Salesforce, one of the world’s largest cloud-based CRM providers, is investigating a data breach that led to extortion attempts against several of its enterprise customers.
Threat actors claim to have stolen sensitive customer records, access tokens, and API keys belonging to multiple organizations integrated with Salesforce’s cloud ecosystem. The attackers are reportedly demanding ransom payments to prevent data leaks, raising serious concerns about the security of cloud-hosted customer platforms.
How the Attack Began
According to SecurityWeek and other industry reports, the intrusion appears to have originated from a third-party application connector used by several Salesforce clients. The attackers exploited a misconfigured integration token to gain access to customer environments, exfiltrating data and configuration metadata.
Once inside, the threat actors moved laterally across connected instances using OAuth tokens that lacked proper scope restrictions. By chaining weak permissions with token reuse, they escalated privileges and accessed Salesforce customer datasets across multiple enterprises.
While the Salesforce core platform was not directly breached, the company confirmed that some clients experienced “unauthorized access to integrated environments.”
The Extortion Campaign
Following the intrusion, the hackers began contacting victims directly through corporate emails and dark-web messaging channels. They threatened to publish stolen datasets unless ransom demands ranging from $50,000 to $400,000 in cryptocurrency were paid.
According to a BleepingComputer report, at least 18 affected organizations received extortion messages containing samples of CRM exports, customer lists, and internal analytics files as proof of compromise.
Security analysts believe the campaign is tied to a cybercrime group known as Storm-0962, previously associated with data-extortion operations involving third-party SaaS connectors.
Salesforce’s Response
Salesforce issued a statement acknowledging that it was assisting affected customers and working with external forensic partners. The company emphasized that its “core systems remain uncompromised” and that the breach originated outside Salesforce’s internal network.
In its public security bulletin, Salesforce urged administrators to:
- Rotate all OAuth tokens and API keys tied to external integrations.
- Enforce multi-factor authentication (MFA) for administrative and API accounts.
- Review connected apps to ensure minimum permission scopes.
- Enable event monitoring to detect suspicious data-export activity.
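The "minimum permission scopes" item is easiest to act on as a repeatable audit rather than a one-off review. The following is an added example, not code from the article or from Salesforce: it compares the OAuth scopes actually granted to each connected app against a per-app allowlist and reports anything broader than the integration needs. The app inventory and the policy are constructed; the scope names (api, refresh_token, web, full) match Salesforce's documented OAuth scope identifiers, but treating "full" as always-overbroad is this example's assumption.

```python
"""Connected-app scope audit (added example; inventory and policy are constructed)."""

# Scopes that grant broad access; an integration that only needs data-API access
# should never hold them. Treating "full" this way is an assumption of this example.
OVERBROAD_SCOPES = {"full"}


def audit_connected_apps(apps, policy):
    """Return one finding per app whose granted scopes exceed the policy.

    apps:   list of {"name": str, "scopes": set[str]} as exported from an admin review
    policy: {app_name: set_of_allowed_scopes}; an app missing from the policy is
            itself a finding (an integration nobody has reviewed)
    """
    findings = []
    for app in apps:
        allowed = policy.get(app["name"])
        if allowed is None:
            findings.append({"app": app["name"], "issue": "not_in_policy",
                             "scopes": sorted(app["scopes"])})
            continue
        excess = app["scopes"] - allowed
        overbroad = excess & OVERBROAD_SCOPES
        if overbroad:
            # Broad scopes are reported first and separately: they need revocation,
            # not just trimming.
            findings.append({"app": app["name"], "issue": "overbroad_scope",
                             "scopes": sorted(overbroad)})
        elif excess:
            findings.append({"app": app["name"], "issue": "excess_scope",
                             "scopes": sorted(excess)})
    return findings


# Constructed inventory: what each connected app currently holds.
SAMPLE_APPS = [
    {"name": "MarketingSync", "scopes": {"api", "refresh_token"}},
    {"name": "LegacyConnector", "scopes": {"full", "refresh_token"}},
    {"name": "AnalyticsExport", "scopes": {"api", "refresh_token", "web"}},
    {"name": "UnknownApp", "scopes": {"api"}},
]

# Constructed policy: the minimum each integration was approved for.
SAMPLE_POLICY = {
    "MarketingSync": {"api", "refresh_token"},
    "LegacyConnector": {"api", "refresh_token"},
    "AnalyticsExport": {"api", "refresh_token"},
}

if __name__ == "__main__":
    for finding in audit_connected_apps(SAMPLE_APPS, SAMPLE_POLICY):
        print(f'{finding["app"]}: {finding["issue"]} {finding["scopes"]}')
```

Run against the constructed data the audit reports LegacyConnector for the "full" scope, AnalyticsExport for an unneeded "web" scope, and UnknownApp for having no approved policy at all; MarketingSync passes. Keeping the policy in version control turns the bulletin's review step into something that can run after every change to the app inventory.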
These measures, combined with forensic analysis, aim to contain exposure and prevent further data theft.
Expert Analysis
Cybersecurity professionals note that this incident highlights the growing fragility of supply-chain integrations within cloud ecosystems. As companies expand their use of SaaS connectors, each API link becomes a potential entry point for exploitation.
According to Mandiant, the attack demonstrates “how third-party application tokens can undermine enterprise security even when core cloud systems remain protected.” The analysts emphasized that modern threat actors increasingly target trust relationships rather than vulnerabilities.
Experts recommend continuous token lifecycle management and scope limitation as key strategies for defending against similar attacks.
What Customers Should Do Next
Act immediately and sequence these steps so containment and assurance advance together:
- Revoke and reissue all integration tokens issued before the incident window; then re-authorize with minimal scopes.
- Harden connected apps: require MFA for admins, restrict IP ranges, and enable conditional access.
- Instrument telemetry: track exports, large report runs, and anomalous API bursts; alert on off-hours spikes.
- Search for reuse: identify where the same credentials or keys appear in other environments; rotate them as well.
- Coordinate legal/IR: preserve logs, document timelines, and prepare notifications if laws or contracts require the
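The telemetry step above names three signals: large exports, off-hours activity, and API bursts. The following is an added example, not code from the article or from Salesforce, that implements all three as rules over event records. The records are constructed, and their field names (timestamp, user, event_type, rows, connected_app) and the event-type labels are assumptions for this example rather than a real Salesforce Event Monitoring schema; the thresholds are illustrative and would be tuned to an organization's own baseline.

```python
"""Export and API-burst detector over constructed event records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Illustrative thresholds (assumptions, not vendor guidance).
LARGE_EXPORT_ROWS = 10_000          # rows in a single export considered "large"
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 UTC is treated as normal working time
API_BURST_LIMIT = 50                # calls per principal within the window
API_BURST_WINDOW_SECONDS = 60


def _parse(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect_suspicious_activity(events):
    """Return alert dicts for large exports, off-hours exports and API bursts.

    A principal is the (user, connected_app) pair, so a burst from one app under a
    shared service account is still attributed to that app.
    """
    alerts = []
    recent_calls = defaultdict(deque)   # principal -> timestamps inside the window
    burst_flagged = set()               # alert once per principal, not per call
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        when = _parse(ev["timestamp"])
        principal = (ev["user"], ev.get("connected_app", "-"))
        if ev["event_type"] == "ReportExport":
            if ev.get("rows", 0) >= LARGE_EXPORT_ROWS:
                alerts.append({"rule": "large_export", "principal": principal,
                               "at": ev["timestamp"], "rows": ev["rows"]})
            if when.hour not in BUSINESS_HOURS:
                alerts.append({"rule": "off_hours_export", "principal": principal,
                               "at": ev["timestamp"], "rows": ev.get("rows", 0)})
        elif ev["event_type"] == "Api":
            window = recent_calls[principal]
            window.append(when)
            # Drop calls that have aged out of the sliding window.
            while (when - window[0]).total_seconds() > API_BURST_WINDOW_SECONDS:
                window.popleft()
            if len(window) > API_BURST_LIMIT and principal not in burst_flagged:
                burst_flagged.add(principal)
                alerts.append({"rule": "api_burst", "principal": principal,
                               "at": ev["timestamp"], "calls": len(window)})
    return alerts


def sample_events():
    """Constructed records: one noisy service account and one normal user."""
    events = [
        # 25,000-row export at 03:00 UTC: triggers both export rules.
        {"timestamp": "2025-01-15T03:00:00Z", "user": "svc-connector",
         "connected_app": "ConnectorApp", "event_type": "ReportExport", "rows": 25_000},
        # Small daytime export by an analyst: no alert.
        {"timestamp": "2025-01-15T11:15:00Z", "user": "alice",
         "connected_app": "-", "event_type": "ReportExport", "rows": 200},
    ]
    # 60 API calls in 60 seconds from the service account: one api_burst alert.
    for sec in range(60):
        events.append({"timestamp": f"2025-01-15T10:00:{sec:02d}Z", "user": "svc-connector",
                       "connected_app": "ConnectorApp", "event_type": "Api"})
    # 20 API calls from alice over the same minute: under the limit.
    for sec in range(0, 60, 3):
        events.append({"timestamp": f"2025-01-15T10:00:{sec:02d}Z", "user": "alice",
                       "connected_app": "-", "event_type": "Api"})
    return events


if __name__ == "__main__":
    for alert in detect_suspicious_activity(sample_events()):
        print(alert["rule"], alert["principal"], alert["at"])
```

On the constructed input the detector raises exactly three alerts, all against the service account: the large export, the same export as off-hours activity, and one API burst. Alerting once per principal per burst, rather than on every call past the limit, keeps a compromised token from flooding the queue with thousands of identical alerts during the very activity the rule is meant to surface.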
While the investigation continues, no evidence currently suggests the attackers have compromised Salesforce’s production environment or code repositories. However, customers remain at risk if exposed integration credentials are reused elsewhere.
FAQs
Q: Was Salesforce itself breached?
A: No. The attack targeted customer integrations through misconfigured tokens, not Salesforce’s internal infrastructure.
Q: How did attackers gain access?
A: They exploited insecure OAuth tokens and reused credentials linked to third-party connectors.
Q: What type of data was stolen?
A: CRM exports, analytics files, contact information, and customer metadata from integrated systems.
Q: Who is behind the attack?
A: The campaign is attributed to a cyber-extortion group known as Storm-0962, linked to previous SaaS exploitation incidents.
Q: How can organizations protect themselves?
A: Revoke and reissue all integration tokens, limit API permissions, and monitor outbound data flows.