Billion Records Stolen in Salesforce Customer Database Hacks

A massive cybercrime consortium took credit for stealing roughly 1 billion customer records from businesses that used Salesforce-hosted databases to keep their files, and the way cops say they did it was painfully simple: They’d place calls to company employees, pretend to be with IT, and talk those workers into granting them access.

It’s not clear what type of information got stolen in any of these instances; a rep for Salesforce’s security team is pointing to its contract with customers in declining comment on the matter.

Investigators say the attack deployed voice phishing, or vishing, then exploited Salesforce’s own data-exporting features to haul off huge volumes of information.

Dozens of brands were named by the attackers, who threatened to release material unless they’re paid, according to a review of the group’s leak site on the dark web by security researchers. A few organizations have already confirmed compromises of their Salesforce-integrated systems, and others are named on the list but have yet to comment publicly.

How attackers used vishing to mass-export Salesforce data

Threat actors called employees and corporate help desks, posing as corporate IT personnel, according to an FBI FLASH alert and Google security researchers. After persuading someone to reset a password or MFA method, they logged in as the real account holder and used built-in export tools and APIs to extract data en masse.

This was not a loophole in Salesforce software. It was classic social engineering followed by genuine functionality deployed for illegitimate purposes. With legitimate login details and new sessions, the attackers would open exports of leads, contacts, cases, and more objects without triggering obvious alarms.

The alliance behind the campaign and its participants

Resecurity ties this to a newly named alliance dubbed Scattered Lapsus$ Hunters, comprising personnel and tactics from Scattered Spider, Lapsus$, and ShinyHunters.

The teams include:

• Scattered Spider operators, who excel at initial access and social engineering
• ShinyHunters workers specializing in data theft and leaks
• Lapsus$ extortionists — a potent division of labor when mounting high-profile raids

Several companies have reported incidents involving Salesforce-integrated systems. Allianz Life said 1.4 million customers had been impacted and that names and Social Security numbers were exposed, and it offered identity protection to victims. TransUnion said personal information for approximately 4.4 million members, including names and Social Security numbers, was accessed. Other big names listed on the leak site included FedEx, Hulu, and Toyota — none of which have publicly reported breaches.

The simple help-desk trick that enabled massive theft

It’s the playbook, just better rehearsed. Attackers call the help desk, saying someone has an emergency issue and needs their password reset or MFA replaced for a remote user or executive. They might drop an internal buzzword sponged from LinkedIn or past breaches, and they frequently push after hours when staffing is thin.

With credentials in tow, the intruders log into Salesforce via SSO or direct login and take straightforward steps like running standard exports, making Data Loader jobs, or executing Bulk API pulls. Since these are standard administrative activities, they can be lost in the background noise of normal traffic unless organizations look for discrepancies in volume (such as high-volume transactions), after-hours access, or irregular IP addresses.

Salesforce denies a breach and warns of credential theft

Salesforce noted that it had received reports of extortion attempts related to customer incidents but said there was no indication that the platform itself had been compromised or that any product vulnerability had been exploited. The company says it is working with affected customers and emphasizes that the attackers leveraged hijacked credentials, not a compromise of Salesforce infrastructure.

What types of customer data may have been compromised

Stolen datasets differ from company to company, but generally include common contact details, and in some cases, more sensitive identifiers.

• Names
• Email addresses
• Phone numbers
• Physical addresses
• Social Security numbers (in some incidents)

For consumers, that raises risks of identity theft and targeted phishing. For businesses, it reveals pipeline information and support histories, as well as partner information that could be involved in post-fraud.

Why vishing-led social engineering attacks are surging

Voice-led social engineering is surging. CrowdStrike’s new Global Threat Report noted a 442% increase in vishing attacks in the second half of the year compared to the first, including many cases where attackers posed as IT to reset MFA and take over cloud accounts. The lesson, plain and simple: phishing-resistant authentication is near-meaningless if a phone call can reduce the protections.

Immediate steps to harden Salesforce and help desks

• Harden account recovery. Ensure strong out-of-band verification for password and MFA resets — for example, government ID checks, secure video verification, and call-backs to numbers on file. Don’t allow resets using only inbound calls, especially after hours.
• Roll out phishing-resistant MFA for Salesforce and SSO, prioritizing FIDO2/WebAuthn security keys over SMS or voice codes.
• Apply device trust and conditional access to prohibit unknown locations and unmanaged devices.
• Restrict data export. Limit access to Data Export, Data Loader, report exports, and Bulk API to only a few selected admins. Disable weekly and monthly exports, and use field-level security to keep sensitive identifying fields out of general reports.
• Monitor for abuse. Send Salesforce event logs — especially login anomalies, new MFA enrollments, password resets, and data export events — to a SIEM. Configure alerts for unusual volumes, after-hours access, and abrupt permission changes, then investigate right away.
• Train for vishing. Provide employees with specific scripts for how to legitimize internal callers, publish the numbers of known help desk lines, and allow staff to hang up and call back. Regularly practice drills that include phone-based social engineering, not just email phishing.

If you’re a consumer affected

If you’re a consumer who has been alerted to exposure, consider freezing your credit with major bureaus, turning on account alerts, and treating unsolicited phone calls and emails — particularly those that include real personal details — as potential bait.

The takeaway is uncomfortable but with implications: An attacker didn’t need a zero-day to steal a billion records. They merely needed a telephone, a good script, and lax verification. Close the help-desk gap, and you close the portal they walked through.