Found 4 bookmarks
Newest
ShinyHunters launches Salesforce data leak site to extort 39 victims
ShinyHunters launches Salesforce data leak site to extort 39 victims
bleepingcomputer.com By Sergiu Gatlan October 3, 2025 An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached. The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA. "All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer. "We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site. The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked. "Should you comply, we will withdraw from any active or pending negotiation indiviually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added. The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
#bleepingcomputer.com#EN#2025#Breach#Data-Breach#Leak#Salesforce#Scattered-Lapsus$-Hunters#ShinyHunters
·bleepingcomputer.com·
ShinyHunters launches Salesforce data leak site to extort 39 victims
Cloudflare hit by data breach in Salesloft Drift supply chain attack
Cloudflare hit by data breach in Salesloft Drift supply chain attack
bleepingcomputer.com By Sergiu Gatlan September 2, 2025 Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week. The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens. Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens. "Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said. "Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel." The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9. These exfiltrated case objects contained only text-based data, including: The subject line of the Salesforce case The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare) Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country) "We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added. "Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations." Wave of Salesforce data breaches Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims. Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them. Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments. The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services. The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.
#bleepingcomputer.com#EN#2025#Breach#Cloudflare#Data-Breach#Salesforce#Salesloft#Salesloft-Drift#Supply-Chain-Attack
·bleepingcomputer.com·
Cloudflare hit by data breach in Salesloft Drift supply chain attack
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
bleepingcomputer.com By Lawrence Abrams August 25, 2025 - U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks. Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide. The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities." The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year. BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response. The Salesforce data theft attacks Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
#bleepingcomputer.com#EN#2025#Data-Breach#Data-Theft#Farmers-Insurance#Insurance#Salesforce#ShinyHunters
·bleepingcomputer.com·
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Hackers leak Allianz Life data stolen in Salesforce attacks
Hackers leak Allianz Life data stolen in Salesforce attacks
bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks. Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th. While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group. Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches. Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase. One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances. These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors. The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications. BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database. BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing. The Salesforce data-theft attacks The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks. While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider. However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested. Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses. Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
#bleepingcomputer.com#EN#2025#llianz-Life#Data-Breach#Lapsus$#Personal-Information#Salesforce#Scattered-Spider#ShinyHunters
·bleepingcomputer.com·
Hackers leak Allianz Life data stolen in Salesforce attacks