In what may become the largest supply chain data breach of 2025, a cybercriminal group has launched an extortion campaign claiming to have stolen approximately 1 billion records from companies storing customer data in Salesforce databases. The group, calling themselves "Scattered LAPSUS$ Hunters," has given 39 named victims until October 10, 2025—just 48 hours away—to negotiate ransom payments or face public data leaks. High-profile victims include Google, Toyota, FedEx, Disney/Hulu, Home Depot, Marriott, Qantas, TransUnion, and Workday. This breach exposes a critical vulnerability in the modern business ecosystem: your security is only as strong as your vendors' security.
⚠️ Important: 🚨 ACTIVE EXTORTION CAMPAIGN: Hackers have set an October 10, 2025 deadline for 39+ companies to pay ransoms. Data types stolen include Social Security numbers, passport numbers, dates of birth, purchase records, and live chat transcripts. If your business uses Salesforce CRM or stores data with affected companies, your customer information may be at risk.
The Breach: 1 Billion Records, 39+ Companies, 2-Day Deadline
Scale & Timeline
• Records claimed stolen: Approximately 1 billion
• Companies publicly named: 39+ victims
• Breach discovery: October 3, 2025
• Extortion deadline: October 10, 2025 (48 hours from today)
• Breach period: April 2024 - September 2025
• Attack vector: Salesforce CRM database compromise
Named Victim Companies
Technology Giants:
• Google - Business contact information
• Workday - HR and employee data
• TransUnion - Credit bureau data
Retail & Hospitality:
• Home Depot - Customer purchase records
• Marriott International - Guest information
• Disney/Hulu - Subscriber data
Transportation:
• Toyota Motors - Customer and dealer data
• FedEx - Shipping and customer records
• Qantas - Frequent flyer and passenger data
• Stellantis (Jeep, Chrysler, Dodge) - Customer information
Luxury Brands:
• Kering Group (Gucci, Balenciaga, Saint Laurent) - Customer purchase history
Financial Services:
• Allianz Life - Policyholder information
Types of Data Compromised
• Personal identifiers: Full names, dates of birth
• Government IDs: Social Security numbers, passport numbers
• Contact information: Addresses, phone numbers, emails
• Account data: Account IDs, customer numbers
• Financial records: Purchase history, transaction data
• Communication logs: Live chat transcripts, support tickets
• Business data: Corporate contact lists, CRM records
The Hacker Group: Scattered LAPSUS$ Hunters
Threat Actor Profile
• Group name: Scattered LAPSUS$ Hunters
• Composition: Combination of members from Scattered Spider, Lapsus$, and ShinyHunters groups
• Known for: Social engineering attacks, insider recruitment, high-profile breaches
• Previous targets: Microsoft, Nvidia, Samsung, Uber, Rockstar Games
• Tactics: Phone-based social engineering, employee impersonation, SIM swapping
The Scattered Spider Connection
Scattered Spider (also tracked as UNC3944) is notorious for:
• Social engineering expertise: Exceptionally convincing phone calls to IT help desks
• Insider recruitment: Bribing or coercing employees for credentials
• Native English speakers: Unlike most cybercrime groups, highly effective at impersonating US/UK employees
• Living-off-the-land: Using legitimate IT tools to avoid detection
The LAPSUS$ Legacy
Lapsus$ gained infamy in 2022 for breaching:
• Microsoft source code theft
• Nvidia employee data and proprietary GPU information
• Samsung Galaxy source code
• Ubisoft game development data
• Okta authentication service (via contractor)
Why This Combination Is Dangerous
• Scattered Spider's social engineering + Lapsus$'s audacity + ShinyHunters' data monetization
• Results: Sophisticated initial access + willingness to publicly extort + proven ability to sell/leak stolen data
The Extortion Leak Site
• Platform: Dark web site listing all 39 victims
• Evidence provided: Sample data files for each victim
• Contact method: Corporate email required to negotiate
• Threat: Public data release if demands aren't met by October 10
• Additional threat to Salesforce: Group claims they'll release documentation showing Salesforce "made little to no attempt to prevent unauthorised access to PII" if the company doesn't cooperate
How the Breach Happened: Salesforce CRM Exploitation
The Salesforce CRM as Target
Salesforce is the world's #1 CRM platform, used by:
• 150,000+ companies globally
• 90% of Fortune 500 companies
• Stores customer contact info, sales pipelines, support tickets, business communications
• Integrates with virtually every business system (email, analytics, marketing, support)
Why Salesforce Is a Gold Mine for Attackers
1. Centralized customer data: All customer interactions in one place
2. Trusted third-party: Legitimate access to customer environments
3. API-rich platform: Hundreds of API endpoints for data access
4. Custom app ecosystem: Third-party apps with varying security standards
5. Multi-tenant architecture: One vulnerability can affect thousands of customers
Possible Attack Vectors
1. Social Engineering (Most Likely)
Based on Scattered Spider's known tactics:
• Target: Salesforce customer employee with admin privileges
• Method: Phone call impersonating IT/Salesforce support
• Objective: Trick employee into approving malicious Salesforce app or sharing credentials
• Outcome: Attacker gains access to organization's Salesforce environment
• Escalation: Access one customer, exploit configuration to access connected data
2. Malicious Salesforce App
Similar to the Gmail/Salesforce attack from June 2025:
• Method: Employee approves malicious Salesforce-connected application
• Permissions: App requests broad data access ("Read all customer data")
• Legitimate appearance: App appears to be internal tool or approved integration
• Data exfiltration: App systematically extracts data via Salesforce APIs
3. Compromised Salesforce Partner/Contractor
• Target: Third-party Salesforce implementation partner or contractor
• Access: Partners often have admin access to multiple customer environments
• Weak security: Smaller partners may lack enterprise-grade security
• Multiplier effect: One compromised partner = access to dozens of customers
4. Stolen Salesforce Admin Credentials
• Source: Phishing, malware, password reuse, previous breach
• No MFA: If account lacks multi-factor authentication
• Privileged access: Admin accounts can export all customer data
• API abuse: Automated data extraction via Salesforce APIs
Why Detection Was Difficult
• Legitimate API usage: Data extraction via normal Salesforce APIs looks like regular business activity
• No malware: Attackers used built-in Salesforce features, not malicious code
• Trusted access: Activity appeared to come from authorized users/apps
• Distributed timeline: Breach occurred over 18 months (April 2024 - September 2025), small incremental extractions
• Multi-customer: 39+ organizations affected, each may have seen anomalies but didn't recognize coordinated campaign
Salesforce's Response
Official Statement (October 3, 2025): "We have found no indication that the Salesforce platform has been compromised."
What This Means:
• Salesforce's core infrastructure wasn't breached (no zero-day exploit)
• Attack likely leveraged legitimate access methods (credentials, apps, misconfigurations)
• Responsibility may fall on individual customers' security practices
• Does NOT mean customer data is safe—it means customers' own security gaps were exploited
The October 10 Deadline: What Happens Next
What the Hackers Demand
• Contact requirement: Victims must contact via corporate email to negotiate
• Deadline: October 10, 2025 (tomorrow)
• Threat: Public data release if demands not met
• Proof: Sample data already published for each victim
• Leverage: Additional threat to expose Salesforce's security failures
Typical Ransom Amounts for Breaches of This Scale
• Average ransom demand: $5-50 million per company (based on company size and data sensitivity)
• Small-mid companies: $1-10 million
• Fortune 500 companies: $20-100 million
• Total potential: With 39+ victims, total ransom demands could reach $500 million to $1 billion
Likely Victim Responses
Option 1: Refuse to Pay (Most Likely)
• Public position: "We don't negotiate with criminals"
• Private reality: Data is already stolen, payment doesn't guarantee deletion
• Law enforcement: FBI and international agencies discourage payment
• Outcome: Data gets leaked publicly on October 10 or shortly after
Option 2: Pay Under the Table (Some Companies)
• Negotiation: Victims quietly negotiate reduced ransoms
• Payment: Cryptocurrency transfers to avoid detection
• NDA demands: Hackers agree not to leak data (no guarantee)
• Public stance: Company claims "no evidence of data misuse"
• Reality check: Payment doesn't delete already-distributed copies
Option 3: Legal Action & Disclosure
• Breach notification: Legally required disclosure to affected individuals
• GDPR/CCPA compliance: 72-hour notification deadlines
• Class action prep: Expect lawsuits from affected customers
• Regulatory investigation: FTC, state AGs, ICO (UK), CNIL (France) inquiries
What Happens After October 10
If Demands Aren't Met (Likely):
• October 10-11: Hackers publish stolen data on leak site
• October 11-15: Media frenzy, stock price impacts, customer panic
• October 15-30: Companies scramble to notify affected individuals
• November 2025: Wave of class action lawsuits filed
• 2026-2027: Regulatory investigations, fines, settlements
Precedent: Similar Extortion Campaigns
MOVEit Breach (2023)
• Victims: 2,700+ organizations
• Records: 93+ million individuals
• Ransom payments: Estimated $75-100 million total paid
• Public leaks: 60%+ of victims had data leaked publicly
• Legal costs: $10+ billion in total breach costs
Reality Check for Businesses
Payment doesn't guarantee safety:
• Hackers can keep copies and extort again later
• Data may have already been sold to other criminals
• No legal recourse if hackers don't honor agreement
• Payment funds future criminal operations
• FBI strongly discourages paying ransoms
Legal & Compliance Implications: GDPR, CCPA, and Beyond
GDPR Article 28: Processor Liability
The Rule: GDPR Article 28 requires that data processors (like Salesforce) implement "appropriate technical and organizational measures" to ensure security. Customers (data controllers) are liable for their processors' failures.
Consequences for Salesforce Customers:
• Joint liability: Both Salesforce AND customers can be fined
• Up to €20 million OR 4% global revenue (whichever is greater)
• 72-hour breach notification: Required under GDPR Article 33
• Individual notification: Required if "high risk" to individuals (this qualifies)
Potential GDPR Fines for Named Victims
• Google: 4% of $305B revenue = $12.2 billion maximum
• Toyota: 4% of $275B revenue = $11 billion maximum
• Marriott: 4% of $23B revenue = $920 million maximum
• Home Depot: 4% of $157B revenue = $6.3 billion maximum
Precedent: Previous GDPR Fines for Vendor-Related Breaches
• British Airways (2020): £20 million for third-party breach
• H&M (2020): €35 million for excessive data collection via CRM
• Google (2019): €50 million for inadequate consent mechanisms
CCPA Implications (California)
California Consumer Privacy Act Requirements:
• Breach notification: Within "reasonable time" (courts interpret as 30-60 days max)
• Service provider liability: Salesforce as service provider must have contract requiring data protection
• Private right of action: Individuals can sue for $100-750 per incident
• Potential exposure: If 10 million California residents affected × $500 average = $5 billion
Other State Privacy Laws (2025)
8 New State Laws Active in 2025:
• Texas Data Privacy and Security Act: Breach notification + penalties
• Oregon Consumer Privacy Act: Similar to CCPA
• Montana Consumer Data Privacy Act: Penalties up to $10,000 per violation
• Iowa Privacy Act: Data security requirements
• Tennessee Information Protection Act: Mandatory security measures
• Indiana Consumer Data Protection Act: Breach disclosure
• Delaware Personal Data Privacy Act: Consumer rights
• Florida Digital Bill of Rights: Strict security standards
Cumulative Penalty Exposure:
• Each state law adds separate compliance burden
• Multi-state class actions likely
• 50-state AG investigations possible
• Estimated total exposure: $50-100 million PER COMPANY in regulatory fines alone
Industry-Specific Regulations
For Financial Services (TransUnion, Allianz):
• GLBA (Gramm-Leach-Bliley Act): Requires financial institutions to protect customer data
• FTC Safeguards Rule: Detailed security requirements
• State insurance regulators: Additional data security mandates
• Penalties: $100,000+ per violation
For Transportation (Airlines, FedEx):
• TSA security requirements: Passenger data protection mandates
• International regulations: GDPR applies to EU passengers
• DOT oversight: Department of Transportation consumer protection
Class Action Lawsuits: Inevitable and Expensive
Typical Class Action Outcomes for Breaches of This Scale:
• Equifax (2017): 147M records → $700M settlement
• Target (2013): 41M records → $18.5M settlement
• Home Depot (2014): 56M records → $17.5M settlement
• Marriott (2018): 383M records → $52M settlement (still ongoing)
Projected Costs for Salesforce Breach Victims:
• Legal defense: $10-50 million per company
• Class action settlements: $50-500 million per company (based on records exposed)
• Regulatory fines: $10-100 million per company
• Remediation costs: $20-100 million per company
• Brand damage: Incalculable long-term revenue impact
• Total per company: $100 million - $1 billion+
Who Bears the Cost?
The Liability Question:
1. Salesforce claims: "Platform not compromised" = Customer security failures
2. Customers claim: "We trusted Salesforce" = Vendor security failures
3. Reality: Both will share liability
Contract Terms That Matter:
• Data Processing Agreements (DPAs): Who's liable for what?
• Insurance coverage: Do cyber policies cover vendor breaches?
• Indemnification clauses: Does Salesforce indemnify customers or vice versa?
• Liability caps: Many SaaS contracts limit vendor liability to annual fees paid
Example: If a company pays Salesforce $500K/year, but breach costs are $100M, Salesforce's contract may cap their liability at $500K. Customer bears remaining $99.5M.
Supply Chain Attack Trend: Why Vendors Are the New Front Door
2025 Supply Chain Attack Statistics
• 79 supply chain attacks in H1 2025 (up 67% from 2024)
• 690 downstream entities affected via vendor compromises
• 78 million+ records exposed through supply chain
• Average impact: Each supply chain attack affects 8.7 victims
• Trend: Supply chain attacks now #1 breach vector, surpassing phishing
Why Attackers Target Vendors
1. Multiplier Effect
• Breach one vendor → access hundreds of customers
• Salesforce breach: 1 compromise = 39+ victims (and counting)
• ROI for attackers: 10x-100x more data per attack
2. Weaker Security Posture
• Large enterprises invest heavily in security
• Their vendors (especially smaller ones) often don't
• Attackers choose path of least resistance
• Result: Vendor becomes entry point to better-secured customer
3. Trusted Access
• Vendors have legitimate access to customer systems
• Activity from vendor accounts looks normal, evades detection
• No need to bypass perimeter security—already inside
• Can operate for months before discovery
4. Harder to Detect
• Customer security tools don't monitor vendor activity closely
• Vendor actions look like legitimate business operations
• No malware involved (living-off-the-land techniques)
• Detection requires sophisticated behavioral analytics
2025's Major Supply Chain Breaches
1. Salesforce CRM Compromise (Current)
• Date: October 2025
• Vector: CRM database access
• Victims: 39+ companies
• Records: ~1 billion claimed
• Status: Ongoing extortion
2. MOVEit Transfer Vulnerability (2023 - ongoing impact 2025)
• Vulnerability: Zero-day in file transfer software
• Victims: 2,700+ organizations
• Records: 93+ million individuals
• Industries: Healthcare, finance, government, education
• Cost: $10+ billion total
3. SolarWinds Orion (2020 - still being discovered in 2025)
• Attack: Compromised software update
• Victims: 18,000+ organizations initially, more discovered monthly
• Duration: 9+ months undetected
• Impact: Still finding compromised systems 5 years later
4. Kaseya VSA (2021 - template for 2025 attacks)
• Vector: MSP remote management software
• Victims: 1,500+ businesses via 50 MSPs
• Ransom: $70 million demanded
• Lesson: MSPs are high-value targets
The Modern Attack Kill Chain
Traditional Attack (Decreasing):
1. Phish employee → 2. Steal credentials → 3. Move laterally → 4. Exfiltrate data
• Success rate: 10-20% (employees trained, EDR deployed, MFA common)
• Detection time: 50-100 days
Supply Chain Attack (Increasing):
1. Target vendor → 2. Use legitimate access → 3. Exfiltrate customer data
• Success rate: 60-80% (less security, trusted access)
• Detection time: 200+ days (if detected at all)
Your Vendor Risk Assessment Checklist
Critical Vendors to Audit Immediately:
• CRM systems: Salesforce, HubSpot, Zoho, Microsoft Dynamics
• Cloud providers: AWS, Azure, Google Cloud, Oracle Cloud
• HR systems: Workday, ADP, BambooHR, Rippling
• Payment processors: Stripe, Square, PayPal, Authorize.net
• Marketing platforms: Mailchimp, Marketo, Constant Contact
• Support tools: Zendesk, Intercom, Freshdesk
• Analytics: Google Analytics, Mixpanel, Amplitude
• File storage: Dropbox, Box, Google Drive, OneDrive
Questions to Ask Every Vendor:
1. Do you have SOC 2 Type II certification? (Annual audit of security controls)
2. What's your breach notification SLA? (How fast will they tell you?)
3. Do you encrypt data at rest and in transit? (Basic security requirement)
4. What's your employee access policy? (Who can see my data?)
5. Do you conduct annual penetration testing? (Third-party security assessment)
6. What's your incident response plan? (How do they handle breaches?)
7. Do you have cyber insurance? (Can they cover breach costs?)
8. What's your data retention policy? (Do they delete data when you ask?)
9. Can we audit your security? (Right to verify their claims)
10. Do you use sub-processors? (Fourth-party risk assessment)
Red Flags That Should Disqualify a Vendor:
• ❌ Refuses to provide security documentation
• ❌ No SOC 2 and unwilling to pursue certification
• ❌ Can't explain their encryption practices
• ❌ Has had breaches with slow disclosure (check news)
• ❌ Limits liability to annual fees paid
• ❌ Stores data in countries with weak privacy laws
• ❌ Can't commit to breach notification within 72 hours
• ❌ Doesn't have cyber insurance
• ❌ Employees in high-risk countries with full data access
• ❌ No background checks for employees accessing your data
What Your Business Must Do THIS WEEK
Day 1: Emergency Vendor Inventory (Today)
Immediate Actions:
1. List all SaaS vendors with access to customer/employee data
2. Identify critical vendors: CRM, HR, cloud storage, payment processing
3. Check if you use Salesforce: If yes, contact your account team immediately
4. Review data processing agreements: What does your contract actually say about liability?
5. Document data flows: What data does each vendor have access to?
Salesforce Users - URGENT:
• Enable all activity logging in Salesforce (Setup → Event Monitoring)
• Review API usage: Check for anomalous data exports (Setup → API Usage Notifications)
• Audit connected apps: Remove any apps you don't recognize (Setup → Connected Apps)
• Review user permissions: Apply principle of least privilege
• Enable MFA: If not already enabled, do it NOW (Setup → Identity → Multi-Factor Authentication)
• Contact Salesforce: Ask for confirmation that your environment wasn't affected
• Prepare breach notification: Draft communications in case you're affected
Day 2: Security Documentation Audit
Request from ALL Critical Vendors:
• SOC 2 Type II report (must be dated within last 12 months)
• Recent penetration test results (last 6-12 months)
• Incident response plan (how they handle breaches)
• Data Processing Agreement (DPA) review
• Cyber insurance certificate (proof of coverage)
• Breach history: Ask directly "Have you had any breaches in last 5 years?"
If Vendor Can't Provide Documents:
• 30-day deadline: Give them 30 days to provide or you begin migration
• Risk acceptance: If critical vendor, document the accepted risk in writing
• Additional controls: Implement compensating controls (data encryption, access monitoring)
Day 3: Access Control Hardening
Technical Measures:
• Enable MFA everywhere: All vendor accounts, no exceptions
• Review admin accounts: Remove unnecessary admin privileges
• API key rotation: Change all API keys/tokens for critical vendors
• IP whitelisting: Restrict vendor access to specific IP ranges where possible
• Session timeout policies: Shorter timeout periods for vendor access
• Remove stale accounts: Delete accounts for departed employees
Monitoring Setup:
• Enable SIEM alerts: Monitor for bulk data exports, unusual API calls
• Data loss prevention (DLP): Rules to detect large data transfers
• Anomaly detection: Alert on unusual login locations, times, data access patterns
• API rate limiting: Prevent bulk data extraction
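One way to turn the bulk-export and anomaly alerts above into working detection logic, also covering the "small incremental extractions" pattern described under "Why Detection Was Difficult": an added example in Python, not code from the original article or from Salesforce. The CSV columns, thresholds, app allowlist and every log line are constructed assumptions, loosely modeled on an Event Monitoring export rather than its real schema.

```python
"""Flag bulk, low-and-slow and unapproved-app data pulls in Salesforce-style
API activity logs. Added example with constructed data; not Salesforce's schema."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modeled on an Event Monitoring CSV export.
# Column names, users, IPs, app names and row counts are assumptions.
SAMPLE_LOG = """\
timestamp,user,event_type,client_ip,connected_app,rows
2025-09-01T09:05:00Z,alice,RestApi,198.51.100.10,Marketing Sync,800
2025-09-01T09:30:00Z,bob,ReportExport,198.51.100.11,Salesforce UI,2500
2025-09-02T03:12:00Z,svc-integration,BulkApi,203.0.113.7,Data Loader Helper,75000
2025-09-03T22:40:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9000
2025-09-04T22:41:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9500
2025-09-05T22:39:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9800
2025-09-06T22:44:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9200
2025-09-07T22:38:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9700
2025-09-08T22:42:00Z,carol,RestApi,203.0.113.9,Marketing Sync,9100
"""

# Tunables (assumed values; calibrate against your own org's baseline).
APPROVED_APPS = {"Marketing Sync", "Salesforce UI"}  # allowlist from your Connected Apps review
BULK_THRESHOLD = 50_000       # rows in a single API call or report export
WINDOW = timedelta(days=7)    # rolling window for cumulative per-user volume
WINDOW_THRESHOLD = 40_000     # cumulative rows per user inside the window


def parse_log(text):
    """Parse the CSV into dicts with a datetime and an int row count, oldest first."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["rows"] = int(rec["rows"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def analyze(text):
    """Return a list of alert dicts; each (rule, user) pair fires at most once."""
    alerts, seen = [], set()

    def alert(rule, user, detail):
        if (rule, user) not in seen:
            seen.add((rule, user))
            alerts.append({"rule": rule, "user": user, "detail": detail})

    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev["user"]].append(ev)
        # Rule 1: one oversized pull, the classic "export everything" pattern.
        if ev["rows"] >= BULK_THRESHOLD:
            alert("bulk_export", ev["user"],
                  f'{ev["rows"]} rows via {ev["event_type"]} from {ev["client_ip"]}')
        # Rule 2: data pulled through a connected app that is not on the allowlist.
        if ev["connected_app"] not in APPROVED_APPS:
            alert("unapproved_app", ev["user"], ev["connected_app"])

    # Rule 3: low-and-slow. Each pull stays under the bulk threshold, but the
    # rolling-window total does not; this is what a per-event rule misses.
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, ev in enumerate(evs):
            total += ev["rows"]
            while evs[start]["ts"] < ev["ts"] - WINDOW:   # drop events older than the window
                total -= evs[start]["rows"]
                start += 1
            window = evs[start:end + 1]
            if total >= WINDOW_THRESHOLD and max(e["rows"] for e in window) < BULK_THRESHOLD:
                alert("low_and_slow", user,
                      f"{total} rows over {len(window)} calls in {WINDOW.days} days")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'[{a["rule"]}] {a["user"]}: {a["detail"]}')
```

On the sample, the single 75,000-row pull and the unapproved app both fire on svc-integration, while carol's six sub-10,000-row calls only fire once their seven-day total crosses 40,000 rows.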
Day 4-5: Contract Review & Legal Preparation
Legal Team Actions:
• Review vendor contracts: Focus on indemnification, liability caps, breach notification clauses
• Update DPAs: Ensure GDPR Article 28 compliance
• Negotiate better terms: Push for unlimited liability for security failures
• Insurance review: Does your cyber insurance cover vendor breaches?
• Breach response plan: Update to include vendor breach scenarios
Contract Clauses You MUST Have:
• 72-hour breach notification: Vendor must notify you within 3 days
• Right to audit: Annual security audits of vendor
• Data deletion: Vendor deletes your data within 30 days of request
• Sub-processor approval: Vendor can't use other vendors without your approval
• Liability: NOT capped at fees paid - must cover actual damages
• Security standards: Specific requirements (SOC 2, ISO 27001, encryption)
Day 6: Employee Training
Mandatory Security Training Topics:
• Social engineering recognition: Scattered Spider tactics (phone calls from "IT")
• App approval procedures: Never approve vendor apps without IT verification
• Credential protection: Never share passwords, even with "vendor support"
• Suspicious activity reporting: How to report weird requests
• Vendor communications: How to verify legitimate vendor contact
Specific Scenarios to Practice:
• Caller claims to be from Salesforce support, asks to approve an app
• Email from "IT" with urgent request to reset vendor password
• Vendor rep asks for customer data export "for analysis"
• Third-party requests admin access for "troubleshooting"
Day 7: Ongoing Monitoring Plan
Weekly Tasks:
• Review vendor access logs: Check for anomalies
• Monitor vendor news: Set Google Alerts for vendor breaches
• API usage review: Verify normal patterns
Monthly Tasks:
• Access recertification: Verify all vendor accounts are still needed
• Security questionnaire updates: Check for vendor security changes
• Penetration testing: Test vendor integrations
Quarterly Tasks:
• Vendor risk assessment: Re-score all vendors
• Contract review: Ensure compliance with security terms
• Tabletop exercise: Practice vendor breach response
Annual Tasks:
• SOC 2 report review: Verify vendor still certified
• Security audit: Exercise right to audit critical vendors
• Contract renegotiation: Update security terms
Budget Requirements
Small Business (Under $10M revenue):
• Vendor risk management tool: $5,000-15,000/year
• SIEM/monitoring: $3,000-8,000/year
• Cyber insurance: $2,000-6,000/year
• Legal review: $5,000-10,000 one-time
• Total: ~$20,000/year
Mid-Market ($10M-$100M revenue):
• Vendor risk platform: $25,000-50,000/year
• SIEM/SOC: $50,000-100,000/year
• Cyber insurance: $15,000-50,000/year
• Annual vendor audits: $30,000-60,000/year
• Legal/compliance: $20,000-40,000/year
• Total: ~$150,000/year
Enterprise ($100M+ revenue):
• Vendor risk management program: $200,000-500,000/year
• 24/7 SOC: $300,000-800,000/year
• Cyber insurance: $100,000-500,000/year
• Third-party audits: $150,000-300,000/year
• Dedicated vendor risk team: $500,000-1,000,000/year (salaries)
• Total: ~$1.5M-3M/year
Cost-Benefit Reality:
• Prevention cost: $20K-3M/year (depending on size)
• Breach cost from vendor failure: $50M-1B+
• ROI: Preventing one breach pays for 20-300+ years of security investment
The Salesforce breach isn't just another data breach—it's a wake-up call for every business that relies on third-party vendors. With 48 hours until the October 10 ransom deadline, 39+ companies are facing a choice between paying millions to criminals or watching their customer data leak publicly. Neither option is good.
But the real story isn't about what happens in the next two days. It's about what happens in the next two decades. Supply chain attacks are now the #1 breach vector, surpassing phishing and ransomware. The era of securing just your own infrastructure is over. In 2025, your security is only as strong as your weakest vendor.
Google, Toyota, FedEx, Disney, and Home Depot all had enterprise-grade security. It didn't matter. They trusted a vendor, and that vendor's security failed them. Now they face hundreds of millions in legal costs, regulatory fines, and brand damage. The same could happen to your business with any of the dozens of vendors you trust with customer data.
The actions you take this week will determine whether your business becomes the next vendor breach victim or a case study in proper third-party risk management. Every day you delay vendor security audits is another day attackers have to exploit those relationships.
The October 10 deadline is tomorrow. But your vendor security audit should have started yesterday. Don't wait for your vendor to be breached to discover you have no idea what security controls they actually have in place. By then, it's too late—and you're the one explaining to customers, regulators, and shareholders how you let a third party compromise millions of records.
Your move.