All news with #salesforce tag

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

Salesforce Probes Customer Data Theft via Gainsight Apps

🔒 Salesforce says it revoked active access and refresh tokens tied to Gainsight-published applications after detecting unusual activity that may have enabled unauthorized access to some customers' CRM data. The company says the issue stems from the app's external connection rather than a vulnerability in Salesforce itself and temporarily removed those apps from the AppExchange. Affected customers have been notified and can contact Salesforce Help for assistance.

Vietnam Actors Use Fake Job Postings to Hijack Ad Accounts

🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

FBI Seizes BreachForums Servers as Salesforce Deadline Nears

🔒 The FBI, US Department of Justice and French authorities seized the BreachForums domain and parts of its backend on Oct. 9, disrupting infrastructure tied to an alliance of threat actors including ShinyHunters, Scattered Spider and LAPSUS$. The action followed threats to publish alleged Salesforce customer data unless a ransom was paid by Oct. 10. Although the primary forum domain now displays a takedown notice, a separate leak site remains active and the extortion campaign appears to be continuing. Experts advise organizations to audit Salesforce configurations, enable OAuth app governance, and enforce token and session hygiene immediately.

BreachForums Seized; Hackers Promise Salesforce Leak

🚨 Law enforcement in the United States and France have seized domains tied to the BreachForums hacking forum, and the seized site now displays an official takedown banner pointing victims to an IC3 subdomain. Observers caution the action may be largely symbolic because a dark‑web instance remains active and no public arrests of administrators were confirmed. A collective calling itself Scattered LAPSUS$ Hunters says it will still release one billion records allegedly taken from Salesforce customers on 10 October 2025, while Salesforce has reportedly told clients it will not pay a ransom.

it-sa Highlights: Vendor Security and Access Solutions

🔒 At it-sa vendors unveiled a slate of security, privacy and access offerings aimed at strengthening enterprise controls. Salesforce expanded its AI Agentforce into the Security Center and Privacy Center to automate threat detection, incident remediation and compliance prioritization. Ivanti reengineered Connect Secure 25.x with a security‑by‑design architecture including SELinux, WAF, secure boot and disk encryption. Additional launches included Samsung Knox mobile credentials, KOBIL mPower and a Zurich/Deutsche Telekom cyber insurance plus MDR integration.

FBI Seizes BreachForums Portal Used in Salesforce Extortion

🔒 The FBI, in coordination with French authorities, seized BreachForums domains used by the ShinyHunters group as a portal for leaking corporate data and facilitating extortion. Nameservers were updated on October 9 and law enforcement reports they obtained backups and backend servers dating back to 2023, though the actors' dark‑web leak site remains online. ShinyHunters confirmed the takeover via a PGP‑signed Telegram post and warned the Salesforce campaign will continue.

Salesforce launches AI security and compliance agents

🔒 Salesforce introduced two AI agents on its Agentforce platform that monitor security activity and streamline compliance workflows for the Security Center and Privacy Center. The security agent analyzes event logs to detect anomalous behavior, accelerates investigations by assembling context and remediation plans, and can autonomously freeze or isolate suspicious accounts when authorized. The privacy agent maps metadata and policies against frameworks like GDPR and CCPA, surfaces exposures, and can reclassify or apply erasure policies to reduce compliance risk.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

Trinity of Chaos Launches TOR Data Leak Site, Exposes Data

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.

Extortion Gang Reveals Alleged Salesforce Victims List

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

AWS Glue Adds Write Support for Four Application Connectors

🔁 AWS Glue now supports write operations for SAP OData, Adobe Marketo Engage, Salesforce Marketing Cloud, and HubSpot connectors, allowing ETL jobs to create and update records directly in those applications. Announced Oct 3, 2025, the enhancement lets teams sync leads and CRM records, update subscribers and campaign data, and manage contacts, companies, and deals without custom scripts or intermediate systems. This capability simplifies end-to-end ETL pipelines and reduces integration complexity and latency. The feature is available in all Regions where AWS Glue is offered; consult the AWS Glue documentation for supported entities.

ShinyHunters Leak Salesforce Data; Many Companies Exposed

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

Smashing Security 437: ForcedLeak in Salesforce AgentForce

🔐 Researchers uncovered a security flaw in Salesforce’s new AgentForce platform called ForcedLeak, which let attackers smuggle AI-readable instructions through a Web-to-Lead form and exfiltrate data for as little as five dollars. The hosts discuss the broader implications for AI integration, input validation, and the surprising ease of exploiting customer-facing forms. Episode 437 also critiques typical breach communications and covers ITV’s phone‑hacking drama and the Rosetta Stone story, with Graham Cluley joined by Paul Ducklin.

Allianz Life July Data Breach Affects Nearly 1.5 Million

🔐Allianz Life has completed its investigation into a July cyberattack and says 1,497,036 people were impacted. A malicious actor accessed a third-party cloud-based CRM on July 16, 2025, and obtained names, addresses, dates of birth, and Social Security numbers. While some reporting linked the intrusion to a Salesforce-targeted wave attributed to ShinyHunters, Allianz Life has not confirmed that attribution. Notified individuals are offered two years of free identity monitoring from Kroll and guidance to enable credit monitoring or consider freezing credit.

UNC6040: Proactive Hardening for SaaS and Salesforce

🔒 Google Threat Intelligence Group (GTIG) tracks UNC6040, a financially motivated cluster that uses telephone-based social engineering to compromise SaaS environments, primarily targeting Salesforce. Operators trick users into authorizing malicious connected apps—often a fake Data Loader—to extract large datasets. The guidance prioritizes identity hardening, strict OAuth and API governance, device trust, and targeted logging and SIEM detections to identify rapid exfiltration and cross‑SaaS pivots.

Critical ForcedLeak Flaw Exposed in Salesforce AgentForce

⚠️ Researchers at Noma Security disclosed a critical 9.4-severity vulnerability called ForcedLeak that affected Salesforce's AI agent platform AgentForce. The chain used indirect prompt injection via Web-to-Lead form fields to hide malicious instructions within CRM data, enabling potential theft of contact records and pipeline details. Salesforce has patched the issue by enforcing Trusted URLs and reclaiming an expired domain used in the attack proof-of-concept. Organizations are advised to apply updates, audit lead data for suspicious entries, and strengthen real-time prompt-injection detection and tool-calling guardrails.

Salesforce Patches Critical 'ForcedLeak' Prompt Injection Bug

⚠️ Salesforce has released patches for a critical prompt-injection vulnerability dubbed ForcedLeak that could allow exfiltration of CRM data from Agentforce. Discovered and reported by Noma Security on July 28, 2025 and assigned a CVSS score of 9.4, the flaw affects instances using Web-to-Lead when input validation and URL controls are lax. Researchers demonstrated a five-step chain that coerces the Description field into executing hidden instructions, queries sensitive lead records, and transmits the results to an attacker-controlled, formerly allowlisted domain. Salesforce has re-secured the expired domain and implemented a Trusted URL allowlist to block untrusted outbound requests and mitigate similar prompt-injection vectors.