Salesforce
A cybercrime alliance tied to Lapsus$, Scattered Spider, and ShinyHunters is pre...
A new dark‑web leak site branded Scattered [LAPSUS$](https://www.secureblink.com/cyber-security-news/lapsus-hackers-elevate-sim-swapping-attacks-to-unprecedented-heights) Hunters is threatening to dump roughly a billion records allegedly stolen from companies using Salesforce, a pressure tactic typical of modern data‑extortion operations rather than encryption‑based ransomware.
Multiple enterprises have acknowledged recent Salesforce‑adjacent data theft, while [Salesforce](https://www.secureblink.com/cyber-security-news/salesforce-zero-day-exploited-to-phish-facebook-credentials) maintains there’s no evidence of a platform‑level compromise, aligning with reports that attackers targeted customers via social engineering and OAuth abuse, not a direct Salesforce breach.
The numbers are designed for shock value; the operational core is credentialed API access obtained through vishing and connected‑app authorization flows that grant durable exfiltration capability.
### New alliance: brand fusion, tactics convergence
Evidence points to a coordinated alliance blending Lapsus$, Scattered Spider, and [ShinyHunters](https://www.secureblink.com/cyber-security-news/1-1-m-affected-in-allianz-life-data-breach-via-social-engineering) into a single extortion machine that markets itself loudly, moves quickly, and leverages pooled playbooks: social engineering for initial access, OAuth for durable tokens, and public‑facing leak theater for leverage.
Public monitoring shows Telegram activity explicitly merging these brands, with a shared narrative that Scattered Spider specializes in initial access while ShinyHunters executes exfiltration and data dumps, echoing their advertised “shinysp1d3r” operations and joint claims tied to Salesforce and other SaaS ecosystems.
Third‑party threat profiles and incident recaps corroborate a mid‑2025 surge targeting Salesforce tenants across major enterprises, consistent with this merged identity.
### Why this works: trust edges, not zero‑days
This campaign preys on trust junctions in SaaS identity, not exotic exploits: a phone call to a help desk, a plausible app name, and a legitimate OAuth flow that converts a moment of social trust into long‑lived API access.
Desktop‑style OAuth and connected‑app experiences can be impersonated or repackaged to appear as standard Salesforce tooling (e.g., “Data Loader”), tricking staff into authorizing scopes like refresh_token + full that enable persistent bulk extraction with minimal noise.
This turns traditional perimeter and endpoint controls into bystanders; once a connected app is authorized, the attacker is “inside” through sanctioned API pathways until the token is revoked and the app is pruned.
### Exfil Blueprint
Incident forensics from multiple vendors describes a repeatable chain: vishing to the connected‑apps page, user‑supplied verification code, app authorization, and then scripted REST or bulk API queries that sweep high‑value objects at scale.
Threat hunters have observed iterative testing with small chunk sizes before pivoting to full‑table pulls, and app aliases like “My Ticket Portal” to match the social pretext, allowing attackers to blend into operational noise until export volumes spike.
Event Monitoring and REST API logs reveal patterned queries against PII‑rich objects with per‑request payloads in the megabytes, a signature that becomes obvious with the right telemetry but invisible without it.
### Extortion
The leak‑site model operationalizes marketing: timers, victim lists, and public taunts amplify pressure while letting groups walk back into the shadows when it suits their private negotiations.
Analysts note that these crews have shifted to selective media use—public enough to validate credibility, private enough to optimize ransom yield—making the “shutdown and reappear” cycles part of the business model rather than a sign of weakness.
The Salesforce‑specific branding is a force multiplier, collapsing dozens of discreet tenant incidents into one narrative that helps drive larger payouts and faster executive attention.
### Misconceptions that can sink a response
- “Platform breach” vs. tenant compromise: Reports and statements consistently indicate abuse of tenant‑level trust and identity flows, not a Salesforce core vulnerability, which changes the remediation locus from vendor patching to customer identity and app governance.
- “MFA solves this”: MFA reduces risk but does not stop a user from consenting to a malicious connected app; OAuth consent with high‑privilege scopes can outflank strong authentication if help‑desk workflows are not hardened.
- “If there’s no encryption ransomware, impact is limited”: Data theft alone can trigger regulatory exposure, customer churn, and downstream fraud; operational resilience does not equal privacy resilience.
### Make‑or‑break controls
- OAuth and connected‑app governance: Inventory, alert, and gate app creation and authorization events; flag apps with elevated scopes and ambiguous names; enforce reviews for Data Loader‑like tools and restrict to managed, signed binaries.
- Event Monitoring and anomaly detection: Continuously watch for API query bursts, unusual object access, sudden increases in data export sizes, and new app authorizations, using Event Monitoring logs as the primary signal source.
- Help desk and user verification: Script defenses against vishing—no codes over the phone, out‑of‑band verification for any app authorization, and tight playbooks that treat connected‑app approvals as security‑sensitive changes.
### Break the kill chain: high‑impact, low‑friction steps
- Enforce IP ranges and network‑based access policies for administrative sessions and high‑risk actions, reducing the surface for remote OAuth abuse to succeed unnoticed.
- Minimize and rotate API keys and integration users, review automated data export jobs, and adhere strictly to least privilege for both humans and non‑human identities connected to Salesforce.
- Monitor for unreviewed package installs and scope elevation events; alert when apps request refresh_token or full API access, and quarantine suspect apps pending review and forensic validation.
### SaaS sprawl meets identity debt
The Salesforce wave underscores a broader SaaS security problem: sprawling connected apps, unattended machine identities, and permissive scopes create an identity debt that adversaries monetize via phone‑based persuasion rather than code execution.
Training and MFA help, but durable fixes require continuous, identity‑aware monitoring across SaaS estates and controls that make “consent” a governed process, not a casual click. Expect copycats to transpose this playbook to other high‑value SaaS platforms where connected apps and delegated access are ubiquitous.
This campaign is not about a novel exploit; it is about industrialized persuasion weaponizing OAuth trust to convert a polite phone call into a high‑bandwidth data siphon, then monetizing the haul via sophisticated extortion theater.
Organizations that treat connected‑app governance, Event Monitoring, and help‑desk hardening as first‑class controls will deflate the business model behind the “billion records” headline, while those relying on traditional perimeter thinking will remain easy marks for the next branded leak countdown.
