Last updated: July 5, 2026 at 9:01 AM UTC
Tag: salesforce (9 articles)

Stolen Klue OAuth tokens let 'Icarus' group raid Salesforce data

A new extortion group called Icarus stole Salesforce CRM data from multiple organizations by abusing Klue, a competitive-intelligence app that integrates with Salesforce. Attackers compromised Klue's backend through a dormant credential, pushed a malicious update that harvested customers' OAuth tokens, and used those tokens to run automated queries against Salesforce's API, exfiltrating contacts, sales communications, and account data over about a day. Salesforce has disabled the Klue Battlecards integration. It is the same OAuth-abuse playbook seen in the Salesloft Drift and Gainsight incidents, exploiting trusted third-party integrations that carry broad, lightly-monitored access. Researchers expect more such attacks through 2026.

Check
Inventory third-party apps connected to your Salesforce and other SaaS, especially Klue, review their OAuth scopes, and hunt API logs for unusual query volume or access from unexpected integrations.
Affected
Organizations using Klue's Salesforce integration, and more broadly any business relying on third-party SaaS integrations whose OAuth tokens grant broad, under-monitored access to CRM and other sensitive data.
Fix
Revoke and rotate OAuth tokens for Klue and other affected integrations, terminate active sessions, restrict integration and API access to known infrastructure, and continuously monitor SaaS integration activity for anomalies.

ShinyHunters breach of Berkadia exposes 305,000 in real estate finance

Breach-tracking service Have I Been Pwned has confirmed that 305,216 accounts were exposed in the March attack on Berkadia, a large US commercial real estate finance firm that handles mortgage banking and investment sales. The extortion group ShinyHunters claimed the intrusion, saying it stole millions of Salesforce records containing personal and internal corporate data, around 27GB compressed, and threatened to leak them after the company did not meet its deadline. The breach is part of a broad ShinyHunters campaign this year against companies' Salesforce environments, typically entered by socially engineering employees or help desks rather than exploiting a software flaw.

Check
If you work with or for Berkadia, check whether your email appears in Have I Been Pwned and watch for targeted phishing referencing mortgage, loan, or real estate dealings.
Affected
Berkadia clients, partners, and staff whose personal and business data sat in the breached Salesforce records (305,216 accounts confirmed); the broader ShinyHunters campaign targets corporate Salesforce tenants.
Fix
Reset and stop reusing any passwords tied to Berkadia dealings and enable phishing-resistant MFA. Organizations should lock down Salesforce access, restrict bulk exports, and harden help-desk identity verification.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, which was then used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

ShinyHunters drains 7-Eleven's Salesforce: 600K+ records, franchisee documents, ransom refused

7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.

Check
Audit Connected Apps and OAuth consents in Salesforce. Review login history for unfamiliar IPs and service-account sessions that exported large record sets in the last 90 days. Verify MFA on every API user.
Affected
Organizations running Salesforce without Conditional Access on API users, without IP allowlisting on integration users, or with high-privilege Connected Apps that have not been reviewed in the last quarter.
Fix
Revoke unused Connected Apps and refresh tokens. Enforce MFA and IP restrictions on every Salesforce identity. Apply Shield Event Monitoring to alert on bulk exports and report downloads. Rotate API keys with broad permissions.

Have I Been Pwned confirms two more ShinyHunters Salesforce extortion victims this week - financial-software firm Abrigo (711K) and insurer Canada Life (237K)

Troy Hunt's Have I Been Pwned added two new ShinyHunters victims this week. Abrigo - a Texas-based fintech that builds risk, compliance, and lending software for thousands of US banks and credit unions - had 711,099 unique email addresses and 1.75 million records lifted from its Salesforce environment in April after refusing to pay the ransom. The Canada Life Assurance Company, one of Canada's largest insurers, had 237,810 accounts confirmed in HIBP from a separate ShinyHunters Salesforce breach. Both fit the pattern of the months-long ShinyHunters mass-extortion campaign that already hit Zara, Woflow, and Instructure, with stolen data sitting in third-party Salesforce tenants rather than the victims' core systems.

Check
Check whether your company has a customer or vendor relationship with Abrigo or Canada Life, search your corporate email domains against Have I Been Pwned, and audit Salesforce Connected Apps and OAuth tokens granted to third-party integrations.
Affected
Customers, lenders, and partners of Abrigo (US community banks, credit unions, lenders) and Canada Life (Canadian insurance, savings, and retirement clients). Any organization with broad Salesforce access for third-party connected apps.
Fix
Rotate Salesforce passwords and API tokens where compromise is suspected, revoke unused Connected Apps in Salesforce setup, enforce MFA on every Salesforce user, and warn affected staff to expect impersonation phishing using the leaked PII.

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

Check
If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected
Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix
Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.

Mark Cuban-backed business filing service ZenBusiness leaked - 5 million customer records now public after ShinyHunters extortion failed

ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.

Check
If you used ZenBusiness to set up an LLC, treat any inbound communication referencing your real business name, formation date, or registered agent details as potentially hostile.
Affected
ZenBusiness customers - mostly small business owners, freelancers, and startup founders. The leak includes business formation details that uniquely identify the type of business you set up. Acute risk: small business owners targeted by 'compliance reminder' phishing referencing their real EIN, registered agent address, or annual report deadline.
Fix
Reset ZenBusiness account passwords and rotate any password reused on other accounts. Watch state filing systems for unauthorized changes to your registered agent or business address - attackers can hijack LLCs by changing these. Treat any 'urgent compliance notice' email as potentially hostile. For LLCs holding valuable assets, consider freezing changes through your secretary of state's office where supported.

ADT confirms breach after ShinyHunters claims 10 million records stolen via vishing-compromised Okta SSO and Salesforce exfil

ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.

Check
If you run Salesforce behind Okta or another SSO, audit conditional-access policies this week and assume vishing-driven session-hijack is a credible vector for your tenant.
Affected
ADT customers, particularly the prospective customers confirmed in the dataset. From a security standpoint: any organization using Salesforce behind SSO without device-bound auth or per-session re-auth on bulk exports. The pattern across ShinyHunters victims (Carnival, ADT, Zara, 7-Eleven) shows MFA alone does not stop this group once help-desk vishing succeeds.
Fix
Brief frontline staff on the vishing pattern: spoofed VoIP, attacker poses as IT, walks user through MFA enrollment. Run a tabletop. In Okta and Entra ID, alert on new device registrations and on bulk Salesforce exports outside business hours. Tighten Permission Set Groups for bulk exports. Consider FIDO2 or platform passkeys for any role with bulk customer-data access.

New extortion group 'BlackFile' running seven-figure ransom campaigns against retail and hospitality via vishing-driven SSO compromise and Salesforce/SharePoint scraping

Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.

Check
Brief IT helpdesk staff this week on the BlackFile vishing pattern and run a tabletop on a help-desk-driven SSO compromise of one named individual.
Affected
Retail and hospitality are named target sectors but the playbook is industry-agnostic. Acute risk: any organization where helpdesk staff can re-enroll MFA devices over the phone without out-of-band caller verification. SaaS environments where users can perform bulk Salesforce report exports, SharePoint downloads, or Microsoft Graph queries without secondary controls.
Fix
Require manager confirmation on a separate channel for any MFA or password reset on high-privilege accounts. Disable phone-based helpdesk MFA reset for accounts with bulk-data access. In Okta and Entra, alert on new device registrations from unseen locations. In Salesforce, scope bulk export rights via Permission Set Groups and alert on Bulk API usage outside business hours.
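The Check and Fix guidance repeated across these entries (hunt API logs for unusual integration query volume, alert on bulk exports, flag Bulk API use outside business hours) can be turned into a small log review. The script below is an added example, not code from any of the reporting or from Salesforce; the sample rows are constructed, the column names are modelled on Salesforce EventLogFile API events but should be treated as an assumption, and the allowlist, business hours and thresholds are placeholders to tune per tenant.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Column names are modelled on Salesforce EventLogFile
# "API" events, but treat the exact schema as an assumption and map it to your
# tenant's actual export before use.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
2026-04-01T09:12:00.000Z,sales.rep@example.com,Salesforce for iOS,query,Opportunity,25,203.0.113.10
2026-04-01T09:15:00.000Z,integration.user@example.com,Klue,query,Contact,2000,198.51.100.7
2026-04-01T09:16:00.000Z,integration.user@example.com,Klue,query,Contact,2000,198.51.100.7
2026-04-01T09:17:00.000Z,integration.user@example.com,Klue,query,Contact,2000,198.51.100.7
2026-04-01T02:30:00.000Z,sales.rep@example.com,Unknown Client,query,Account,50000,192.0.2.55
"""

APPROVED_CLIENTS = {"Salesforce for iOS", "Klue"}  # assumed allowlist of reviewed Connected Apps
BUSINESS_HOURS = range(8, 19)                      # assumed 08:00-18:59 UTC
BULK_CALL_ROWS = 10_000   # one call returning this many rows looks like an export
VOLUME_ROWS = 5_000       # rows per (user, client) in the file above the expected baseline

def analyze(log_text):
    """Return (rule, user, client, detail) findings for integration abuse and bulk pulls."""
    findings = []
    totals = defaultdict(int)  # rows pulled per (user, client)
    unknown_seen = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows = int(row["ROWS_PROCESSED"])
        key = (row["USER_NAME"], row["CLIENT_NAME"])
        totals[key] += rows
        # Rule 1: API traffic from a client that is not a reviewed integration.
        if key[1] not in APPROVED_CLIENTS and key not in unknown_seen:
            unknown_seen.add(key)
            findings.append(("unknown_client", *key, row["SOURCE_IP"]))
        # Rule 2: a single call that processes export-sized row counts.
        if rows >= BULK_CALL_ROWS:
            findings.append(("bulk_call", *key, rows))
        # Rule 3: data pulled outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", *key, ts.strftime("%H:%M")))
    # Rule 4: an approved integration whose aggregate volume drifts past baseline,
    # the symptom of a trusted app's OAuth token being replayed for mass queries.
    for key, total in totals.items():
        if total >= VOLUME_ROWS:
            findings.append(("volume", *key, total))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The Klue rows trip only the volume rule, which is the signal that matters for a trusted integration whose token has been stolen: each call looks normal, the aggregate does not.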