Salesforce's Extortion Crisis Exposes SaaS Vulnerabilities

A billion Salesforce records were stolen through social engineering, revealing weaknesses in cloud security. Learn about the breach, its effects, and key lessons for protecting data in the cloud.

Voice phishing stole a billion corporate records via Salesforce. TechReviewer

Last Updated: October 9, 2025

Written by Theo Scott

A Billion Records Stolen Through a Phone Call

In March 2025, a group called Scattered LAPSUS$ Hunters initiated a campaign that sounded like science fiction. They didn't hack servers or exploit code. Instead, they picked up the phone. Using polished English and convincing pretexts, they tricked employees at major companies into linking malicious apps to their Salesforce accounts. The result: approximately one billion records, from customer data to business secrets, were siphoned off from 39 major organizations including Google, Toyota, FedEx, Home Depot, Chanel, Cisco, and several luxury, automotive, and technology firms. This was a human failure rather than a technical one, exposing a weak link in the cloud era: trust.

The attackers, a coalition of cybercriminals including remnants of LAPSUS$ and ShinyHunters, didn't need fancy malware. They relied on voice phishing, posing as IT support to persuade employees to authorize apps mimicking Salesforce's Data Loader tool. Once connected, these apps used legitimate OAuth tokens to access data undetected. On September 30, 2025, the group launched a dark web extortion site naming 39 victims and demanding Salesforce pay a ransom by October 11 to prevent leaks. Salesforce has publicly stated it will not negotiate or pay the ransom, affirming its position as of October 8, 2025, but the damage from the breach is already significant.

Google and Toyota: A Tale of Two Breaches

The impact varied significantly across victims, with technology and automotive sectors illustrating different risk profiles. Google, a tech titan with robust security, fell victim when an employee authorized a malicious app, exposing corporate Salesforce data. The breach didn't compromise Google's core systems, but it dented its reputation as a security leader. Sensitive business information, potentially including strategic plans, was at risk. This shows even the most fortified companies can stumble when humans are targeted.

Toyota's breach exposed supply chain and dealer network details. For an automotive giant, this data is a goldmine for competitors or fraudsters. The compromise could disrupt operations or enable targeted scams against dealers. Unlike Google, Toyota's breach highlighted how non-tech firms, reliant on SaaS platforms for efficiency, face unique risks when their data is centralized in the cloud. Both cases underscore a hard truth: no company, regardless of size or expertise, is immune to social engineering.

The Hidden Flaw in Cloud Trust Models

At the heart of this breach lies a critical flaw in how cloud platforms like Salesforce operate. OAuth tokens, designed to simplify integrations, became the perfect backdoor. Once an employee granted access, the attackers held a token that gave them persistent entry: multi-factor authentication is challenged only at the moment of consent, not on each later API call, so the stolen access blended in with normal activity. Cybersecurity researchers point out that the trust model in SaaS ecosystems, where third-party apps are assumed safe, creates a sprawling attack surface. With enterprises often using hundreds of connected apps, tracking permissions is challenging.

Salesforce wasn't technically at fault; the platform itself wasn't breached. Customers like Home Depot and Chanel faced real consequences, with Home Depot's systems exposing government employee contact information and luxury brands like Chanel having high-net-worth customer purchase histories compromised. This raises a thorny question: who's responsible when trust is exploited? Customers manage access, but Salesforce's ecosystem enables the integrations. The shared responsibility model, meant to clarify roles, often leaves companies confused about where their defenses begin and end.

Lessons From the Chaos

The Salesforce breach offers hard-won lessons. Social engineering is evolving faster than traditional defenses. Voice phishing, now enhanced by AI to mimic real voices, exploits human psychology in ways standard training can't counter. Companies need to rethink employee education, focusing on real-time decision-making under pressure. OAuth governance is no longer optional. Organizations must audit connected apps, enforce allowlists, and limit permissions to reduce risks.
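One way to turn the governance steps above (allowlist, lookalike detection, permission limits) into a repeatable check, as an added example that is not Salesforce's code or the article's. The app record shape, the scope names and the sample inventory are constructed assumptions, not the Salesforce API.

```python
"""Audit a connected-app inventory for the OAuth-abuse pattern described above.

Added example; the record shape is a constructed simplification of what an
admin export of connected apps might contain.
"""
from difflib import SequenceMatcher

# Constructed allowlist of integrations the organisation has approved (tuple keeps order deterministic).
ALLOWLIST = ("Data Loader", "Marketing Sync")


def looks_like(name: str, approved: str, threshold: float = 0.8) -> bool:
    """True when an unapproved app name closely imitates an approved one."""
    return SequenceMatcher(None, name.lower(), approved.lower()).ratio() >= threshold


def audit_connected_apps(apps: list[dict]) -> list[dict]:
    """Return one finding per app that violates the allowlist or least-privilege rules."""
    findings = []
    for app in apps:
        name, scopes = app["name"], set(app["scopes"])
        reasons = []
        if name not in ALLOWLIST:
            reasons.append("not on allowlist")
            # Lookalike of an approved app: the Data Loader imitation used in this campaign.
            for approved in ALLOWLIST:
                if looks_like(name, approved):
                    reasons.append(f"name imitates '{approved}'")
            if "refresh_token" in scopes:  # long-lived access in the hands of an unvetted app
                reasons.append("persistent access (refresh_token) granted to unapproved app")
        if "full" in scopes:  # unrestricted scope violates least privilege for any app
            reasons.append("over-broad scope 'full'")
        if reasons:
            findings.append({"name": name, "user": app["user"], "reasons": reasons})
    return findings


# Constructed sample inventory (assumed values, not real exports).
SAMPLE_APPS = [
    {"name": "Data Loader", "user": "ops@example.com", "scopes": ["api", "refresh_token"]},
    {"name": "Data Loader", "user": "sales@example.com", "scopes": ["api"]},
    {"name": "Data Loaderr", "user": "jane@example.com", "scopes": ["api", "full", "refresh_token"]},
    {"name": "Marketing Sync", "user": "mkt@example.com", "scopes": ["api"]},
    {"name": "Invoice Helper", "user": "fin@example.com", "scopes": ["api"]},
]

if __name__ == "__main__":
    for finding in audit_connected_apps(SAMPLE_APPS):
        print(finding["name"], finding["user"], "->", "; ".join(finding["reasons"]))
```

Run against a real inventory, the findings list is the review queue: approved apps with narrow scopes produce nothing, while a near-duplicate name holding a refresh token is exactly the case that should trigger token revocation.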

Some might suggest employees bear the blame for falling for scams, but this ignores the sophistication of modern attacks. Attackers used tailored scripts, leveraging public data to sound credible. Punishing employees risks eroding trust. Instead, firms should invest in behavioral analytics to catch anomalies early. Salesforce Shield's real-time monitoring helped some victims detect data exfiltration, proving technical controls can make a difference when paired with vigilance.

What's Next for Cloud Security?

This incident is a wake-up call for the SaaS industry. As cloud adoption grows, so does the attack surface. Cybersecurity vendors are racing to develop tools for SaaS security posture management, focusing on monitoring integrations and detecting rogue apps. Zero trust architectures, emphasizing continuous verification, are gaining traction to limit damage from compromised credentials. Regulators are watching closely, with GDPR and CCPA enforcers scrutinizing whether companies met data protection standards.

For consumers, the stakes are personal. Exposed data from airlines like Qantas or retailers like IKEA could fuel phishing scams or identity theft. Salesforce's refusal to pay the ransom may deter future attacks, but it doesn't erase the harm to individuals whose data is now in criminal hands. The future demands tighter integration controls, smarter detection, and a cultural shift toward skepticism of unsolicited IT requests. Without action, the next billion-record breach could be just a phone call away.