Updated: October 9, 2025
✅ TL;DR – Quick Action Items
- Not a Salesforce core hack: criminals abused a connected app and stolen OAuth tokens in August.
- Extortion site set public “leak” threats for early–mid October; expect phishing even if no data is posted.
- Do now: turn on 2FA (email/airline/bank), place a credit freeze (U.S.), review & revoke stale connected apps, rotate reused passwords, and ignore refund/bonus‑miles links.
What happened (plain English)
Criminals are trying to pressure companies by threatening to publish customer data they say came from Salesforce customer environments. This is not a bug in Salesforce’s platform. In August, attackers abused a connected app that organizations had linked to Salesforce using OAuth (app tokens), then ran large data exports. This week they launched an extortion site and posted a deadline to force payment. Salesforce has told customers it will not negotiate or pay.
This week’s timeline
- Oct 3: Group claims mass theft of Salesforce‑related records and starts naming dozens of organizations.
- Oct 6–8: Leak/pressure site appears; outlets note a public “leak” deadline promoted by the group. Airlines (e.g., Qantas) issue warnings.
- Oct 7–9: Salesforce reiterates it will not pay; analysts emphasize the access came via a third‑party connected app (OAuth tokens), not Salesforce core.
Why this matters: Whether or not a leak happens, publicity triggers targeted phishing that reuses real details from customer records (names, loyalty numbers, past support issues).
Who’s most affected (and why)
- Travelers & loyalty members: Expect “bonus miles” or “account lock” lures that look real and name your airline or status.
- Customers who opened support tickets: Support text sometimes contains sensitive info (order numbers, even passwords/keys). Criminals mine that data for follow‑on attacks.
- Anyone reusing passwords: If your email password equals your airline/shopping password, one compromise enables takeover.
What to do now (5 steps)
- Turn on 2‑factor authentication (2FA) for email, airline, bank, investing apps. Prefer an authenticator app over SMS.
- Freeze your credit (U.S.) or use the strongest bureau protections in Canada/Mexico.
- Ignore “refund,” “rebooking,” and “bonus miles” links in email/text. Go to the brand’s app/site directly.
- Review & revoke old connected‑app permissions for Google/Microsoft/Apple and social accounts; remove what you don’t use.
- Rotate reused passwords and turn on 2FA everywhere you can (password manager recommended).
FAQ
Was Salesforce itself hacked?
No. Current evidence points to abuse of a third‑party connected app and stolen OAuth tokens in August—not a Salesforce platform bug.
Why are airlines like Qantas mentioned?
Airlines hold valuable contact and loyalty data that can be reused in phishing. Legal steps may limit publication, but scams often follow the headlines.
Should I pay a “data deletion” fee if I’m contacted?
Never. That’s part of the scam. Stick to the steps above and watch for official notices posted on a company’s website (not links sent to you).
This guide is editorial, not legal advice.