
Salesforce Breach: 760 Bizes, 1.5 Billion Victims

I can’t say this enough. Supply chain risk. Third party risk. Vendor risk. It is all the same thing. Fixing it is a challenge. Ignoring it is NOT a solution.

First, let's talk about what happened.

The hackers, who call themselves ShinyHunters and operate together with Scattered Spider and Lapsus$ under the combined banner Scattered Lapsus$ Hunters, specialize in data theft, extortion and occasionally ransomware. A generally all around group of nice people.

The hackers say that they first breached Salesloft, a sales engagement platform whose integrations pull data out of the many third party systems a company uses, Salesforce among them, and present it through a single user interface. That simplifies data analysis. It also simplifies data extraction.

Still a third party/vendor/supply chain breach, but not the one holding the data. The data lived in Salesforce.

Once inside Salesloft's GitHub account, they had access to the company's code repositories.

Credentials buried in that source code, apparently, gave the hackers a path to the keys that unlocked Salesloft customers' data. That could be the Achilles heel of any defense the company tries to mount in the dozens, if not hundreds, of lawsuits it will face over this. Side note: I hope they have a lot of cyber insurance. Salesforce is also facing almost a hundred lawsuits, but I suspect it will come out relatively clean unless we discover it had bad security practices as well.

Once the hackers had these access tokens (the OAuth tokens issued to Salesloft's integration, loosely called API keys), they could perform any function in the target system that the token's granted scope allowed, with no login prompt and no MFA challenge, because the authentication had already happened when the integration was set up. So, if Company A was a Salesloft client and connected the system to its Salesforce account so it could access and analyze that data, the hackers got that same access.

The hackers used a tool called, quaintly, TruffleHog to look for, find, verify and analyze access credentials. TruffleHog scans files and the entire git history of a repository for strings that look like secrets and can check a candidate against the issuing provider to confirm it is still live. This is a legitimate tool when used by legitimate companies to find their own leaked secrets, but not when used by hackers.
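To make concrete what a scanner like TruffleHog is doing when it sweeps a repository, here is an added example (my own illustration, not TruffleHog's code and not anything from Salesloft) of the two basic detection techniques: regular expressions for well-known credential formats and a Shannon-entropy check on values assigned to secret-looking variable names. The sample source lines, the `SALESFORCE_OAUTH_TOKEN` variable name and its value are constructed for the demo; the AWS key shown is the non-working example key from AWS documentation. The verification step that TruffleHog adds (calling the provider to see whether the secret still works) is deliberately left out so the example runs offline.

```python
"""Minimal secret scanner in the spirit of TruffleHog (added example, not
TruffleHog's code): pattern matches for known credential formats plus a
Shannon-entropy check on values assigned in config-style lines."""
import math
import re
from dataclasses import dataclass

# Known credential formats. Illustrative subset; a real scanner keeps hundreds.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# "NAME = 'value'" style assignments whose value is long enough to be a token.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']?(?P<value>[A-Za-z0-9+/=_.!-]{20,})["']?"""
)
# Only variable names that smell like a credential trigger the entropy check.
SECRET_NAMES = re.compile(r"(?i)(token|secret|key|passw|credential)")
ENTROPY_THRESHOLD = 3.5  # bits per character; random base64 sits well above this


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return a Finding for each line that contains a known credential format
    or a high-entropy value assigned to a secret-looking name."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        matched = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
                matched = True
        if matched:
            continue  # a known format already explains this line
        m = ASSIGNMENT.search(line)
        if m and SECRET_NAMES.search(m.group("name")):
            value = m.group("value")
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy", value))
    return findings


def redact(secret: str) -> str:
    """Show only enough of a secret to locate it; never log the whole thing."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


# Constructed sample "source file" (not real code from any vendor): the first
# two lines are the kind of thing a scanner finds; the last two are a
# placeholder password and an ordinary setting that must not be flagged.
# AKIAIOSFODNN7EXAMPLE is the non-working example key from AWS documentation.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'SALESFORCE_OAUTH_TOKEN = "q8Zt3Km1Wv7Lp2Xn9Rb4Yd6Hc0Jf5Gse"',
    'DB_PASSWORD = "changeme_changeme_changeme"',
    'DEFAULT_REGION = "us-east-1"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {redact(f.secret)}")
```

Run as is, it reports the AWS key on line 1 and the high-entropy token on line 2 and stays quiet about the placeholder password and the region setting. Two practical notes: the entropy threshold is a trade-off (lower it and you drown in false positives from base64 blobs and UUIDs, raise it and short hex API keys slip through), and a scanner that only reads the current checkout misses the secret that was committed and later "removed", which is exactly why tools like TruffleHog walk the full git history.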

The result was that they found access tokens for 760 companies. The rest is child's play.

Then, it appears, once they had exfiltrated (stolen) data from those systems, they searched through it for still more credentials, turning each victim into a stepping stone to the next.

Salesloft integrates with more than 50 applications, including Facebook, Google Analytics, Marketo, Zapier and Zoom.

Among the 760 victims are a number of name brand companies including Cloudflare, Palo Alto Networks, Qualys and others.

This is a perfect example of the challenge of mitigating third party risk.

Salesloft has been around for more than a decade, so you can't blame this on them being a startup. But apparently their security practices, from what we can tell so far, were not up to snuff.

The first lesson to learn from this is to review your own corporate practices to see whether they are up to snuff. Do you have a data flow diagram that documents how your data moves to and from every third party, including integrations like this one that hold standing tokens to your systems? If you don't, you need to create one. Not fun, but definitely possible. Then you need to step back, look at the risk all of these third party connections create, and determine whether that risk aligns with the company's risk tolerance.

At the same time you need to look at your own software development practices, starting with whether credentials can end up in your source repositories at all, and whether anyone would notice if they did.

If you need help with this, please contact us.

Credit: Data Breach Today
