Your customer data sitting in Salesforce isn’t as safe as you thought. Scattered LAPSUS$ Hunters—a cybercrime supergroup combining the worst of Lapsus$, Scattered Spider, and ShinyHunters—claims to have stolen between 1 and 1.5 billion records from over 50 organizations.
The hackers didn’t crack Salesforce itself. Instead, they played the oldest game in the book: tricking employees into handing over the keys. Through phishing calls and OAuth token theft, they waltzed into corporate Salesforce instances like they owned the place. Once inside, they used the platform’s own tools to vacuum up customer databases wholesale.
The Victims Read Like a Fortune 500 Directory
From Google to Toyota, no industry escaped the dragnet.
The casualty list spans every sector you can imagine. Google’s Ads CRM got hit. Disney and Hulu lost customer records. Toyota, FedEx, TransUnion, and Allianz Life all found their Salesforce data on a dark web extortion portal with an October 10 deadline.
The hackers aren’t just threatening to leak—they’re showcasing data samples like some twisted product catalog. This wasn’t random spray-and-pray hacking. The attackers systematically targeted high-value Salesforce customers, knowing that CRM systems contain the crown jewels: customer contact information, purchase histories, and internal sales notes that could fuel devastating follow-up attacks.
Salesforce Plays Defense While Enterprises Panic
The platform provider insists its security held—but that misses the point.
Salesforce maintains “there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” according to TechCrunch. Technically true, but it sidesteps the real problem: when your employees become the vulnerability, platform security becomes irrelevant.
The breach exposes how cloud-first strategies create new attack surfaces. Your data isn’t just sitting in one place anymore—it’s flowing through OAuth integrations, third-party apps, and employee devices that hackers can compromise through social manipulation. After their Telegram channel got banned, the group declared they were “going dark,” but cybersecurity experts warn this is likely just a rebrand.
The New Reality of Cloud Security
This changes how enterprises think about SaaS risk.
This incident marks a turning point. Attackers have figured out that breaching 50 Salesforce customers yields more data than hacking Salesforce itself. Expect mandatory multi-factor authentication, zero-trust policies, and OAuth security audits to become standard practice. Your cloud strategy just got a lot more complicated—and expensive.
