A hacking group has released millions of records allegedly stolen from Salesforce customers, according to reports.
This marks a new phase in a months-long campaign of extortion, social engineering, and data theft that has targeted major global brands.
What Has Happened?
The group – believed to be a splinter of the ShinyHunters/Scattered Spider/LAPSUS$ collective (tracked as UNC6240) – claimed in late September to have breached 39 Salesforce customers, demanding ransom from both Salesforce and the affected companies.
Salesforce has reportedly refused to pay, stating to Salesforce Ben that the incidents relate to “past or unsubstantiated events”, insisting there is no evidence the Salesforce platform itself has been compromised.
This week, the hackers have apparently followed through on their threats, leaking data on their Tor-based site for six of the named victims: Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines.
According to breach-notification service Have I Been Pwned, roughly 7.3 million Vietnam Airlines accounts have appeared in the dump, with details including names, email addresses, phone numbers, birth dates, and loyalty-program IDs.
Qantas, which has previously warned that six million customers might have been affected after the attackers hit a third-party contact-center platform, has obtained a court injunction to block any distribution of the data as it investigates it with cybersecurity experts, according to reports.
A spokesperson from Salesforce told Salesforce Ben:
“We have nothing more to add at this time beyond our Trust post.
“Would emphasize per our statement – based on our investigation in partnership with external experts and authorities, our findings indicate these extortion attempts relate to past incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
How the Attacks Work
Salesforce Ben has reported throughout 2025 on a wave of social-engineering attacks exploiting human – rather than platform – vulnerabilities.
Attackers posing as Salesforce support staff or partner personnel phone English-speaking branches of multinational corporations, persuading employees to install a malicious imitation of Salesforce Data Loader. Once launched, the fake application grants the attackers OAuth-level access, allowing them to query and exfiltrate sensitive customer data directly from live Salesforce orgs.
Follow-up extortion attempts typically follow, with victims told their data will be leaked unless a ransom is paid. Many organizations refer only to a “third-party CRM” in public statements, but subsequent investigations have tied incidents at Adidas, Chanel, Allianz Life, Pandora, Workday, and Farmers Insurance back to Salesforce environments.
Salesforce has issued multiple advisories stressing that these attacks stem from credential theft and malicious connected apps – not from a breach of its infrastructure. On September 12, the FBI published a FLASH alert linking the threat activity to the groups UNC6050 and UNC6395, urging companies to audit OAuth connections and monitor for suspicious tokens.
The escalating fallout has already triggered 14 lawsuits naming Salesforce as a defendant, as well as renewed debate over the shared-responsibility model for SaaS security.
Final Thoughts
Amidst this ongoing wave of attacks, Salesforce Ben further advises all admins and org owners to audit connected apps immediately by:
- Identifying every app linked to your org and where it came from.
- Removing unused or unverified integrations.
- Limiting access scopes for those that remain.
- Disabling the ability for ordinary users to add connected apps without admin approval.
We’ve published a detailed guide on auditing connected apps and preventing OAuth abuse, which you can read here.
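The first two audit steps above (inventory every connected app and remove the unused or unverified ones) can be driven from the org's own OAuth token records. The following is an added example written for this article, not code from Salesforce Ben or Salesforce: it queries the standard OauthToken object and flags apps that are not on an admin-approved list or whose tokens have gone stale. The approved-app list, the sample records and the look-alike app names in the sample are constructed; in a real org the records come back from the REST query endpoint named in the comment.

```python
from datetime import datetime, timedelta, timezone

# SOQL against Salesforce's standard OauthToken object (one row per issued
# token). Run it via GET /services/data/vXX.0/query?q=<encoded SOQL>.
TOKEN_SOQL = ("SELECT Id, AppName, UserId, LastUsedDate, UseCount "
              "FROM OauthToken ORDER BY LastUsedDate")

# Assumption: the org has reviewed and approved exactly these connected apps.
# "Dataloader Bulk"/"Dataloader Partner" are the names the genuine Data
# Loader registers under; a phoned-in imitation shows up under another name.
APPROVED_APPS = {"Salesforce for iOS", "Dataloader Bulk", "Dataloader Partner"}

def parse_sf_datetime(value):
    # Salesforce returns ISO-8601 with milliseconds and a +0000 offset.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def triage_tokens(records, approved=APPROVED_APPS, now=None, stale_days=90):
    """Group OauthToken rows by app and list why each app needs attention.
    Returns {app_name: {"users": n, "tokens": n, "reasons": [...]}}."""
    now = now or datetime.now(timezone.utc)
    apps = {}
    for rec in records:
        entry = apps.setdefault(rec["AppName"], {"users": set(), "tokens": 0,
                                                  "last_used": None, "reasons": []})
        entry["tokens"] += 1
        entry["users"].add(rec["UserId"])
        used = parse_sf_datetime(rec["LastUsedDate"]) if rec.get("LastUsedDate") else None
        if used and (entry["last_used"] is None or used > entry["last_used"]):
            entry["last_used"] = used
    for name, entry in apps.items():
        if name not in approved:          # unverified integration: review or revoke
            entry["reasons"].append("not on approved list")
        if entry["last_used"] is None or now - entry["last_used"] > timedelta(days=stale_days):
            entry["reasons"].append(f"unused for >{stale_days} days")  # revoke
        entry["users"] = len(entry["users"])
        del entry["last_used"]
    return apps

# Constructed sample of the "records" array the query endpoint returns
# (user Ids, dates, counts and the two unapproved app names are made up).
SAMPLE_RECORDS = [
    {"AppName": "Dataloader Bulk", "UserId": "005xx000001A",
     "LastUsedDate": "2025-10-01T08:00:00.000+0000", "UseCount": 42},
    {"AppName": "Dataloader Bulk", "UserId": "005xx000001B",
     "LastUsedDate": "2025-09-28T17:30:00.000+0000", "UseCount": 7},
    {"AppName": "Data Loader Support Tool", "UserId": "005xx000001C",
     "LastUsedDate": "2025-10-09T23:10:00.000+0000", "UseCount": 913},
    {"AppName": "Legacy Sync Connector", "UserId": "005xx000001D",
     "LastUsedDate": "2025-05-01T09:00:00.000+0000", "UseCount": 3},
    {"AppName": "Salesforce for iOS", "UserId": "005xx000001A",
     "LastUsedDate": None, "UseCount": 0},
]

if __name__ == "__main__":
    for app, info in triage_tokens(SAMPLE_RECORDS, now=datetime(2025, 10, 10, tzinfo=timezone.utc)).items():
        print(f"{app}: {info['tokens']} token(s), {info['users']} user(s), {info['reasons'] or 'ok'}")
```

Apps flagged "not on approved list" are the ones to verify with the owning team and revoke if nobody claims them; a high UseCount on an unrecognised app is the pattern the bulk-export abuse described above would leave behind.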