What are Lessons Learned From the Scattered LAPSUS$ Hunters’ Salesforce Breach?
Table of contents
One of the most sophisticated cybercrime alliances to have emerged in recent history, known as the Scattered LAPSUS$ Hunters, sent tremors last month with their attack on Salesforce. By exploiting trusted integrations within the Salesforce ecosystem, the hacker group was able to access and exfiltrate massive volumes of data linked to both Salesforce and about 40 other major companies that use this CRM platform.
The impacted companies, including Google and Disney, span industries, creating a cascading effect across the globe.
What was the Salesforce cybersecurity breach?
The hackers used social engineering tactics such as voice-phishing and OAuth token abuse to infiltrate Salesloft Drift, an AI chat agent that engages website visitors. This tool, being a popular connecting application into the Salesforce infrastructure, provided the perfect and inconspicuous roadmap to accessing the global CRM giant, Salesforce. Specifically, the Drift integration uses the OAuth tokens, which allow Drift to read and write data in Salesforce without needing user passwords.
Once the attackers obtained these long-term OAuth tokens from Drift’s environment, they logged into various users’ Salesforce instances as if they were the Drift application. As the connected application and the OAuth tokens were valid, the access appeared normal and blended with regular traffic.
Once infiltrated, the hackers were able to export data such as customer records, contact details, support ticket information, sales pipeline data, and internal notes, among others. Over several days, the attackers downloaded such large quantities of data linked to several companies that use the Salesforce platform.
Scattered LAPSUS$ Hunters created a data leak site on TOR where they listed the impacted companies and provided samples of the stolen data.
Who are the Scattered LAPSUS$ Hunters?
The Scattered LAPSUS$ Hunters, known by cybersecurity researchers as the “Trinity of Chaos,” are an alliance of three notorious cybercriminal groups: Scattered Spider (aka the Muddled Libra), ShinyHunters (Bling Libra), and LAPSUS$.
Known associated TTP:
- Achieving initial access through social engineering techniques such as voice phishing, leveraging personally identifiable information of corporate employees, and SMS phishing campaigns.
- MFA bypassing through MFA fatigue, SIM swapping, and OAuth abuse tactics such as going through connected applications.
- “Living off the Land” tactics in their use of legitimate and allowlisted software such as RMM tools, PowerShell, and native cloud administration consoles to blend in with normal administrative activities.
- Conducting internal reconnaissance, targeting corporate data repositories like Sharepoint, source codes, cloud data warehouses, among others.
So, what can we learn from this? If the prevalence of cyberattacks are linked to highly integrated tools in your stack, like the Drift application, serves as a chilling case study.
Here are five learnings, for every IT security manager to take away from this incident.
1. The weapon wasn’t a malware or a vulnerability, it was a “trusted” key
The attackers didn’t need a highly sophisticated or technically advanced virus or malware to execute this widespread breach. Instead, they weaponized the OAuth tokens. Designed for convenience and trust, these tokens are digital keys that grant applications delegated access to each other’s data, allowing them to communicate and share information without constantly asking for passwords.
Their danger lies in their persistence, as the tokens often outlast the employees, and even vendors, leaving a permanent forgotten key, the holy grail for an attacker.
By exploiting the Salesloft Drift OAuth tokens, they gained API-level access to the corporate Salesforce environments. Due to the validity of the tokens, the data exfiltration requests came from valid and authorized API integration queries, so the malicious activity was effectively masked, blending in with legitimate operations.
2. One vendor as a gateway to hundreds of companies.
The compromise of this single integration had a staggering blast radius, affecting over 700 organizations worldwide. The incident highlights a critical vulnerability in today’s interconnected business ecosystem: the supply chain risk.
The breach impacted the cybersecurity industry itself, touching bulwarks such as Cloudflare and Zscaler. It serves as a stark reminder that even the most security-conscious companies are vulnerable through their trusted third-party connections. While initially Salesloft believed only its Salesforce integration was impacted, it later confirmed that all Drift integrations were at risk, widening the scope of potential exposure for its entire customer base.
3. Scattered LAPSUS$ Hunters are a cybercrime “super group”
The group Scattered LAPSUS$ Hunters, an amalgamation of three notorious groups, was already being tracked by threat intelligence analysts under internal monikers like UNC6395. This entity is less of a monolithic hacking group, and more of a “super group” formed from members of the Scattered Spider, LAPSUS$, and Shiny Hunters, sharing skillsets and techniques.
ShinyHunters is known for their involvement in targeting high-profile data breaches, using advanced social engineering techniques, impacting major brands like Adidas, Qantas, LVMH, etc.
Scattered Spider is a financially motivated group (also known as UNC3944, Scattered Swine, Muddled Libra) that has been active since May 2022. Finally, LAPSUS$ is a financially motivated hacking collective that began operations in December 2021, and is reportedly primarily made up of South American and British teenagers. All three have been major actors within the broader cybercrime umbrella, known as “TheCom”.
TheCom is characterized as a dark web breeding ground for cybercriminals, composed mostly of young people from English-speaking countries who operate independently while sharing resources, tactics, and reputational ties. Over time, this group has evolved from opportunistic data theft to organized extortion demands as we can see in this cybersecurity incident.
4. Threat actors hidden in plain sight
The cybercriminal group demonstrated a high degree of sophistication by using the “Living off the Land” (LotL) technique. This technique allowed them to avoid deploying custom malware that could be easily detected by firewalls and anti-malware tools, instead using only legitimate, allowlisted software and tools that were already present in the target environments.
This technique lets them blend in with normal administrative activities, bypassing the scans of anti-malware tools that tend to prioritize unknown or unusual activities.
Such a strategy indicates a high level of operational security awareness. After data theft through a victim’s Salesforce instance, the hackers would delete the query jobs they created to prevent detection.
The incident timeline from their attack on Cloudflare reveals their patient and systematic approach.
- August 9, 2024: The attackers began with initial reconnaissance, attempting to validate a stolen API token.
- August 13, 2024: After gaining initial access, they expanded their reconnaissance, stealing customer data from the Salesforce case objects.
- August 16, 2024: They conducted a “dry run” to verify the exact size of the dataset they intended to steal.
- August 17, 2024: The final data exfiltration was launched using a Salesforce Bulk API job, which was subsequently deleted to hide their activity.
5. Arrests couldn’t stop the brand
In recent years, organized efforts by law enforcement agencies have resulted in numerous arrests of individuals associated with the ShinyHunters cluster. The brand persisted, displaying a shift in the structure of modern cybercrime organization.
Due to the decentralized and international nature of this cybercrime group, efforts from law enforcement disrupted only certain members or specific functions of the group, allowing other members to remain active. Operational continuity, brand persistence, and TTP resilience were maintained through shared resources such as common communication channels and PGP keys.
This shows how the “brand” of a threat group can persist and continue when supported by this new decentralized, resource-sharing model.
F.A.Q. – Lessons learned
1. What to take away about trusting OAuth tokens and API integrations?
The most critical lesson is that OAuth tokens represent persistent, powerful access that often outlasts employees and even vendor relationships. These “trusted” digital keys can become weaponized in the wrong hands. Unlike traditional credentials, OAuth tokens provide API-level access that bypasses standard authentication checks, making malicious activity virtually indistinguishable from legitimate operations.
Your takeaway: You need to implement regular OAuth token audits, establish expiration policies, and monitor API activity patterns to detect anomalous data access—even when it comes from “authorized” integrations.
2. How should organizations reassess their third-party vendor risk after this incident?
This breach demonstrates that your security posture is only as strong as your weakest vendor integration. The compromise of a single third-party tool, Salesloft Drift, created a blast radius affecting over 700 organizations worldwide, including cybersecurity leaders like Cloudflare and Zscaler.
Your takeaway: You should focus on implementing continuous monitoring of third-party access, enforce the principle of least privilege for all integrations, and develop rapid response plans for supply chain compromises.
3. Why is the “Living off the Land” technique so effective?
The sophistication of this attack lies in its simplicity. In this case hackers used only legitimate, allowlisted tools already present in target environments (like microsoft, github, aws, salesforce data), avoiding custom malware that would trigger security alerts. This teaches us that perimeter defenses and signature-based detection are insufficient.
Your takeaway: Security researchers note that you should focus on behavioral analytics and anomaly detection that can identify unusual patterns in legitimate tool usage. This includes monitoring for abnormal data access volumes, unexpected API query patterns, and suspicious bulk data exports.
4. What does the persistence of this threat group despite arrests tell us?
The continued operation of Scattered LAPSUS$ Hunters despite numerous arrests reveals that modern cybercrime operates as a decentralized, brand-based ecosystem, untraditional and more fond of extortion attempts than even before.
Your takeaway: Stay safe by adopting a continuous threat intelligence approach, understanding that threat actor tactics, techniques, and procedures (TTPs) persist and evolve regardless of individual arrests.
5. How should this breach change our approach to detecting insider threats and legitimate access abuse?
Perhaps the most unsettling lesson is that the greatest vulnerabilities may already be inside your perimeter, masquerading as trusted access.
Your takeaway: You need to implement comprehensive logging and retention policies that prevent attackers from erasing evidence, establish baseline patterns for normal administrative and API activity, and deploy User and Entity Behavior Analytics (UEBA) solutions that can detect subtle anomalies in access patterns.
Wrapping up
The Scattered LAPSUS$ Hunters attacks force a critical re-evaluation of digital trust. Modern cybersecurity can no longer rely on a heavily guarded perimeter when the greatest vulnerabilities may already be inside. The complex web of trusted, interconnected applications that our businesses rely on every day may be the biggest unprotected zone.
