
ZDNET's key takeaways
- Hackers claim theft of 1 billion records from Salesforce databases.
- Major firms like Google, Qantas, and TransUnion confirm breaches.
- FBI says attackers used vishing, not Salesforce vulnerabilities.
A hacking group is claiming it stole about 1 billion records from dozens of companies that store their customer data in cloud databases hosted on Salesforce. The hackers reportedly created a site on the dark web, which security researchers and TechCrunch have seen. It lists the victim companies and threatens to release the stolen data if it doesn't get paid.
Who is behind this attack?
The campaign is tied to a new cybercrime alliance called Scattered Lapsus$ Hunters, which brings together members of Scattered Spider, Lapsus$, and ShinyHunters -- three of the most notorious English-speaking hacking groups active today.
The group allegedly broke into cloud databases used by many companies on the Salesforce platform and stole massive amounts of customer data. According to TechCrunch, they claim to be holding about 1 billion records in total. On their site, they posted a warning telling companies to "contact us to regain control... and prevent public disclosure of your data."
Resecurity reported that Scattered Lapsus$ Hunters also operated a Telegram channel, now banned, where members coordinated threats, teased leaks, and promoted new Ransomware-as-a-Service tools. Scattered Spider reportedly provided initial access to targets, ShinyHunters managed data theft and dumps, and LAPSUS$ members also participated, with all three groups working together on high-profile campaigns such as the Salesforce database breaches.
Which companies were hit?
Several companies recently confirmed that hackers stole customer data from their Salesforce-based databases.
Below is a list of confirmed incidents so far.
- Insurance giant Allianz Life confirmed a breach affecting most of its 1.4 million US customers.
- Google's Threat Intelligence Group acknowledged a Salesforce-based data leak.
- Luxury goods conglomerate Kering confirmed a similar breach.
- Qantas disclosed that about 5.7 million customer records were impacted.
- Carmaker Stellantis admitted to a "third-party data incident."
- Credit bureau TransUnion revealed that 4.4 million US consumers' data was exposed.
- Workday acknowledged that its customers' data was stolen.
TechCrunch said the hackers' leak site names other big brands like FedEx, Hulu, and Toyota, but they have yet to publicly comment.
How does this affect you?
If you're a customer of any of the companies involved, your personal data may have been exposed in a breach. That data could include names, email addresses, phone numbers, and in some cases, Social Security numbers.
Allianz Life said its breach, which affected 1.4 million people, included sensitive details such as Social Security numbers. The company is offering two years of free identity theft and credit monitoring services to those affected. Credit bureau TransUnion also reported that personal data belonging to 4.4 million customers -- including names and Social Security numbers -- was exposed.
It's worth reviewing each company's announcement to see what types of data were stolen and how to check whether you were affected.
How did the hackers break in?
On September 12, the FBI issued a FLASH alert about the threat actors who had gained initial access to organizations' Salesforce accounts. It said they used social engineering tactics like voice phishing (or vishing). Google's security researchers explained how a hacker impersonated IT support staff over the phone to gain access to a Salesforce database, for instance.
Once the attackers had valid login credentials, they could use Salesforce's own data export tools to pull large amounts of data. In other words, the attackers exploited human error, not any vulnerability in Salesforce itself. Because the exports ran through sanctioned tooling under a legitimate account, nothing about them looked like an exploit; what set them apart was how much data left, and when.
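The defensive corollary of that attack path is that detection has to key on behaviour rather than signatures: an intruder with valid credentials runs the same export tooling a legitimate administrator would. The script below is an added example (not code from the article, from Salesforce, or from the FBI alert) that scores a constructed activity log on three signals: per-user daily export volume, exports outside business hours, and bursts of back-to-back export jobs. The CSV columns, event names, thresholds, and business-hours window are all assumptions made for the illustration, not any vendor's real audit-log schema.

```python
"""Flag suspicious bulk exports in a CRM activity log.

Added example, not from the article: once an attacker holds a valid account,
the exports come through the vendor's own tooling, so the signal is volume,
timing and burstiness rather than any exploit signature.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log. The column names and event labels are simplified
# assumptions for this example, not the real schema of any vendor's audit log.
SAMPLE_LOG = """\
timestamp,user,event,records,client_app
2025-09-10T09:12:03Z,alice@example.com,ReportExport,1200,browser
2025-09-10T10:30:41Z,bob@example.com,BulkApiJob,5000,DataLoader
2025-09-10T14:05:09Z,alice@example.com,Login,0,browser
2025-09-11T02:14:22Z,carol@example.com,BulkApiJob,250000,DataLoader
2025-09-11T02:31:07Z,carol@example.com,BulkApiJob,310000,DataLoader
2025-09-11T02:47:55Z,carol@example.com,BulkApiJob,295000,DataLoader
2025-09-11T11:20:00Z,bob@example.com,ReportExport,800,browser
"""

EXPORT_EVENTS = {"ReportExport", "BulkApiJob"}
BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59 UTC working window
DAILY_RECORD_LIMIT = 100_000    # assumed per-user ceiling for one calendar day
BURST_JOBS = 3                  # this many export jobs ...
BURST_WINDOW_SEC = 60 * 60      # ... inside one hour counts as a burst


def parse_log(text):
    """Parse the CSV log into dicts with a UTC datetime and an int record count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        row["records"] = int(row["records"])
        rows.append(row)
    return rows


def find_suspicious_exports(rows):
    """Return {user: {reason: detail}} for accounts whose export activity looks like theft."""
    by_user = defaultdict(list)
    for row in rows:
        if row["event"] in EXPORT_EVENTS:
            by_user[row["user"]].append(row)

    findings = defaultdict(dict)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["timestamp"])

        # 1. Daily volume: one account pulling far more than its normal share.
        per_day = defaultdict(int)
        for e in events:
            per_day[e["timestamp"].date()] += e["records"]
        for day, total in per_day.items():
            if total > DAILY_RECORD_LIMIT:
                findings[user]["volume"] = f"{total} records exported on {day}"

        # 2. Timing: exports outside the working window.
        off_hours = [e for e in events if e["timestamp"].hour not in BUSINESS_HOURS]
        if off_hours:
            findings[user]["off_hours"] = f"{len(off_hours)} export job(s) outside business hours"

        # 3. Burstiness: several jobs fired back to back, as a scripted dump would.
        for i in range(len(events) - BURST_JOBS + 1):
            span = events[i + BURST_JOBS - 1]["timestamp"] - events[i]["timestamp"]
            if span.total_seconds() <= BURST_WINDOW_SEC:
                minutes = int(span.total_seconds() // 60)
                findings[user]["burst"] = f"{BURST_JOBS} export jobs within {minutes} minutes"
                break

    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_suspicious_exports(parse_log(SAMPLE_LOG)).items():
        print(user)
        for reason, detail in reasons.items():
            print(f"  {reason}: {detail}")
```

Run against the constructed log, only the third account trips the rules, on all three counts. In practice the thresholds should be derived from each account's own baseline rather than fixed constants, and an alert on a service or integration account deserves a phone call to its owner through a number already on file, not one supplied by whoever opened the ticket.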
Is Salesforce's platform compromised?
Salesforce said no, its platform wasn't compromised by these attacks.
While the hackers did mention Salesforce by name on their leak site -- essentially demanding that Salesforce negotiate or else all "your customers' data will be leaked," as TechCrunch reported -- Salesforce maintains that its infrastructure wasn't directly breached.
In a public statement, Salesforce confirmed it is "aware of recent extortion attempts," but so far, there is no indication that the Salesforce platform has been compromised, nor is this activity "related to any known vulnerability in our technology."
All evidence points to the attackers abusing stolen credentials and impersonating users via vishing to get into the databases, rather than hacking Salesforce's systems. Salesforce said it has been working with the affected companies to provide support.
Have we seen this kind of extortion before?
Unfortunately, yes -- this playbook is all too familiar. CrowdStrike's 11th annual 2025 Global Threat Report, for example, found that vishing attacks rose 442% in the second half of 2024 compared with the first. Over the course of the year, the company tracked at least six separate campaigns where attackers posed as IT staffers and called employees at various organizations.
CrowdStrike said companies can strengthen their defenses against vishing by requiring stricter verification for password resets, such as video authentication and government ID, and by training help desk staff to spot suspicious requests, especially those outside normal hours. It also advised using advanced authentication methods like FIDO2 and keeping systems updated with patches.