Salesforce says social engineering to blame for breaches leading to ransom demands

Salesforce said its platform wasn’t compromised, but that’s little consolation to the companies and consumers potentially impacted.


Hackers claiming to have accessed and stolen nearly 1 billion Salesforce records set up a site on the dark web late last week, demanding a ransom from 39 companies and Salesforce itself before releasing the records. The hackers gave a deadline of Oct. 10, 2025.

The hackers, who go by the moniker Shiny Hunters and posted the list on a site they call Scattered Lapsus$ Hunters, published what they claimed were samples of stolen data from brands like Adidas, Cisco, FedEx, Disney and more.

While the site and demands appeared last week, they are the latest development in what one LinkedIn observer described as “like watching a slow-motion train wreck.”

For its part, Salesforce states that the data loss did not originate from a compromise of the Salesforce platform, but rather from social engineering attacks targeting Salesforce users. 

Salesforce security alert.

The “past or unsubstantiated incidents” refer to an ongoing series of social engineering and third-party app attacks reported over the past several months. 

In June 2025, Google Threat Intelligence reported on voice phishing attacks (i.e., phone calls from hackers) by members of the Shiny Hunters, who tricked people into installing malicious OAuth applications. (To get an idea of how something like this happens, see this scenario.)

Then, in late August, Google Threat Intelligence identified a security issue in which hackers exploited an integration between Salesloft Drift and Salesforce to gain access to sensitive data. Salesforce disabled the integration on Aug. 28, 2025, and reinstated it on Sept. 7, 2025.  

By September 2025, the problem of unauthorized access to Salesforce data was bad enough that 14 companies sued Salesforce over the issue.

Last week’s ransom demand appears to be something of a culmination of these efforts to obtain Salesforce records and demand a ransom.

Across online platforms like LinkedIn and Reddit, observers say that, social engineering or not, Salesforce is not unaccountable for these incidents.

LinkedIn post about Salesforce data breaches.
Reddit user's remarks on Salesforce data security.

Others find these attacks and their consequences ultimately inevitable and would prefer to cut out the middlemen entirely.

Reddit user's remarks on security breaches in general.



MarTech is owned by Semrush. We remain committed to providing high-quality coverage of marketing topics. Unless otherwise noted, this page’s content was written by either an employee or a paid contractor of Semrush Inc.


About the author

Mike Pastore
Staff
Mike Pastore is the Head of Content & Media at Third Door Media, the publisher of the Martech and Search Engine Land websites and the producer of the SMX and MarTech Conferences. In nearly three decades in B2B marketing, Mike has worked as an editor, writer, and marketer. He first wrote about marketing in 1998 for internet.com (later Jupitermedia). He then worked with marketers at some of the best-known brands in B2B tech, creating content for marketing campaigns at both Jupitermedia and QuinStreet. Prior to joining Third Door Media as the Editorial Director of the MarTech website, he led demand generation at B2B media company TechnologyAdvice.