In mid-2025, a series of strategic cyber intrusions compromised the Salesforce systems of numerous prominent companies across multiple sectors, including Technology, Retail, Luxury Fashion, Aviation, and Insurance. The attackers, associated with a financially motivated group tracked by Google as UNC6040, claimed that data from 91 organizations had been breached globally. The list of victims includes brands like Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, and Pandora.
The nature of the breach speaks to the growing sophistication of cybercriminal tactics. “This campaign relied entirely on social engineering rather than exploiting flaws in Salesforce’s infrastructure,” said a representative from Google's Threat Intelligence Group (GTIG). This highlights a troubling reality: even without technical vulnerabilities, attackers can manipulate users to achieve their goals.
The tactics used in the breach included voice phishing, or vishing, wherein attackers posed as corporate IT staff and convinced employees to follow instructions for what they claimed were urgent troubleshooting steps. Victims were instructed to access Salesforce’s Connected Apps authorization page and enter an eight-digit code provided during the call, unwittingly granting the attackers access to sensitive information.

“By entering this code, the victim unknowingly authorized a malicious OAuth application controlled by the attackers,” explained the GTIG representative. Often, these malicious applications were disguised as legitimate tools, such as a trojanized version of Salesforce’s own Data Loader, and sometimes used names like “My Ticket Portal” to appear credible.
Once authorized, the attackers gained API-level access, allowing them to query and extract large volumes of Salesforce data that included customer profiles, contact lists, and internal business information. Google further emphasized that the attackers did not exploit any technical vulnerabilities but rather capitalized on user manipulation and misconfigured third-party app settings, making multi-factor authentication ineffective against their methods.

Impact and Legacy
The initial data queries appeared small to avoid detection, but quickly escalated into significant data exfiltration. “This breach not only impacts Salesforce users but also extends to other cloud platforms, such as Office 365, feeding into a more extensive data theft network,” the GTIG noted, warning about the interconnected nature of modern data systems.
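The two signals described above, a connected app that was never reviewed by the organization and a retrieval volume that starts small and ramps up within minutes, are both visible in API activity logs. The following is an added example written for this page, not code from Salesforce, Google, or the article; the event fields, the app names, and the sample events are constructed for illustration and do not follow any real log schema. It flags unapproved apps, detects escalation of rows returned per app inside a short window, and prioritises apps that trip both checks.

```python
"""Detection sketch for the abuse pattern described in the article: a newly
authorized connected app whose API data retrieval ramps up quickly.
Added example; the event fields and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    minute: int   # minutes since the start of the observation window (constructed)
    user: str     # user whose session issued the call
    app: str      # connected app name as presented at authorization
    rows: int     # records returned by the API call


# Constructed sample events: a long-standing integration with steady volume,
# and a just-authorized app that starts with small queries and escalates.
SAMPLE_EVENTS = [
    ApiEvent(0, "integration.svc", "Nightly Sync", 500),
    ApiEvent(30, "integration.svc", "Nightly Sync", 520),
    ApiEvent(60, "integration.svc", "Nightly Sync", 480),
    ApiEvent(5, "jdoe", "My Ticket Portal", 20),
    ApiEvent(6, "jdoe", "My Ticket Portal", 40),
    ApiEvent(8, "jdoe", "My Ticket Portal", 2000),
    ApiEvent(10, "jdoe", "My Ticket Portal", 50000),
]

# Connected apps the organization has reviewed and approved (constructed).
KNOWN_APPS = {"Nightly Sync"}


def first_seen_apps(events, known_apps):
    """Return apps present in the events that are not on the approved list."""
    return sorted({e.app for e in events} - set(known_apps))


def escalating_apps(events, window_minutes=15, growth_factor=10, min_rows=10000):
    """Flag apps whose retrieval volume, within any window_minutes span,
    peaks at growth_factor times the first call and exceeds min_rows in total.
    Returns {app: total_rows_in_window} for flagged apps."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.minute):
        by_app[e.app].append(e)
    flagged = {}
    for app, evs in by_app.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.minute - start.minute <= window_minutes]
            total = sum(e.rows for e in window)
            peak = max(e.rows for e in window)
            if total >= min_rows and peak >= growth_factor * start.rows:
                flagged[app] = total
                break
    return flagged


def triage(events, known_apps=KNOWN_APPS):
    """Highest priority: an unapproved app that is also escalating its pulls."""
    unknown = set(first_seen_apps(events, known_apps))
    return sorted(app for app in escalating_apps(events) if app in unknown)


if __name__ == "__main__":
    print("unapproved apps:", first_seen_apps(SAMPLE_EVENTS, KNOWN_APPS))
    print("escalating apps:", escalating_apps(SAMPLE_EVENTS))
    print("priority review:", triage(SAMPLE_EVENTS))
```

The approved-app list is the control that matters most here: an allow-list of connected apps (and restricting who may authorize new ones) removes the attacker's ability to turn an eight-digit code read over the phone into standing API access, while the volume check catches the case where a fresh authorization slipped through.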
To exert further pressure on their victims, the attackers established a Telegram channel titled Scattered Lapsu$ Hunters, where they disseminated samples of purportedly stolen data and listed targeted companies. “These public 'teaser leaks' serve as psychological tools, warning organizations that similar or more damaging disclosures could follow if our demands are not met,” the group explained in communications shared via the channel.
The group first gained attention on August 8 when they became active on Telegram, unveiling their operations by sharing leaked data as well as screenshots of negotiation discussions with some targeted firms. The interactive nature of these communications adds another layer to the extortion pressure faced by affected organizations.
Initially, the social engineering methods employed in this breach led some analysts to suspect the involvement of Scattered Spider, a group infamous for executing the 2023 MGM Resorts breach. The similarity in tactics, namely phone-based social engineering, sparked that speculation, yet the particulars of this recent campaign have distinguished it as a notable and distinct breach event.
As the repercussions from this incident continue to unfold, organizations must reevaluate their security protocols, emphasizing user awareness and training as pivotal steps in safeguarding sensitive data. The apparent reliance of attackers on human error illustrates the continued necessity for vigilance in cybersecurity frameworks.
With this breach acting as a stark reminder of the vulnerabilities inherent in social engineering, the importance of robust cybersecurity measures targeting both technology and human behavior cannot be overstated. Companies must actively enhance their defenses to better prepare for and thwart these increasingly sophisticated tactics employed by cybercriminals.