Hackers Claim to Have Stolen 1B Salesforce Records

Voice phishing hackers are claiming to have stolen nearly 1B Salesforce records, according to reports.

The hacking group, known as ‘Scattered LAPSUS$ Hunters’, told Reuters that it had obtained Salesforce records containing personally identifiable information. One hacker, who identified themselves as ‘Shiny’, said in an email to the news organization that they did not directly hack Salesforce, but targeted Salesforce customers using “vishing,” or voice phishing.

The hacking group reportedly published a leak site on the dark web on Friday, listing dozens of companies it claimed to have hacked.

Salesforce says there is no indication that the Salesforce platform has been compromised.

Note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.
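One way to triage a connected-app inventory along the lines of the audit recommended above, as an added example (not Salesforce Ben's or Salesforce's code). The CSV columns, the approved list and the 90-day threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date
from difflib import SequenceMatcher

# Constructed sample export; column names are hypothetical, not a Salesforce schema.
INVENTORY_CSV = """app_name,origin,last_used,users
Data Loader,salesforce,2025-09-30,4
Data Loader Pro,unknown,2025-10-02,1
Acme Billing Sync,internal,2025-01-10,2
Marketing Connector,vendor:ExampleCo,2025-09-28,12
"""

# Assumed allowlist kept by the org: app name -> origin the org has verified.
APPROVED = {
    "Data Loader": "salesforce",
    "Acme Billing Sync": "internal",
    "Marketing Connector": "vendor:ExampleCo",
}
STALE_DAYS = 90  # assumed threshold for "unused"


def lookalike_of(name):
    """Return the approved app that a name closely resembles without matching it."""
    a = name.lower()
    for good in APPROVED:
        b = good.lower()
        if a != b and (b in a or SequenceMatcher(None, a, b).ratio() >= 0.8):
            return good
    return None


def triage(csv_text, today):
    """Map each app name to the list of reasons it needs review (empty = no finding)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, reasons = row["app_name"], []
        if APPROVED.get(name) != row["origin"]:
            reasons.append("origin not on approved list")
        twin = lookalike_of(name)
        if twin:
            reasons.append(f"name resembles approved app '{twin}'")
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > STALE_DAYS:
            reasons.append(f"unused for {idle} days")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for app, why in triage(INVENTORY_CSV, date(2025, 10, 6)).items():
        print(f"{app}: {'; '.join(why) or 'ok'}")
```

An app that is recently used can still be the riskiest row: here the constructed "Data Loader Pro" entry is flagged on origin and name, not on staleness.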

Salesforce Data Hacks: What Happened?

Security researchers at Google’s Threat Intelligence Group (GTIG) had earlier this year said the group, which it tracks as “UNC6040,” had “proven particularly effective at tricking employees” into installing a modified version of Salesforce’s Data Loader.

Google had stressed that, in all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.

The hackers had tricked victims into opening the connected apps setup page and entering a code, linking an attacker-controlled replica of the Data Loader app – which is used for importing, exporting, and bulk managing Salesforce data – to their Salesforce environment.

Once downloaded, the malicious app granted hackers extensive access, allowing them to query and exfiltrate sensitive data directly from compromised Salesforce customer accounts.

A Salesforce spokesperson told Salesforce Ben on October 6: “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities.

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.

“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Salesforce Ben has asked for clarification about what is meant by ‘past or unsubstantiated incidents’.

Final Thoughts

Throughout the news of the hacking campaign in recent days, Salesforce has continuously stressed that there is no indication that their platform has been compromised, and the activity is not related to any known vulnerability in their technology.

Still, with Dreamforce just around the corner, it’s far from ideal for the cloud giant to be dealing with yet more news of Salesforce hacks.

Read our hub post about the Salesforce data theft campaign here.

Have you been affected by the hacks? Email tips@salesforceben.com.

The post Hackers Claim to Have Stolen 1B Salesforce Records appeared first on Salesforce Ben.
