Last week, the world’s fifth-largest automaker became the latest victim of the ongoing attack on corporate Salesforce instances.
Stellantis has provided little information, except to say that it occurred through a third-party service provider’s platform and not within their own infrastructure.
The data leaked was reportedly only contact information, but they advised customers to be wary of phishing attacks and not to click links or share info in unexpected communications from the company.
BleepingComputer further reported the attack was claimed by ShinyHunters, who also claimed to have stolen 18 million Salesforce records from the company.
With Britain’s largest automaker Jaguar Land Rover (JLR) already shut down by a related cyberattack since the end of August and just now beginning a phased manufacturing restart, it’s proving a risky time for automakers. (This attack, claimed by the same group, had shut down their factories, required a British government loan, and was believed to cost JLR some £50 million per week.)
In today’s PTP Report, we revisit this ongoing cybercrime campaign to profile another form of attack in use, update the shifting group behind it, and advise companies on the best ways to stay safe.
The Google Mandiant and FBI Salesforce Security Warnings
On September 12, the FBI released a FLASH alert updating companies to dual campaigns related to ongoing data thefts and extortion targeting company Salesforce platforms.
The two approaches use differing means, broken down as:
- UNC6040: Vishing-based, seeking to connect malicious apps, with extortion emails using the ShinyHunters name
- UNC6395: OAuth token abuse across platforms via Drift/Drift Email
Google Mandiant’s Threat Intelligence Group also issued releases on each, warning Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Their report also confirms an additional detail: the attackers have used Drift Email OAuth tokens to break into a small number of Google Workspace email accounts. While broader Workspace compromises are not known to have occurred, this is an example of the broader fallout from these attacks (see below).
The bottom line: This attack is ongoing and spreading, now taking advantage of third-party connections instead of relying on fooling employees with effective vishing.
The Campaign Evolves from Vishing to OAuth Token Abuse
While these threats are being tracked separately as two parallel campaigns, they converge in targeting Salesforce data and in the parties claiming responsibility (see below).
Last time out we profiled UNC6040 in some depth, but here’s an overview of the basics of both:
UNC6040: Vishing and Using Connected Salesforce Apps for MFA Bypass
Starting late last year, these attacks launch with clever and effective impersonations of affiliated staff, like IT departments. Often coordinating with other communications, they aim to get employees to make connections within the company Salesforce’s connected apps. These connections often appear completely legitimate and are in some cases modified versions of the Salesforce Data Loader (in others wholly custom applications).
There are also cases of fraudsters requesting credentials directly, including multi-factor authentication (MFA) codes, though the above approach can entirely bypass MFA.
Once a malicious app has been connected, they begin to exfiltrate data at scale, until being discovered and shut down.
There have been extortion requests with this campaign from the ShinyHunters group, though in many cases the data is purely contact information which can be used to further legitimize phishing and vishing attacks.
UNC6395: The Drift Salesloft Salesforce Breach
Reports of a more recent campaign tactic began to surface right after our last report on the Workday breach, and it doesn’t involve interacting with users at all.
It’s based on a hack of third-party vendor Salesloft, whose Drift AI chatbot is widely used by Salesforce clients for CRM integration with an email service also used with the CRM.
A Salesloft statement in September revealed hackers had compromised the company’s Github code repository earlier in 2025. These attackers downloaded content from several repositories in March and June and added guest users. Within the code, they found OAuth tokens.
Mandiant’s profile noted forays were made directly in the Salesloft and Drift environments, but the attackers moved to AWS, where they used these tokens to steal additional Drift authentication tokens for customer integrations.
With these, attackers gained direct, API-level access to hundreds of organizations in August without a need for login or MFA. During this time, the hackers were able to access Salesforce instances at numerous organizations, extracting data at scale.
And, as noted by Google above, these intrusions have also extended beyond Salesforce.
On August 20, Salesloft, collaborating with Salesforce, revoked all active access and refresh tokens with the Drift application, and Salesforce removed it from their AppExchange pending investigation.
But with weeks of access across systems, credentials and additional tokens have been stolen that will lead to more breaches still to come.
And from this prior access, the cyber criminals are already claiming a haul of 1.5 billion records.
Salesloft posted on September 12 that they are working to improve the defenses in the Drift environment.
“This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations. At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.”
The Claimed Salesforce Data Breach Prize: 1.5B Records
According to reporting by BleepingComputer’s Lawrence Abrams, the extortion group has claimed they’ve stolen 1.5 billion Salesforce records from some 760 organizations.
These Salesforce objects breakdowns come from the hackers, though source code stolen from Salesloft was shown to reporters and additional sources have verified their claims.
Google Mandiant’s investigation warned that data in Salesforce objects like Case, which stores information on support tickets, could include sensitive information. Their threat intelligence has observed AWS access keys, passwords, and Snowflake access tokens among the targeted data, and warned that any third-party integrations with Salesloft Drift should be considered compromised.
Confirmed Victims to Date
Numerous victims of varying size have been hit by this campaign, including (but not limited to) Stellantis, JLR, Google, Cisco, Quantas, Adidas, Allianz Life, Farmers Insurance, Workday, Dior, Louis Vuitton, and Tiffany & Co.
In addition, through stolen Drift OAuth tokens and downstream secrets, the hackers have claimed additional stolen sensitive data from companies like Google, Cloudflare, Zscaler, Tenable, Palo Alto Networks, CyberArk, Nutanix, Qualys, Rubrik, Elastic, BeyondTrust, Proofpoint, and Cato Networks.
On their blog in early September, Cloudflare confirmed its Salesforce instance was breached using stolen tokens and may have included support case data. They found 104 Cloudflare API tokens among the exposed data but identified no suspicious activity and immediately rotated them.
From reporting by CNET, one of the three credit bureaus, TransUnion, was also a party to these breaches, and leaked some 4.4 million customer records. This was, like many, a breach of a third-party application, in their case supporting US customer operations.
TransUnion reported this did not include credit reports, but it may have included social security numbers and birthdates.
Are These the First Scattered Lapsus$ Hunters Attacks?
Like the third-party partnerships and consolidation that’s going on in tech companies, with sharing of resources, mergers and acquisitions, a new criminal organization is believed to have been formed from various other groups associated with a network called The Com.
This new group is being called Scattered Lapsus$ Hunters after a Telegram channel and is believed to include members of the ShinyHunters and Scattered Spider groups we’ve profiled previously, along with former members of Lapsus$.
The latter is infamous for hacks of the Brazilian Ministry of Health (2021) and a number of companies in 2022 including Samsung, Nvidia, Microsoft, and T-Mobile.
Complicating matters, after a series of arrests (the hackers claim getting the wrong people) these groups and others posted on Telegram in September that they had “decided to go dark” and had obtained their objectives.
But their activity has continued apace, and as senior VP of Unit 42 Consulting and Threat Intelligence Sam Rubin told The Hacker News, this move away from social media is likely motivated by arrests and investigations and intended for misdirection rather a change of heart.
He added, “These declarations rarely signal a true retirement.”
Ensuring Salesforce Instance (and Third Party) Data Protection
Facing this varied approach of direct vishing and third-party tool leaks, it can be hard to know how best to ensure your own Salesforce third-party integrations stay secure.
For tracking exposure via UNC6395, Nudge Security has established the site driftbreach, which also includes a timeline of events.
As Salesforce has demonstrated (and as we covered last time out), their product itself has not been hacked, but rather integrations are being used to get the data stored in company Salesforce instances.
Shoring Up Against Vishing and Connections to Malicious Apps (UNC6040)
The first step is to make all employees aware of the risk.
This includes training them to resist phishing attacks in their many varying forms. Employees should: know who to contact; be drilled with unannounced tests; and be incentivized to speak up on potential mishaps.
They should never provide credentials or MFA codes over the phone, or at the least require supervisor signoff and callbacks to verify identities.
In addition, ensuring least privilege for data access and requiring limited administrator access for apps requesting API or refresh tokens is critical.
All connected apps need auditing, with alerts for new connections. In this era of expansive third-party partnerships, it can be tough to keep track of attack surfaces, which is why no trust principles, establishing baseline activities, and monitoring unusual behavior is critical.
Audit your integrations and ensure all unused connections are removed.
Ensuring Salesforce OAuth Scope Restriction (UNC6395)
First things first, if you haven’t done so, revoke all third-party integrations with Drift instances.
For both of these cases, enforcing IP-based access restrictions is widely recommended, including in Salesforce integrations, as well as monitoring API usage.
This includes Salesforce log monitoring, and alerting on bulk exports from objects like Contacts, Cases, or Users. Set session timeout values to limit their lifespan in the event of compromise.
Regular API key, credential, and authentication token rotation must be standard practice. Where possible, maintain short token lifespans overall and revoke unused or compromised tokens immediately.
For third-party vendors in this age of rapidly changing AI, diligence is more important than ever. Require demonstration of security and secret management and build a process for rapid revocation in the event of breaches.
General Protections Against Salesforce Supply Chain Attacks
Google Mandiant recommends scanning for sensitive data among Salesforce objects now, including AWS access key identifiers, Snowflake credentials, passwords, secrets, and keys.
Also look for organization-specific login URLs, like VPN or SSO login pages, and run tools like TruffleHog to find hardcoded secrets before hackers do. (The same tool the hackers claimed to use themselves on stolen Salesloft code.)
As mentioned, limit data access to the least privilege, including what third-party integrations can see.
Pay attention to deleted Salesforce jobs or queries and monitor for suspicious queries operating at an unusual scale.
Note that the Lapsus$ group has also made use of SIM-swapping and there have been threats hinted against telecom.
This method involves using telecom to port a target’s cell number to a hacker-controlled SIM card. The victim loses access to their phone, but in the meantime, hackers can intercept MFA and additional means of authenticating and recovering accounts.
Conclusion: Be Proactive and Contact PTP for Any Help You Need
With the JLR shutdown having halted operations for over a month (and only now ending), the power of these attacks to disrupt not only massive enterprises, but also long dependent supply chains, is painfully evident.
Even if you’re not among the massive list of impacted parties, it’s wise to prepare your organization now. Because whether it’s Scattered Lapsus$ Hunters or someone else, hackers are certain to make use of variations on these techniques until they are proved ineffective.
And for help from the cybersecurity professionals or Salesforce consultants you need to shore up and maintain your defenses, you can always call us. PTP has nearly three decades of experience in finding and vetting the best talent, onsite or off, onshore, offshore, or nearshore.
The Stellantis attack shows these attacks are ongoing. Prepare your staff for vishing and secure your Salesforce instance now, before a new form of attack in this campaign makes the news.
References
Automaker giant Stellantis confirms data breach after Salesforce hack, Bleeping Computer
JLR shutdown extended again as ministers meet suppliers and M&S hackers claim to be behind Jaguar Land Rover cyber attack, BBC
JLR’s UK factory stoppage from cyber attack stretches to three weeks, Reuters
FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks, The Hacker News
Scattered LAPSUS$ Hunters: The Cybercrime Group Redefining Threats, Container 7 Threat Intelligence
How the Salesforce breaches unfolded: root causes identified and Scattered Spider not dark after all: researchers see signs of life in new attacks, Cybernews
More Than 4.4 Million Exposed in Credit Bureau TransUnion Breach: What to Know, CNET
The impact of the Salesloft Drift breach on Cloudflare and our customers, The Cloudflare Blog
FAQs
Was Salesforce breached or does the CRM product have a vulnerability being exploited?
No. The Salesforce vulnerability comes from connecting it with third-party integrations. In one form of attack, hackers are trying to fool employees to connect their malicious app to the instances, and in another they’ve managed to break into a third party and steal authentication tokens. With these, they’re using integrations to break into other systems, like Salesforce.
What are OAuth tokens and how are they being used by the hackers?
OAuth is an open standard for delegating access and is used by companies to give third-party applications access to their information without sharing passwords. The tokens are like digital keys and come in the form of access (for temporary access) and refresh (to get new access tokens). By stealing these tokens, hackers have been able to get direct access via APIs and bypass login and MFA protections.
What’s the biggest risk to companies in this campaign?
The hackers have been stealing what information they can and using this either for additional attacks, or in direct extortion plays. This includes business contact information but also account and case data that can include support tickets and details such as API keys, passwords, and additional secrets. This exposes companies to smarter phishing, supply-chain attacks to partners and clients, direct extortion, and liabilities for exposed personally identifiable information.
