ZDNET's key takeaways

- Hackers claim theft of 1 billion records from Salesforce databases.
- Major firms like Google, Qantas, and TransUnion confirm breaches.
- FBI says attackers used vishing, not Salesforce vulnerabilities.

A hacking group is claiming it stole roughly 1 billion records from dozens of companies that store their customer data in cloud databases hosted on Salesforce.

The hackers reportedly created a site on the dark web, which security researchers and TechCrunch have seen. It lists the victim companies and threatens to release stolen data if it doesn't get paid.

Who is behind this attack?

The campaign is tied to a new cybercrime alliance called Scattered Lapsus$ Hunters, which brings together members of Scattered Spider, Lapsus$, and ShinyHunters -- three of the most notorious English-speaking hacking groups active today.

The group allegedly broke into cloud databases used by numerous companies on the Salesforce platform and stole massive amounts of customer data. According to TechCrunch, they claim to be holding about 1 billion records in total. On their site, they posted a warning telling companies to "contact us to regain control... and prevent public disclosure of your data."

Resecurity reported that Scattered Lapsus$ Hunters also operated a Telegram channel, now banned, where members coordinated threats, teased leaks, and promoted new Ransomware-as-a-Service tools. Scattered Spider reportedly provided initial access to targets, ShinyHunters managed data theft and dumps, and LAPSUS$ members also participated, with all three groups working together on high-profile campaigns such as the Salesforce database breaches.

Which companies were hit?

Several companies recently confirmed that hackers stole customer data from their Salesforce-based databases.
Below is a list of confirmed incidents so far.

- Insurance giant Allianz Life confirmed a breach affecting most of its 1.4 million US customers.
- Google's Threat Intelligence group acknowledged a Salesforce-based data leak.
- Luxury goods conglomerate Kering confirmed a similar breach.
- Qantas disclosed that about 5.7 million customer records were impacted.
- Carmaker Stellantis admitted to a "third-party data incident."
- Credit bureau TransUnion revealed that 4.4 million US consumers' data were exposed.
- Workday acknowledged that its customers' data was stolen.

TechCrunch said the hackers' leak site names other big brands like FedEx, Hulu, and Toyota, but they have yet to publicly comment.

How does this impact you?

If you're a customer of any of the companies involved, your personal data may have been exposed in a breach. That data could include names, email addresses, phone numbers, and in some cases, Social Security numbers.

Allianz Life said its breach, which affected 1.4 million people, included sensitive details such as Social Security numbers. The company is offering two years of free identity theft and credit monitoring services to those affected. Credit bureau TransUnion also reported that personal data belonging to 4.4 million customers -- including names and Social Security numbers -- was exposed.

It's worth reviewing each company's notice to see what types of data were stolen and how to check if you were affected.

How did the hackers break in?

On September 12, the FBI issued a FLASH alert about the threat actors who had gained initial access to organizations' Salesforce accounts. It said they used social engineering tactics like voice phishing (or vishing). Google's security researchers explained how a hacker impersonated IT support personnel over the phone to gain access to a Salesforce database, for instance.

Once the attackers had valid login credentials, they could use Salesforce's own data export tools to pull large amounts of information. In other words, the attackers exploited human error, not any vulnerability in Salesforce itself.

Is Salesforce's platform compromised?

Salesforce said no, its platform wasn't compromised by these attacks. While the hackers did mention Salesforce by name on their leak site -- basically demanding that Salesforce negotiate or else all "your customers' data will be leaked," as TechCrunch reported -- Salesforce maintains that its infrastructure wasn't directly breached.

In a public statement, Salesforce confirmed it is "aware of recent extortion attempts," but so far, there is no indication that the Salesforce platform has been compromised, nor is this activity "related to any known vulnerability in our technology." All evidence points to the attackers abusing stolen credentials and impersonating users via vishing to get into the databases, rather than hacking Salesforce's systems. Salesforce said it has been working with the affected companies to provide support.

Have we seen this kind of extortion before?

Unfortunately, yes -- this playbook is all too familiar. CrowdStrike's 11th annual 2025 Global Threat Report, for example, found that vishing attacks rose 442% in the second half of 2024 compared with the first. Over the course of the year, the company tracked at least six separate campaigns where attackers posed as IT staffers and called employees at various organizations.
CrowdStrike said companies can strengthen their defenses against vishing by requiring stricter verification for password resets, such as video authentication and government ID, and by training help desk staff to spot suspicious requests, especially those outside normal hours. It also advised using advanced authentication methods like FIDO2 and keeping systems updated with patches.