Dark Web News Analysis
A hacker group calling itself “Scattered LAPSUS$ Hunters” has begun leaking a massive trove of data they claim was stolen from the cloud software giant Salesforce and its extensive customer base. The data release was reportedly initiated after a ransom deadline passed without payment. The group’s stated method of compromise is a sophisticated social engineering campaign that targeted employees with voice phishing (vishing). This technique was used to trick employees into approving malicious third-party application authentications, allowing the attackers to bypass Multi-Factor Authentication (MFA) and gain persistent access tokens to the Salesforce environment. The leaked data is said to include sensitive PII, confidential strategic business records, and data from over 100 different customer Salesforce instances.
This incident represents a supply-chain attack of the highest order. By breaching a central SaaS provider like Salesforce, attackers gain access to the “crown jewels” of countless other companies who rely on the platform to manage their most sensitive customer relationships, sales pipelines, and strategic operations. The leak of data from over 100 customer instances means that confidential business records and customer PII from a wide range of industries are now exposed. The attack vector is also highly significant, as it demonstrates that even well-implemented MFA can be defeated by skilled social engineers targeting the human element—a tactic that many organizations are not adequately prepared to defend against.
Key Cybersecurity Insights
This attack highlights several critical trends in the modern threat landscape:
- Social Engineering Bypassing Multi-Factor Authentication (MFA): This attack is a textbook example of how determined threat actors can circumvent modern technical security controls. By using high-pressure voice phishing (vishing) to trick employees, the attackers were able to get them to approve an MFA prompt for a malicious application. This effectively weaponizes the legitimate security process against itself to gain unauthorized access.
- Third-Party Application Risk as a Critical Attack Surface: The compromise was not of Salesforce’s core infrastructure, but of its interconnected ecosystem. The attackers targeted third-party application integrations, using the OAuth protocol to gain persistent access tokens. This underscores the immense risk posed by the web of SaaS applications and the critical need for rigorous security vetting of all third-party integrations.
- Widespread Breach of Strategic Business Data and Customer PII: The impact of this breach extends far beyond Salesforce to its vast customer base. The leaked data includes not only customer PII (leading to privacy violations and fraud risk) but also highly sensitive strategic business records. Competitors or other malicious actors could use this data for corporate espionage, to poach clients, or to disrupt sales and marketing operations.
Mitigation Strategies
In response to this evolving threat, all organizations, especially those using large SaaS platforms like Salesforce, must take proactive defensive measures:
- Implement Advanced, Vishing-Specific Security Awareness Training: Standard phishing training is no longer sufficient. Employees must be specifically trained to recognize and resist high-pressure social engineering tactics like vishing and MFA fatigue attacks. This training must include clear protocols for independently verifying any unexpected requests for MFA approval or application authorization through a separate, trusted communication channel (e.g., an internal chat message to the IT security team).
- Conduct a Rigorous Audit of All Third-Party Application Integrations: All Salesforce customers must immediately conduct a thorough security audit of every third-party application connected to their environment. The principle of least privilege must be rigorously enforced, granting applications only the absolute minimum permissions and data access they require to function. Any unused, overly permissive, or unrecognized applications should have their access revoked immediately.
- Strengthen Identity and Access Management (IAM) Controls: Companies should accelerate the adoption of stronger, phishing-resistant MFA methods, such as FIDO2/WebAuthn security keys, which are resistant to prompt bombing and credential phishing. Additionally, conditional access policies should be implemented to scrutinize and potentially block or flag authentication attempts from unusual locations, networks, or devices.
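As an added example (not code from the post, Brinztech, or Salesforce), the following script performs the least-privilege audit described in the second mitigation: it walks an inventory of connected-app OAuth grants and flags those that are unrecognized, over-scoped, or idle for revocation. The records are constructed; their fields are assumed to mirror what an administrator would export from Salesforce's OauthToken object or the Connected Apps OAuth Usage page.

```python
from datetime import date

# Constructed sample OAuth grants (assumed field set, not a real export).
TOKENS = [
    {"app": "Slack", "user": "a.lee@example.com",
     "scopes": {"api", "refresh_token"}, "last_used": date(2025, 10, 1)},
    {"app": "DocuSign", "user": "b.ng@example.com",
     "scopes": {"api", "refresh_token", "full"}, "last_used": date(2025, 10, 5)},
    {"app": "Data Loader 2", "user": "c.ortiz@example.com",
     "scopes": {"api", "refresh_token"}, "last_used": date(2025, 10, 8)},
    {"app": "Slack", "user": "d.kim@example.com",
     "scopes": {"api"}, "last_used": date(2025, 5, 1)},
]

# Allowlist of vetted apps and the maximum OAuth scopes each may hold.
APPROVED = {"Slack": {"api", "refresh_token"}, "DocuSign": {"api"}}
REVIEW_DATE = date(2025, 10, 10)  # date the audit is run (constructed)


def audit(tokens, approved, today, max_idle_days=90):
    """Return (app, user, action, reasons) for every grant needing attention."""
    findings = []
    for t in tokens:
        reasons, action = [], "review"
        allowed = approved.get(t["app"])
        if allowed is None:                    # nobody vetted this app
            reasons.append("app not on allowlist")
            action = "revoke"
        else:
            extra = t["scopes"] - allowed      # scopes beyond what was approved
            if extra:
                reasons.append("excess scopes: " + ",".join(sorted(extra)))
        if "full" in t["scopes"]:              # "full" grants every permission
            reasons.append("full scope")
            action = "revoke"
        if (today - t["last_used"]).days > max_idle_days:
            reasons.append("idle > %d days" % max_idle_days)
            action = "revoke"
        if reasons:
            findings.append((t["app"], t["user"], action, reasons))
    return findings


if __name__ == "__main__":
    for app, user, action, reasons in audit(TOKENS, APPROVED, REVIEW_DATE):
        print(f"{action:6} {app:14} {user:22} {'; '.join(reasons)}")
```

A grant that is on the allowlist but carries extra scopes is marked "review" rather than "revoke", since the app itself is vetted and only its permissions need tightening.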
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For new inquiries or to report this post, please email us: contact@brinchtech.com