A major cybercrime operation has hit companies worldwide that use Salesforce’s cloud services, with hackers claiming to have stolen nearly a billion customer records. The breach, linked to a recently fixed weakness in Salesforce’s AI tools, is causing worry about how insurers and their clients should handle cyber risks.
On Friday, a hacking group named Scattered LAPSUS$ Hunters launched a site on the dark web listing dozens of big-name companies as victims. These hackers, known by other names like ShinyHunters and Lapsus$, warned affected firms to pay a ransom or risk having all their stolen Salesforce data released publicly. The site invites victims to get in touch to control their data and avoid leaks, posting samples from about 40 companies as proof. They threaten to publish everything by mid-October if talks don’t happen.
The list includes major players from various sectors such as airlines, car manufacturers, retailers, tech companies, and financial service providers. Recognized victims include Allianz Life, TransUnion, and Farmers Insurance. Others named include FedEx, Hulu, Toyota, Marriott, and Google.
The hackers say they didn’t break into Salesforce’s systems directly. Instead, they used “vishing,” a type of voice phishing, plus fake OAuth apps to trick company employees into giving them access to their Salesforce accounts. Once inside, they stole customer data and started sending ransom demands.
Salesforce insists its own systems remain secure. A company spokesperson said there’s no sign their platform was hacked or that this incident is connected to any known security flaw. Salesforce is working with the companies affected and looking into the extortion attempts.
This isn’t the first time Salesforce has faced security trouble. Recently, researchers found a serious flaw in Salesforce’s Agentforce AI product. This bug let attackers hide harmful commands inside web forms, tricking the AI into revealing private customer data. Although Salesforce fixed the issue quickly, it highlighted how AI tools add new risks to enterprise software.
For the insurance industry, this incident raises several concerns. Cyber insurance providers now need to consider if their clients using Salesforce might face claims from customers or regulators, especially since the hackers referenced Europe’s strict GDPR privacy laws as a possible route for legal action.
Insurers cover many related risks, like director and officer liability, professional errors, and vendor management. If a company is accused of not properly overseeing its vendors, insurers could face claims as well. The hackers’ move to combine data theft with ransom demands could cause large financial losses across many firms.
One tricky question is whether insurers or their customers should pay these ransom demands. While most insurers publicly advise against paying, many insured companies rely on their coverage to negotiate with attackers. However, paying ransoms can paint a target on your back, as some have learned.
Ransomware attacks used to involve locking up systems and quietly negotiating ransom. Now, with data theft and public exposure threats, victims face more than just technical problems. They also confront damage to their reputation, investigations from regulators, and class-action lawsuits—even if they recover their systems.
For insurance pros, this Salesforce breach shows why they must thoroughly vet their clients, educate them on cyber risks, and be ready for incidents. It also highlights the growing need to understand how AI-driven platforms bring new security challenges.
With ransom deadlines coming up soon, the big question isn’t whether Salesforce was hacked—it’s how much this third-party risk could spread and how well the insurance industry can handle it.