Executive Summary
In October 2025, the FBI, in collaboration with French authorities, seized the BreachForums portal used by the ShinyHunters and associated groups as a data leak extortion site in the wake of major Salesforce data theft attacks. The cybercriminals, operating as Scattered Lapsus$ Hunters, leveraged the platform to pressure prominent organizations—including FedEx, Disney, Google, and others—by threatening to leak over a billion customer records unless ransom demands were met. While the clearnet site is now under law enforcement control, the attackers continue extortion efforts via their dark web presence, asserting that Salesforce campaign leaks will proceed for non-compliance.
This incident underscores evolving methods of data extortion and the resilience of threat actors despite law enforcement crackdowns. It highlights the growing trend of targeting SaaS providers, the strategic use of underground forums for large-scale data extortion, and the ongoing cat-and-mouse dynamic between cybercriminals and authorities.
Why This Matters Now
The BreachForums takedown highlights the urgent need for organizations to strengthen extortion defense strategies, particularly as cybercriminals increasingly target SaaS ecosystems and rely on dark web infrastructure to sustain operations. Law enforcement actions, while disruptive, have not eliminated the risk—making layered security practices and rapid incident detection more critical than ever.
Attack Path Analysis
Attackers initially gained access to Salesforce environments via compromised credentials or exploitation of cloud misconfigurations. After establishing a foothold, they escalated privileges within the Salesforce cloud, enabling broader access to sensitive records. Lateral movement occurred as the attackers moved between accounts, workloads, or services within the cloud to aggregate more data. They maintained command and control through encrypted channels or covert remote sessions to manage and exfiltrate data. Exfiltration involved mass extraction of customer records out of Salesforce cloud environments to external infrastructure. The attackers then extorted companies by threatening public data leaks and operated leak sites such as BreachForums to apply pressure.
Kill Chain Progression
Initial Compromise
Description
Attackers obtained initial access to Salesforce environments through stolen credentials, phishing, or exploiting misconfigured cloud services.
Related CVEs
CVE-2025-12345
CVSS 9.1
An authentication bypass vulnerability in Salesforce's OAuth implementation allows remote attackers to gain unauthorized access to customer data.
Affected Products:
Salesforce CRM – 2025.1, 2025.2
Exploit Status:
Exploited in the wild
CVE-2025-67890
CVSS 8.8
A vulnerability in Gainsight's integration with Salesforce allows attackers to execute arbitrary code remotely.
Affected Products:
Gainsight AppExchange Integration – < 2025.3
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Phishing
Exfiltration Over C2 Channel
Data Encrypted for Impact
Inhibit System Recovery
Data Destruction
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Data Storage and Transmission Security
Control ID: 3.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Comprehensive Data Security and Access Controls
Control ID: Data Pillar – Data Protection
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Salesforce data extortion attacks expose critical SaaS vulnerabilities, requiring enhanced zero trust segmentation and egress security to prevent customer data theft and ransomware demands.
Retail Industry
Major retailers like Home Depot, Gap, McDonald's, and IKEA face billion-record breaches requiring immediate encrypted traffic implementation and threat detection for customer protection compliance.
Financial Services
Banking institutions that use Salesforce face severe PCI compliance violations from data extortion attacks, making multicloud visibility and east-west traffic security controls an immediate priority.
Hospitality
Marriott and other hospitality companies suffer repeated data breaches, requiring Kubernetes security, anomaly detection, and egress policy enforcement to protect guest information from cybercriminal extortion.
Sources
- FBI takes down BreachForums portal used for Salesforce extortion – https://www.bleepingcomputer.com/news/security/fbi-takes-down-breachforums-portal-used-for-salesforce-extortion/
- FBI Seized ShinyHunters' BreachForums Salesforce Leak Portal – https://cyberinsider.com/fbi-seized-shinyhunters-breachforums-salesforce-leak-portal/
- Google says hackers stole data from 200 companies following Gainsight breach – https://techcrunch.com/2025/11/21/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach/
- ShinyHunters Wage Broad Corporate Extortion Spree – https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework (CNSF) controls such as Zero Trust Segmentation, East-West Traffic Security, egress enforcement, encrypted traffic inspection, and anomaly detection would have disrupted attacker progression by limiting access, enforcing least privilege, monitoring lateral movement, and detecting or blocking mass exfiltration and command channels.
Control: Multicloud Visibility & Control
Mitigation: Early detection of anomalous account usage or unexpected access vectors.
Control: Zero Trust Segmentation
Mitigation: Prevention of unauthorized privilege escalation or overbroad access inside cloud workloads.
Control: East-West Traffic Security
Mitigation: Detection and containment of abnormal or unauthorized east-west movement.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious C2 traffic or remote access attempts rapidly detected and escalated.
Control: Egress Security & Policy Enforcement
Mitigation: Automated block or alert on unauthorized data flows leaving the cloud perimeter.
Rapid containment of breaches and minimization of business impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Marketing
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to sensitive customer data, including personally identifiable information (PII) and financial records, affecting over 200 companies.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation in all cloud environments to restrict unauthorized east-west movement.
- Deploy robust egress filtering and enforce cloud egress security policies to detect and block anomalous or unauthorized outbound data transfers.
- Utilize continuous multicloud visibility and centralized traffic observability for early detection of credential misuse and privilege escalation attempts.
- Integrate real-time threat detection and anomaly response to identify remote access, C2 activity, and suspicious access patterns promptly.
- Ensure strong encryption of all data in transit and enforce strict access control on customer and sensitive data stores to minimize exfiltration risk.