Major Data Breach Exposes Salesforce Ecosystem: Over 1 Billion Records at Risk

A serious security incident is occurring in the tech world as a notorious hacker group called Scattered LAPSUS$ Hunters claims responsibility for breaching data belonging to Salesforce and its customers. With nearly 1 billion records allegedly stolen and leaked samples already posted online, this could become one of the most significant data breaches in recent years.

What Happened?

On October 3, 2025, the hacker group launched a dark web site titled “Trinity of Chaos”, where they began publishing samples of stolen data. According to their claims, most of the compromised organizations are Salesforce customers, and they are demanding Salesforce pay a ransom before October 10, 2025 to avoid the full release of the data.

The group has warned that failure to negotiate will result in:

  • Public exposure of the full dataset
  • Legal and regulatory consequences for affected companies
  • Continued targeting of other Salesforce clients

Companies Impacted

The breach includes an alarming list of 39 Salesforce customers and 3 other global companies, many of which are household names:

Salesforce Customers:

  • Toyota Motor Corporation
  • FedEx
  • Disney / Hulu
  • Republic Services
  • UPS
  • Aeroméxico
  • Home Depot
  • Marriott
  • Vietnam Airlines
  • Walgreens
  • Stellantis
  • McDonald’s
  • KFC
  • ASICS
  • GAP
  • HMH (hmhco.com)
  • Fujifilm
  • Instructure (Canvas LMS)
  • Albertsons
  • Engie Resources
  • Kering (Gucci, Balenciaga, Brioni, Alexander McQueen)
  • HBO Max
  • Instacart
  • Petco
  • Puma
  • Cartier
  • Adidas
  • TripleA (aaa.com)
  • Qantas Airways
  • CarMax
  • Saks Fifth Avenue
  • 1-800 Accountant
  • Air France & KLM
  • Google AdSense
  • Cisco
  • net
  • TransUnion
  • Chanel
  • IKEA

Other Affected Organizations:

  • Red Hat
  • Credit Institute of Vietnam
  • S&P Global

Compromised Data: What’s at Risk?

According to the group, the stolen data includes:

  • 254 million account records
  • 579 million contact records
  • 171 million opportunity records
  • 59 million user records
  • 458 million case records

The nature of the data—containing personally identifiable information (PII)—means the breach could have serious compliance implications under laws such as GDPR, CCPA, and others.

“Salesforce ignored our previous warnings. Now, they must act or face the consequences,” the group wrote on their site.

The Ransom Threat

The attackers are demanding direct negotiations with Salesforce, warning that if they don’t receive a response by October 10, 2025, they will:

  • Release the full dataset to the public
  • Add even more companies to their list (up to 760)
  • Expose over 5 billion records across multiple Salesforce platforms

The group refers to this as a “mutually beneficial opportunity”, framing it as the last chance to avoid catastrophic data exposure. They have also invited affected companies to contact them directly via email using company domains to verify identities and receive further instructions.

Communication Channels Used

  • Dark Web Leak Site: Trinity of Chaos
  • Telegram Channel: “SLSH 6.0 Part 3” (new version created after multiple bans)
  • Email: Provided on the leak site for victim contact

Data Samples Already Shared

The hackers have already posted data samples from several of the companies on the site to prove the legitimacy of their claims. The data includes actual customer records, internal CRM information, and user details.

They’ve also claimed that if Salesforce refuses to negotiate, they will:

  • Update the site after October 10 with a full leak
  • Continue expanding attacks on additional Salesforce customers
  • Avoid targeting organizations previously impacted in their past campaigns (UNC6395 and UNC6040)—but only if they now choose to cooperate

Latest Update – October 6, 2025

The Scattered LAPSUS$ Hunters group released a new statement on October 6, intensifying pressure:

  • They now tie the breach to 39 separate data thefts
  • Warn that law enforcement cannot stop them
  • Urge affected companies to act immediately
  • Emphasize that Salesforce cannot protect its clients

The group insists the only resolution is direct negotiation, giving Salesforce and victims until October 10 to respond.

Key Recommendations to Prevent Cyber Incidents

  1. Assess third-party exposure: Regularly review all SaaS platforms, integrations, and connected applications.
  2. Activate incident response protocols: Ensure internal cybersecurity teams are ready to respond immediately to any breach.
  3. Engage legal and compliance teams: Stay informed about obligations under GDPR, CCPA, or other relevant data protection laws.
  4. Report threats to authorities: Do not negotiate with hackers; notify local CERT, FBI, or other law enforcement agencies.
  5. Monitor for suspicious activity: Continuously track system logs, user behavior, and anomalous access patterns.
  6. Enforce strict access controls: Limit permissions and implement multi-factor authentication for all critical systems.
  7. Deploy Gurucul SIEM: Detect unusual behavior, monitor integrations, and receive real-time alerts on potential threats.
  8. Educate employees: Train staff on phishing, vishing, and social engineering attacks targeting SaaS platforms.

Final Thoughts

This incident highlights a vital truth: third-party risk in SaaS ecosystems can be as dangerous as direct breaches. While it’s still unclear whether Salesforce was directly compromised or if its customer integrations were the main attack vector, the scale and sophistication of this attack make it a pivotal moment for cloud security in 2025. With the October 10 ransom deadline now here, time is running out. The world is watching to see how Salesforce and the affected companies respond.
