • Once access was obtained, the attackers used the compromised OAuth tokens to extract data from Salesforce instances.

Salesforce’s Response to the Ransomware Attack

  • October 2, 2025: Salesforce issued a security advisory alerting customers about social engineering attacks exploiting third-party integrations.
  • October 3, 2025: The hacker group claimed responsibility for stealing nearly 1 billion records. Salesforce clarified that its platform itself was not breached.
  • October 7, 2025: Salesforce sent a client alert warning about the potential public release of stolen data.
  • Ongoing: The company is actively monitoring systems, collaborating with law enforcement, and advising customers to strengthen security on third-party apps.

Salesforce emphasizes transparency and continues to enhance its security measures to prevent future incidents.

What Organizations Can Do to Stay Safe

The Salesforce ransomware threat highlights how critical it is to secure not just your main platform, but also every third-party app connected to it. Organizations can take several steps to minimize risk:

1. Audit and Manage Third-Party Applications

Regularly review all third-party applications integrated with your Salesforce instance. Identify which apps have access to sensitive data and remove any that are unnecessary.

  • Example: The attackers exploited the Drift integration through Salesloft. Organizations that regularly audit integrations might have detected unusual access permissions before data could be exfiltrated.
  • Tip: Use Salesforce’s built-in “Connected Apps” and “Permission Sets” tools to track and control access rights.
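One way to run the audit described in step 1, as an added example that is not part of the original article or any Salesforce tooling: it reviews an inventory of OAuth grants per connected app and flags unapproved apps, the broad "full" scope, and tokens nobody has used recently. The CSV column names, the sample rows and the approved-app list are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions, not a Salesforce export schema.
INVENTORY_CSV = """app_name,user,scopes,last_used,use_count
Chat Widget,integration.svc@example.com,api refresh_token full,2025-09-30,48211
Data Loader,admin@example.com,api,2025-10-01,932
Old Survey Tool,marketing@example.com,api refresh_token,2025-03-14,12
Calendar Sync,j.doe@example.com,api refresh_token,2025-10-02,77
"""

APPROVED_APPS = {"Chat Widget", "Data Loader", "Old Survey Tool"}  # hypothetical allowlist
BROAD_SCOPES = {"full"}   # OAuth scope that grants everything the user can reach
STALE_AFTER_DAYS = 90     # assumed review threshold


def audit_tokens(csv_text, today):
    """Return {(app, user): [reasons]} for every grant that needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        scopes = set(row["scopes"].split())
        if row["app_name"] not in APPROVED_APPS:
            reasons.append("app not on approved list")
        if scopes & BROAD_SCOPES:
            reasons.append("broad scope: " + ",".join(sorted(scopes & BROAD_SCOPES)))
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > STALE_AFTER_DAYS:
            # A long-lived token nobody uses adds exposure and no value.
            reasons.append(f"unused for {idle} days")
        if reasons:
            findings[(row["app_name"], row["user"])] = reasons
    return findings


if __name__ == "__main__":
    for (app, user), reasons in audit_tokens(INVENTORY_CSV, date(2025, 10, 9)).items():
        print(f"{app} / {user}: " + "; ".join(reasons))
```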

2. Implement Strong Authentication Practices

Enforce multi-factor authentication (MFA) for all users accessing Salesforce and third-party integrations. MFA adds an extra layer of protection beyond passwords, reducing the risk of account takeover.

  • Example: If the compromised OAuth tokens had been tied to MFA-protected accounts, attackers would have faced an additional barrier.
  • Tip: Use SSO (Single Sign-On) solutions where possible to centralize authentication and simplify MFA enforcement.

3. Educate Employees About Social Engineering Attacks

Attackers often rely on human error to gain access. Regularly train employees on vishing, phishing, and other social engineering tactics.

  • Example: Scattered Lapsus$ Hunters reportedly used vishing to trick employees into granting access to third-party applications.
  • Tip: Simulate phishing campaigns within your organization to reinforce learning and improve response times.

4. Monitor and Respond to Unusual Activity

Implement real-time monitoring for suspicious behavior in Salesforce and connected apps. Look for unusual logins, large data exports, or unexpected permission changes.

  • Example: A sudden spike in data downloads from a single integration could indicate a compromised token.
  • Tip: Establish an incident response plan detailing immediate steps, internal communication, and law enforcement contact points.
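The "sudden spike from a single integration" check in step 4 can be expressed as a per-app baseline comparison. The sketch below is an added example, not code from the article or from Salesforce: it compares each hour's record volume with the median of that same integration's earlier hours. The CSV columns, sample values and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed hourly totals per integration; column names are assumptions.
HOURLY_CSV = """hour,connected_app,rows_returned
2025-10-01T09,Chat Widget,1200
2025-10-01T10,Chat Widget,1350
2025-10-01T11,Chat Widget,1100
2025-10-01T12,Chat Widget,1275
2025-10-01T13,Chat Widget,1300
2025-10-01T14,Chat Widget,96000
2025-10-01T09,CRM Sync,5000
2025-10-01T10,CRM Sync,5200
2025-10-01T11,CRM Sync,4900
2025-10-01T12,CRM Sync,5100
2025-10-01T13,CRM Sync,5050
2025-10-01T14,CRM Sync,5300
"""
MIN_HISTORY = 4   # hours of baseline required before judging an app
K = 6             # spreads above the median that count as a spike


def find_spikes(csv_text):
    """Return [(hour, app, rows, threshold)] where volume exceeds the app's own baseline."""
    series = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        series[row["connected_app"]].append((row["hour"], int(row["rows_returned"])))
    spikes = []
    for app, points in series.items():
        points.sort()
        for i, (hour, rows) in enumerate(points):
            history = [r for _, r in points[:i]]
            if len(history) < MIN_HISTORY:
                continue  # not enough baseline yet
            med = median(history)
            mad = median(abs(r - med) for r in history)
            # Floor the spread so a perfectly flat baseline does not flag tiny changes.
            spread = max(mad, 0.1 * med)
            threshold = med + K * spread
            if rows > threshold:
                spikes.append((hour, app, rows, round(threshold)))
    return spikes


if __name__ == "__main__":
    for hour, app, rows, limit in find_spikes(HOURLY_CSV):
        print(f"{hour} {app}: {rows} rows (limit {limit})")
```

Comparing each integration only against its own history keeps a busy but steady sync job from being flagged while a normally quiet app that suddenly pulls tens of thousands of records stands out.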

5. Collaborate with Security Experts

Partner with cybersecurity professionals to evaluate your Salesforce environment, third-party apps, and overall cloud ecosystem. Regular security audits and penetration tests can uncover vulnerabilities before attackers exploit them.

  • Tip: Consider a bug bounty program or external vulnerability assessment to continuously test your defenses.
  • Tip: Stay updated with Salesforce’s Security Advisories for emerging threats and patches.

Conclusion

The Salesforce ransomware threat shows that no organization is too big to be targeted. Even the most secure, well-resourced companies can face massive risks if small mistakes occur, like granting excessive access to third-party apps or falling for social engineering tactics.

Moreover, businesses must treat every integration as a potential vulnerability.

The lesson is clear: cybersecurity is only as strong as its weakest link, and overlooking small vulnerabilities can have enormous consequences even for the world’s biggest companies.

Maria Isabel Rodrigues
