Stellantis Becomes Latest Target in Salesforce Data Breach

By Thomas Morgan

Automotive manufacturing giant Stellantis recently confirmed that it fell victim to an attack on its Salesforce instance, with the hackers stealing North American customer information.

This follows a wave of ongoing attacks on Salesforce instances, with hackers conducting social engineering operations to convince victims to download malicious third-party apps. 

Reports suggest that the ‘ShinyHunters’ are claiming to be behind the Stellantis attacks – a name also linked to the recent breaches at Google, Adidas, Allianz Life, Farmers Insurance, and more.

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.

Stellantis Hacks: What Happened?

On September 21, Stellantis released a statement acknowledging the incident, saying: “We recently detected unauthorized access to a third-party service provider’s platform that supports our North American customer service operations. 

“Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers.

“We encourage customers to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts, or calls. Customers with questions or who wish to verify communications should contact Stellantis directly through official channels.”

The company also stressed that the personal information involved in the breach was limited to contact information – the impacted platform does not store any financial or sensitive personal information, and none was accessed by the hackers.

According to BleepingComputer, Stellantis has been targeted by ‘ShinyHunters’, who are reportedly behind the ongoing Salesforce data breach.

Reports suggest that the group has been targeting Salesforce customers through vishing attacks, and that it used stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce to gain access to customers’ Salesforce instances and then obtain sensitive information, such as passwords, AWS access keys, and Snowflake tokens.

This has led to a recent flash warning issued by the FBI, which details some technical clues organizations should look for to identify whether the attackers are inside their Salesforce environment.

We have reached out to Stellantis for comment.

Final Thoughts

We must again stress that Salesforce themselves have not been compromised and there are no vulnerabilities in the core platform.

At this point, it seems fair to say that security should be at the forefront of every Salesforce Administrator’s mind right now. 

The Author

Thomas Morgan

Thomas is a Content Editor & Journalist at Salesforce Ben.
