“75M Salesforce Records Exposed” in Loblaw Breach: Hacker’s Deadline Approaches


Canada’s largest grocer and pharmacy retailer, Loblaw, has been affected by a data breach that allegedly includes 75.1M Salesforce customer records, 19.3M Oracle IDCS user identity records, and more. 

The attack, which Loblaw began investigating last week, has allegedly been carried out by a threat actor who claims the retailer has until March 19 to reach out to them, or the data will be publicly leaked.

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.
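A sketch of how the audit steps in the note above could be triaged over a connected-app inventory, added here as an example and not code from Salesforce Ben or Salesforce. The CSV columns, app names, publishers, allowlist and the 90-day staleness window are all constructed assumptions; map them to whatever your own export provides.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumptions for this example,
# not a documented Salesforce export format.
SAMPLE_CSV = """app_name,publisher,user_count,last_used,admin_approved_only
CRM Backup,Example Backup Inc,4,2025-06-20,true
Acme Sync,Acme Corp,12,2025-06-01,false
Legacy ETL,Internal IT,1,2024-11-05,true
Report Exporter,,37,2025-06-28,false
"""

# Hypothetical allowlist: apps whose origin has been confirmed, with expected publisher.
APPROVED = {
    "CRM Backup": "Example Backup Inc",
    "Acme Sync": "Acme Corp",
    "Legacy ETL": "Internal IT",
}

def triage(csv_text, approved, today, stale_days=90):
    """Return {app_name: [findings]} for every connected app that needs action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, issues = row["app_name"], []
        # Origin: the app must be allowlisted and report the expected publisher.
        publisher = row["publisher"].strip()
        if not publisher or approved.get(name) != publisher:
            issues.append("unknown origin")
        # Unused: no recorded use inside the staleness window.
        last = row["last_used"].strip()
        if not last or (today - date.fromisoformat(last)).days > stale_days:
            issues.append("unused")
        # Access: users can authorize the app without admin approval.
        if row["admin_approved_only"].strip().lower() != "true":
            issues.append("not restricted to admin-approved users")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for app, issues in triage(SAMPLE_CSV, APPROVED, date(2025, 6, 30)).items():
        print(f"{app}: {', '.join(issues)}")
```

Apps that come back with "unknown origin" or "unused" are the removal candidates; the access finding marks apps whose authorization policy still needs tightening.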

A New Breach 

According to a notice posted by Loblaw on March 10, the company began investigating the breach after “identifying suspicious activity on a contained, non-critical part of its IT network”. The investigation has revealed that a threat actor was able to access basic customer information, including names, phone numbers, and email addresses. The company said this data was accessed on that same contained, non-critical part of the network.

In response to this, Loblaw secured its network, which meant that customers were automatically logged out of their accounts. The retailer stresses that no passwords, health information, or credit card data were compromised in this breach. 

Loblaw has declined to comment.

75M Salesforce Records at Risk

Although Loblaw has assured customers that it will continue to provide further updates as its investigation continues, the alleged threat actor claims that there is more at stake. 

On March 13, X user Dark Web Informer posted that the breach reportedly contains over 75M Salesforce records alongside:

  • 724.9M Shoppers Drug Mart Hybris rows with payment info and credit card details
  • 129.9M pharmacy fill request records with prescription numbers and patient IDs
  • 120.4M e-commerce fraud-feed records, 20.2M Delivery Ops Portal rows
  • 3,014 GitLab projects with full source code
  • 19.3M Oracle IDCS user identity records, and 55.3M SFMC marketing/email records across 673 tables

The threat actor has also allegedly claimed that Loblaw has until March 19 to reach out to them, otherwise “all this data (& more) will be publicly leaked”. 

SF Ben has reached out to Salesforce for comment.

The alleged notice of the Loblaw breach from the threat actor. Source: Dark Web Informer on X.

Final Thoughts: This Will Not Be The Last Hack

The Salesforce-adjacent breaches that plagued the sector for a large proportion of last year do not appear to be slowing down anytime soon, reiterating the importance of org-wide security across internal and external platforms. 

Although this particular breach once again is not a reflection of any Salesforce vulnerability, it illustrates just how much sensitive customer information can be at risk if it isn’t securely protected. 

This will not be the last breach, and protective measures will not protect your business from every attack, but let this be another reminder to ensure your org and your data are as watertight as they can be during this time.
