ShinyHunters, a prolific cybercrime crew, is attempting to ransom one billion customer records from organizations purportedly utilizing Salesforce, according to security analysts following the group. The threat actors have published a dark-web extortion site and are threatening to release the data unless payment demands are made to Salesforce or its customers.
What the Hackers Claim and What We Know So Far
The group’s leak site, according to security analysts, identifies a number of major brands victimized and advertises unrestricted troves of Salesforce-hosted data. As TechCrunch first indicated, the landing page makes references to data from top companies and uses the term “a much larger number of customers” several times. It claims that one hundred million records have been loaded into the “database” and that millions more are on the way. Although the totals are challenging to ascertain, the dimension — whether or not it is close to that scavenger hunt — would likely be one of the largest to focus on SaaS extortion up to now.
Additionally, a few organizations have already disclosed facts regarding Salesforce-related data events in recent days, indicating that more CRM data was leaked. Concurrently, the operators of the extortion site have instructed companies to contact them if they wish to avoid existing threats, following the double-extortion model.
Salesforce Response and the Evidence Observed So Far
“We’ve been tracking this issue and sharing details with law enforcement to help disrupt this malicious activity,” Salesforce said in a statement, adding that its investigation with external experts and the authorities had seen no evidence of the company’s platform or technology being breached. The company’s advisory highlights social engineering and phishing as probable causes of recent activity, and promises support to those end users impacted.
That stance echoes a trend observed across SaaS incidents: the attack surface is frequently identities, tokens, or misconfigured integrations — not the platform itself.
CISA and industry responders have repeatedly warned about sophisticated actors who combine help-desk social engineering, MFA fatigue, and token theft to pivot into cloud applications without ringing obvious alarms.
Who Are ShinyHunters and Why We Care Right Now
ShinyHunters has a track record of high-profile data theft, followed by monetization on dark-web markets and so-called extortion portals, where victims have the chance to pay for the nonrelease or destruction of their own data. Also today, ahead of the coming week’s content boost to Crypto Capitals’ weekly magazine, we’re stuck on Bad_DoerZ. The group has been tied by researchers to hulking credential and customer-data leaks and was an audible voice during Snowflake-adjacent ransackings at several enterprises. Even where attribution remains a matter of dispute — other aliases such as Lapsus$ and Scattered Spider circulating in the same ecosystem — the operational playbook is strikingly consistent: steal data, name victims, demand payment fast.
If the group does hold a large amount of Salesforce data, the fallout is severe. CRMs centralize meaningful information around valuable customers including contact information, deal history, support interactions, and potentially sensitive notes. Exposure at that layer allows for secondary fraud, highly targeted phishing, and partner supply-chain attacks that can resonate well outside the list of original victims.
How a Billion Records Might Be Stitched Together
There are several credible ways to assemble mass data collection without breaking into Salesforce directly.
- Steal credentials through phishing campaigns.
- Grab a browser session token to bypass authentication.
- Social-engineer support staff into resetting MFA.
- Leverage lightly controlled connected applications.
Once a wide-open account is breached, the script exports via REST or Bulk APIs are happy to pull down large datasets quietly and at scale — especially if your API rate limits are lax and you don’t have good monitoring on egress traffic.
Third-party integrations are another common point of exposure. Linked apps might have retained old OAuth tokens and reauthorization handling that survives a password change. Profile and permission set misconfigurations allow read permissions across the objects where leads, opportunities, and cases are stored. As we saw elsewhere with SaaS incidents, a single overprivileged integration account can mean millions of rows of data disappear in minutes.
The Risk Math of One Billion Exposed Records
Even if the top-line number is exaggerated — threats of harm are a common extortion technique — the risk gradient is still steep. Security organizations usually measure breach blast radius by uniqueness, sensitivity, and exploitability. CRM records hit all three of those boxes: “unique” identifiers (emails, phone numbers), business context (deals, support cases), and immediate value for social engineering. The Verizon Data Breach Investigations Report has routinely discovered that people are a factor, and these sets superpower the relationship.
What Should Companies That Use Salesforce Do Now?
- Assume some exposure and verify; don’t wait for a listing.
- For all Salesforce tenants and connected apps, rotate secrets and revoke any inactive OAuth tokens.
- Make Sarbanes-Oxley–mad happy — mandate phishing-resistant MFA (FIDO2/WebAuthn) via SSO, turn off legacy authentication flows, and require step-up auth for sensitive actions.
- Constrain data egress: allowlist API access to specific IPs, set sane API rate limits, and alert on unusual exports or large report runs.
- Review permission sets, adhere to least privilege, protect high-value objects, and enable field-level encryption where applicable. Salesforce Shield and Event Monitoring can help expose atypical login locations, token reuse, or bulk data downloads.
- Prepare for downstream abuse. Coordinate takedown and response playbooks with marketing, legal, and customer care; pre-draft notifications; and stand up brand protection against phishing using leaked data. Collaborate with law enforcement and disseminate indicators through trusted channels for quicker containment across your partner ecosystem.
The nutshell: Whether the billion-record claim will ultimately prove to be exact or exaggerated, the campaign calls attention to an elemental truth about SaaS security. The platform might be battle-hardened, but those other things — identity, integrations, and data governance — are a soft underbelly, and that’s where ShinyHunters is focused.