A large-scale data leak campaign has exposed the information of tens of millions of customers from more than 40 organizations. The culprit is Scattered LAPSUS$ Hunters, a hacker alliance that targets corporate platforms. The group abused tokens, authorizations, and third-party applications connected to Salesforce to take data, making a clear case for the risk posed by the service supply chain and poorly managed integrations.
Why Salesforce became a target
Salesforce is a leading customer relationship management (CRM) platform, used by tens of thousands of businesses globally to manage customer, partner, and employee data. Its popularity and tight integration with third-party applications are what made Salesforce a “gold mine” for hackers. If exposed, valid technical accounts or OAuth tokens allow direct access to sensitive data without exploiting any software vulnerability, making the platform an ideal target for large-scale extortion or data leak campaigns.
In addition, flexible connections and authorized applications grant deep access to the system, while many businesses have yet to implement full API behavior monitoring or multi-factor authentication. This greatly expanded Salesforce’s attack surface and is the reason the Scattered LAPSUS$ Hunters group chose to exploit integrations rather than directly targeting individual enterprises’ internal systems.
A subtle and quiet attack tactic
The campaign, which ran from about April 2024 to September 2035, began with a thorough reconnaissance phase. According to reports, the Scattered LAPSUS$ Hunters group mapped the legitimate entry points into each Salesforce environment by reviewing authorized applications, service accounts, and third-party integrations such as Salesloft or Drift. The goal was to determine the scope of each token’s permissions, the callback addresses, and the secret storage that could be used to reach the data, and to build a list of the highest-value targets. This stage laid the groundwork for the next steps, in which the hackers obtained initial access and established persistence to extract data quietly but efficiently.
With the target map in hand, they moved to initial access by means of social engineering or supply chain exploitation. A common approach was to persuade an administrator to authorize a rogue application, or to harvest a refresh token or client secret from a compromised third-party system. Once holding valid tokens, they typically established persistence by registering additional connected apps, creating service accounts, or scheduling automated jobs to maintain access without attracting attention. A team member calling themselves Shiny said that they did not attack Salesforce directly but targeted Salesforce customers through telephone fraud, otherwise known as voice phishing (vishing). In this form of attack, hackers impersonate employees when calling IT support in order to deceive staff and gain access to sensitive information.
Once they had stable access, they extracted data through Salesforce’s legitimate mechanisms. They used bulk export APIs, Data Loader tools, or tailored queries to pull exactly the fields containing personal information, then split export jobs to stay under rate limits and transferred the results to attacker-controlled storage or via webhooks. Because most operations ran in the name of an authorized application with a valid token, the exfiltration usually did not trigger an abnormal login alert, so victims found the data pull difficult to detect in time.
Once enough data was collected, Scattered LAPSUS$ Hunters processed and published part of it as proof, alongside extortion demands, to amplify the media and legal pressure on victims.
Global Impact: When More than 40 Corporations Lose Salesforce Data
The consequences of the campaign quickly became evident in its scale and cross-industry reach. In Australia, Qantas confirmed that more than 5 million customer records had been released after the ransom deadline passed, accompanied by the hacker group’s provocative message: “Don’t be the next headline, should have paid the ransomware.”
In Vietnam, Vietnam Airlines was recorded as having about 7.3 million customer records leaked, including names, emails, phone numbers, dates of birth, and details of its loyalty program members. To date, Vietnam Airlines has not announced specific figures on the scope of impact or the remedial steps under way. Salesforce stated that there were no signs its core platform had been breached and declined to comment in detail on customers in the Asian region.
The impact did not stop with a few airlines. The list announced by the group included many global corporations prominent in retail, logistics, entertainment, and finance, such as Toyota, Disney, McDonald’s, Ikea, Adidas, Gap, FedEx, Marriott, and Air France-KLM. When data from multiple industries is exploited at the same time, the consequences become systemic: loss of trust, response costs, litigation risk, and waves of scam attacks aimed at each brand’s customers. The incident therefore cannot be viewed as an isolated event; it must be treated as a high-level warning about risk management in SaaS environments and application integrations.
The nature of the campaign: not just blackmail
Scattered LAPSUS$ Hunters is not a single attack group but is seen as an alliance of experienced hacker groups behind global data leak campaigns. They ran the campaign to a sophisticated script, combining technical elements with media pressure and forcing organizations to face legal and credibility crises at the same time. Releasing data from more than 40 organizations at once not only drew maximum attention but also created a domino effect, forcing victims into fast and expensive reactions, from internal investigations to enhanced security, customer alerts, and media response.
This strategy showed that the group’s goal went beyond direct profit from ransom. Once the data is exposed, the consequences spread: loss of trust, legal risk, and a wave of scam attacks aimed at customers that may far exceed the original ransom amount. This is how the group exploits the power of public opinion and media effects to multiply the impact, turning a data leak into a full-blown crisis and forcing businesses to face strategic rather than merely technical risks.
Data supply chain security lesson
The Salesforce leak once again demonstrated that modern corporate security is no longer just about protecting internal systems. As businesses integrate deeply with third-party platforms, every configuration, access right, and connected application becomes a potential attack surface. An exposed OAuth token, an over-privileged app, or a service account without multi-factor authentication can each throw the data door wide open. According to WhiteHat, the real risk lies not in the list of leaked data but in the chain of follow-on attacks. Seemingly innocuous information such as an email address, date of birth, or phone number is enough for hackers to launch personalized spear-phishing campaigns, targeting employees or customers to steal more sensitive information.
WhiteHat also highlighted a commonly overlooked technical element: the lack of API behavior monitoring. When data is abused through a valid token, traditional alerts for unauthorized logins or malware are never triggered. Early detection therefore requires API behavior analysis, anomaly detection rules applied to each type of query, and continuous monitoring of sensitive data flows.
For effective prevention, businesses need to adopt a Zero Trust mindset that extends to the entire SaaS ecosystem.
- Check and revoke all OAuth applications of unknown origin and rarely used tokens
- Apply multi-factor authentication to all admin accounts and service accounts
- Enforce a least-privilege policy for all applications and tokens
- Enable verbose logging for API traffic and set alerts for bulk data exports
- Limit access to the range of data required and to trusted IP addresses
- Review third-party integrations before granting permissions
- Implement CASB solutions to control cloud services
- Train staff to recognize social engineering and run attack simulations to assess response
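The following script is an added example for this article, not code from WhiteHat, Salesforce, or any vendor. It turns three of the points above into checks a defender can run over an API audit extract: alerting on bulk exports, spotting the job-splitting pattern described in the attack section (many sub-threshold export jobs from one app on one object inside a short window), and listing connected apps that are either absent from the authorized inventory or have been silent long enough that their tokens should be revoked. The record format, app names, and thresholds are all constructed for illustration; the field names are a simplified schema and are not Salesforce's real Event Monitoring layout.

```python
"""Behavioural checks over API audit records, written as an added example for
this article. The record format below is a constructed, simplified schema and
NOT Salesforce's real Event Monitoring format; thresholds are illustrative."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (newline-delimited JSON). Fields: ts (UTC),
# app (connected app), user, entity (object exported), rows, job_id.
SAMPLE_LOG = "\n".join([
    # Authorised reporting app last seen weeks ago (revocation candidate).
    '{"ts":"2024-11-01T03:00:00Z","app":"LegacyReporting","user":"svc-rpt","entity":"Opportunity","rows":300,"job_id":"j0"}',
    # Known nightly sync: one large job from an inventoried app.
    '{"ts":"2025-01-10T02:00:00Z","app":"NightlySync","user":"svc-sync","entity":"Account","rows":4000,"job_id":"j1"}',
    # Unknown connected app splitting a Contact export into sub-threshold jobs.
    '{"ts":"2025-01-10T10:00:00Z","app":"ChatConnector","user":"svc-chat","entity":"Contact","rows":1900,"job_id":"j2"}',
    '{"ts":"2025-01-10T10:02:00Z","app":"ChatConnector","user":"svc-chat","entity":"Contact","rows":1900,"job_id":"j3"}',
    '{"ts":"2025-01-10T10:04:00Z","app":"ChatConnector","user":"svc-chat","entity":"Contact","rows":1900,"job_id":"j4"}',
    '{"ts":"2025-01-10T10:06:00Z","app":"ChatConnector","user":"svc-chat","entity":"Contact","rows":1900,"job_id":"j5"}',
    '{"ts":"2025-01-10T10:08:00Z","app":"ChatConnector","user":"svc-chat","entity":"Contact","rows":1900,"job_id":"j6"}',
])

# Connected apps the organisation knowingly authorised (constructed inventory).
AUTHORISED_APPS = {"NightlySync", "LegacyReporting"}

BULK_ROW_THRESHOLD = 2000          # a single job above this counts as a bulk export
SPLIT_WINDOW = timedelta(minutes=15)
SPLIT_MIN_JOBS = 3                 # sub-threshold jobs in one window that look like splitting
STALE_DAYS = 30                    # authorised app silent this long -> revoke its token


def parse_log(text: str) -> list[dict]:
    """Parse NDJSON records and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def bulk_export_alerts(records: list[dict], threshold: int = BULK_ROW_THRESHOLD) -> list[tuple[str, str]]:
    """Rule 1: flag any single job returning more than `threshold` rows."""
    return [(r["app"], r["job_id"]) for r in records if r["rows"] > threshold]


def split_job_alerts(records: list[dict], threshold: int = BULK_ROW_THRESHOLD,
                     window: timedelta = SPLIT_WINDOW, min_jobs: int = SPLIT_MIN_JOBS) -> list[tuple[str, str, int]]:
    """Rule 2: the job-splitting evasion. Sub-threshold jobs by one app on one
    object are grouped; a sliding time window holding at least `min_jobs` jobs
    whose rows together exceed `threshold` is reported as (app, entity, rows)."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for r in records:                       # records are time-sorted, so groups are too
        if r["rows"] <= threshold:
            groups[(r["app"], r["entity"])].append(r)
    alerts = []
    for (app, entity), jobs in groups.items():
        start, best = 0, (0, 0)             # best = (jobs in window, rows in window)
        for end, job in enumerate(jobs):
            while job["ts"] - jobs[start]["ts"] > window:
                start += 1
            span = jobs[start:end + 1]
            best = max(best, (len(span), sum(j["rows"] for j in span)))
        if best[0] >= min_jobs and best[1] > threshold:
            alerts.append((app, entity, best[1]))
    return alerts


def app_inventory_findings(records: list[dict], authorised: set[str] = AUTHORISED_APPS,
                           stale_days: int = STALE_DAYS) -> dict[str, list[str]]:
    """Rule 3: apps active in the trail but missing from the inventory (unknown
    origin), and inventoried apps silent for `stale_days` as of the newest record."""
    now = max(r["ts"] for r in records)
    never = datetime.min.replace(tzinfo=timezone.utc)
    last_seen: dict[str, datetime] = {}
    for r in records:
        last_seen[r["app"]] = max(last_seen.get(r["app"], never), r["ts"])
    unknown = sorted(app for app in last_seen if app not in authorised)
    stale = sorted(app for app in authorised
                   if now - last_seen.get(app, never) > timedelta(days=stale_days))
    return {"unknown_origin": unknown, "stale": stale}


def run(text: str = SAMPLE_LOG) -> dict:
    """Apply all three rules to one audit extract."""
    recs = parse_log(text)
    return {"bulk": bulk_export_alerts(recs),
            "split": split_job_alerts(recs),
            "inventory": app_inventory_findings(recs)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the constructed sample, rule 1 flags the known nightly sync (a scheduled job that a real deployment would baseline or allowlist), rule 2 flags the five 1,900-row Contact jobs from the uninventoried app as one 9,500-row export, and rule 3 reports that app as unknown origin and the idle reporting app as a revocation candidate. The point of rule 2 is that no individual job crosses the bulk threshold; only correlating jobs by app, object and time reveals the split export, which is exactly why per-login alerting misses token-based exfiltration.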
For customers and end users, experts recommend: only trust information released through the business’s official channels, never provide OTP codes or passwords via email or text message, never log in via links received in unverified emails, and enable two-factor authentication for important services.
Summary
The Salesforce attack again highlighted the latent risk in the data supply chain and SaaS integrations. When valid tokens, overly broad authorizations, or service accounts lacking multi-factor authentication are exploited, a business faces not only the risk of data loss but also challenges in administering access rights, monitoring data flows, and controlling third-party services, raising the bar for security in cloud computing environments.