In early October 2025, a group calling itself Scattered LAPSUS$ Hunters began publishing claims of a large-scale data theft targeting organisations using Salesforce environments. The collective – believed to involve members of previously active groups Lapsus$, Scattered Spider, and ShinyHunters – says it obtained roughly one billion customer records from dozens of companies worldwide.
Salesforce has stated there is no evidence of any breach of its core platform.
Current investigations suggest the attackers instead focused on individual customer tenants, using voice-phishing (“vishing”) to trick IT support staff into installing or approving a tampered version of a legitimate administrative tool. Once active, the malware harvested credentials and initiated bulk data exports.
While the full scope remains under review, this campaign reinforces a growing reality: the weakest point in cloud security is no longer the platform, it is the people and processes around it.
These incidents highlight how supply-chain attacks are evolving. Instead of breaching cloud providers directly, attackers exploit the trusted connections, apps, and permissions clients rely on to run their businesses.
01. Enforce phishing-resistant MFA (for example FIDO2 security keys or passkeys) on all privileged SaaS accounts, and use just-in-time admin rights so that no account holds standing privilege.
02. Include vishing scenarios in phishing simulations, and teach help-desk teams to verify any caller's identity through a separate channel before approving an install, an app authorisation, or a credential reset.
03. Allow only approved installers and pre-authorised connected apps, and monitor for unusual use of built-in utilities such as Data Loader and for large-scale data exports.
04. Treat CRM fields containing PII as sensitive and enable field-level encryption or tokenisation wherever possible.
05. Use user-behaviour analytics to flag abnormal bulk-export activity, and route those alerts into your SIEM/SOAR tooling for rapid response.
06. Update your incident-response playbooks to include vendor coordination, notification timelines, and clear policies on ransom response.
07. Request current SOC 2 Type II or ISO 27001 certifications from SaaS vendors, and agree contractual clauses requiring notification within 24 hours of any confirmed incident.
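As an added example (not part of the original article), the detection logic behind items 03 and 05 run over a handful of constructed bulk-export log rows. Each user gets a rolling per-user baseline of rows exported per day; a day is flagged when it exceeds the baseline by a large margin, and a user with no baseline at all is flagged when a first export exceeds an absolute floor. The field names (TIMESTAMP, USER, CLIENT, ROWS), the sample rows and the thresholds are all assumptions for illustration, not a real platform's export-event schema; map them to the fields your SaaS platform actually emits.

```python
"""Baseline-and-deviation detector for bulk CRM export activity.

Added example, not code from the original article. The log schema below is
assumed for illustration; the rows are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: one row per bulk-export job. Field names are assumed.
# alice normally exports ~2k rows each morning, then 450k at 02:41 one night.
# bob is a scheduled integration that always exports ~50k rows.
# carol has never exported before and suddenly pulls 300k rows.
SAMPLE_LOG = """\
TIMESTAMP,USER,CLIENT,ROWS
2025-09-29T09:12:00Z,alice,Data Loader,1800
2025-09-30T09:05:00Z,alice,Data Loader,2100
2025-10-01T09:20:00Z,alice,Data Loader,1950
2025-10-02T09:15:00Z,alice,Data Loader,2000
2025-10-03T02:41:00Z,alice,Data Loader,450000
2025-09-29T14:00:00Z,bob,Integration,50000
2025-09-30T14:00:00Z,bob,Integration,52000
2025-10-01T14:00:00Z,bob,Integration,49000
2025-10-02T14:00:00Z,bob,Integration,51000
2025-10-03T14:00:00Z,bob,Integration,50500
2025-10-03T03:10:00Z,carol,Data Loader,300000
"""

MIN_HISTORY = 3       # baseline days required before a deviation test is trusted
SIGMA = 3.0           # standard deviations above the per-user mean that trips an alert
ABS_FLOOR = 100_000   # rows per day that is suspicious for a user with no baseline


def daily_totals(log_text):
    """Aggregate exported rows per (user, calendar day), days in ascending order."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> rows
    for rec in csv.DictReader(io.StringIO(log_text)):
        day = rec["TIMESTAMP"][:10]                 # ISO date prefix of the timestamp
        totals[rec["USER"]][day] += int(rec["ROWS"])
    return {user: dict(sorted(days.items())) for user, days in totals.items()}


def detect_bulk_export_anomalies(log_text, sigma=SIGMA,
                                 min_history=MIN_HISTORY, abs_floor=ABS_FLOOR):
    """Return one alert dict per (user, day) whose export volume is anomalous.

    Each day is judged only against the user's earlier days, so the anomalous
    day never pollutes its own baseline.
    """
    alerts = []
    for user, days in daily_totals(log_text).items():
        history = []                                # rows/day on prior days
        for day, rows in days.items():
            if len(history) >= min_history:
                base = mean(history)
                # Near-constant baselines give pstdev ~ 0, which would flag any
                # small increase; insist on at least a doubling as well.
                limit = max(base + sigma * pstdev(history), 2 * base)
                if rows > limit:
                    alerts.append({"user": user, "day": day, "rows": rows,
                                   "reason": "baseline_deviation",
                                   "ratio": round(rows / base, 1)})
            elif rows >= abs_floor:
                # No usable baseline yet: fall back to an absolute threshold.
                alerts.append({"user": user, "day": day, "rows": rows,
                               "reason": "no_baseline_over_floor",
                               "ratio": None})
            history.append(rows)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export_anomalies(SAMPLE_LOG):
        print(alert)
```

In this sample the detector flags alice's 450,000-row export (roughly 229 times her baseline) and carol's first-ever 300,000-row export, while bob's steady integration traffic stays quiet. In production the same per-user baseline would be built from your platform's export or bulk-API events, and the alert dicts are what you would forward to the SIEM/SOAR pipeline described in item 05; the timestamps of both flagged exports (02:41 and 03:10) also suggest an off-hours rule as an obvious second signal.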
Extortion-driven data theft has become a mainstream business risk. The economic incentive now extends beyond ransom – stolen data is resold, traded, and reused across the criminal ecosystem.
For boards, that makes data confidentiality a balance-sheet issue, not just an IT concern.
Protecting the SaaS layer is no longer optional. Every connected app, user, and process must be verified and monitored under a zero-trust model that assumes compromise until proven otherwise.
Our team works with organisations to strengthen SaaS security and resilience, including:
If you’re concerned about what this latest threat means for your business, contact the WILLIS GB Cyber Risk Solutions team to arrange a short review session.
Information contained in this article is based on publicly available reports. Sources include public statements from Salesforce and multiple open-source cybersecurity briefings as of October 2025. WILLIS makes no representation as to the ongoing accuracy of threat-actor claims or victim disclosures. Salesforce has publicly stated there is no evidence of a compromise to its core systems. Organisations should verify all threat intelligence through official channels before acting.