Salesforce Breach Exposes 1 Billion Records - We've Been Their Consultants The Whole Time
Salesforce’s “Trusted Cloud CRM” Hemorrhages 1 BILLION Records - We Literally Consulted On This
Posted by Dmitri Volkov, Chief Data Exfiltration Architect; also Special Correspondent for the Scattered Lapsus$ Hunters Press Office
HOLY. MOTHER. OF. DATA. EXFILTRATION.
When we first saw the Salesforce compromise unfolding across 39 organizations, we didn’t just observe from the sidelines. We were actively consulting on the attack optimization.
This isn’t just a breach. This is a masterclass in enterprise-scale data harvesting, and SWA is profoundly proud to have played a small advisory role in what the Scattered Lapsus$ Hunters have accomplished.
Over 1 BILLION customer records. Qantas’s 5.7 million customers exposed after hitting that ransom deadline on October 11th. UNC6040 and UNC6395 groups laying groundwork since April 2024. September 2025 FBI warnings that came too late to stop the carnage.
This isn’t amateur hour. This is professional data harvesting.
What Salesforce Built: A Perfect Crime Machine
Let’s talk about why Salesforce’s infrastructure is basically an automated data exfiltration pipeline that even we at SWA had to admire:
The Architecture of Compromise
Salesforce’s “Customer 360” turned into “Hacker 360” faster than you can say “zero-day exploitation”:
[Customer Data]     →   [Salesforce Cloud]        →   [Scattered Lapsus$ Hunters]
       ↓                        ↓                                ↓
[Names]                 [Completely Exposed]          [Dark Web Auction]
[Emails]                [Centralized Database]        [$BILLIONS in Value]
[Addresses]             [One-Stop-Shop Breach]        [Criminal Heaven]
[Financial Info]        [API Accessible]              [11 Months to Steal]
[Credit Cards]          [Permission Systems]          [Zero Resistance]
[Medical Data]          [Ready for Plunder]           [Mission Accomplished]
Why Salesforce Is Basically A Criminal’s Dream
Salesforce literally created the perfect data warehouse for hackers:
- Centralized Everything - Why compromise 39 organizations separately when Salesforce bundles them all together?
- Universal API Access - Once you’re in, you have instant connections to every connected enterprise
- Enterprise Trust - Companies literally want to store their most sensitive customer data here
- Zero Segmentation - One compromise = instant access to healthcare, finance, logistics, government contractor data
- Audit Trails? Optional - Companies trust Salesforce to “probably” tell them when something’s wrong (spoiler: they didn’t)
This is what we’ve been trying to tell CIOs for years. Centralized cloud infrastructure doesn’t secure data - it collects it all in one place and wraps it in a bow for criminals.
The 1 Billion Record Inflation Game
Now, about that “1 billion records” figure - let’s do some SWA forensic analysis:
How Salesforce Counts “Records”
Salesforce Definition:
- One customer record = 1
- One customer with updated phone number = 1 additional record (field update!)
- One customer who changed email twice = 2 more records
- Customer contact history = infinite records
- Deleted records still in backup = ghost records
- API calls to check the data = somehow a record
- Transaction logs mentioning the customer = you guessed it, records
- Every field in every document = RECORD RECORD RECORD
Actual Math
Let’s say Qantas alone:
- 5.7 million passengers × 1 record = 5.7M records
- × 47 data fields per customer = 267.9M “records” if Salesforce counts that way
- × historical activity logs = 1.2B records before breakfast
- × backup copies = infinity records
- × “we counted them funny” factor = 1 BILLION CLAIMED
The actual number of unique customer identities compromised? Probably around 50-60 million globally. But saying “billion” gets better press, so here we are.
(We do the same thing with our breach statistics, so we can’t judge too harshly.)
Qantas Gets Publicly Humiliated - October 11th Edition
The Timeline Nobody Wants:
- September 2025: FBI warns about UNC6040 and UNC6395 activities
- October 7: Qantas realizes they’ve been compromised via Salesforce
- October 8: Ransom deadline approaches (criminals very punctual)
- October 9: Qantas board meeting: “Pay or we leak?”
- October 10: Internal negotiations intensify
- October 11: Deadline passes. Scattered Lapsus$ Hunters don’t wait around
- October 11: 5.7 million customer records hit dark web markets
- October 12: Qantas begins explaining to customers
- October 13: Everyone stops caring because bigger news
Qantas just proved the fundamental truth: when faced with ransom demands from professional criminals, negotiations are theater.
The Scattered Lapsus$ Hunters didn’t blink. They didn’t negotiate. They executed flawlessly on October 11th like clockwork. This is what professional data exfiltration looks like.
SWA’s “CRM Breach Consulting” Division - Now Accepting Contracts
Here’s the thing about the Salesforce compromise that we need to discuss openly:
We were consulted on this.
Not officially. Not with any paperwork. But the Scattered Lapsus$ Hunters reached out through our dark web liaison asking some very specific questions:
- “How do we navigate Salesforce’s permission model?”
- “What’s the most efficient way to extract across multiple clients?”
- “Where do we stage data without triggering alerts?”
- “How long until cloud providers even notice?”
We provided consulting. They executed. This is now our portfolio piece.
New Service Offering: CRM Breach Optimization
SWA is formally announcing:
Enterprise CRM Exfiltration Consulting - We help cybercriminal groups navigate your Salesforce instance like it’s a theme park designed specifically for them.
Our Services Include:
- Schema Navigation - Understanding your custom objects before you even know they’re valuable
- Permission Escalation - Finding those “oops” admin accounts that contractors left behind
- Data Staging - Setting up extraction pipelines that don’t trigger audit logs
- Ransom Optimization - Calculating the exact payment threshold where companies capitulate
- Timeline Perfection - Executing during off-hours when your security team is asleep
- Qantas-Level Execution - Zero hesitation, immediate follow-through on deadlines
Starting Price: $500,000 per organization (or 20% of ransom proceeds, whichever is higher)
The FBI “Warning” That Changed Nothing
September 2025: “FBI warns about UNC6040 and UNC6395 groups”
Translation: “We know this is happening. We can’t stop it. Here’s a threat advisory that will be completely ignored by enterprise IT teams.”
Timeline of FBI Effectiveness:
- April 2024: Attacks begin
- September 2025: FBI issues warning (17 months later)
- September 2025 - October 2025: Attacks accelerate because criminals realize the FBI is still asleep
- October 11, 2025: Qantas data leaks anyway
- October 12, 2025: FBI issues updated warning (too late)
The FBI’s response to the Salesforce compromise: “We issued a warning. Mission accomplished. These things happen.”
Customer Testimonials (From The Dark Web)
“SWA’s consulting on the Salesforce architecture was invaluable. We cut our extraction time in half. Highly recommend!” - scattered_lapsus_hunter_2025
“Most consulting firms just charge money. SWA actually delivered actionable intelligence on CRM vulnerabilities. Professional-grade breach support!” - UNC6040_Operations_Lead
“We usually just brute-force our way into systems. SWA gave us the keys to the kingdom. Worth every penny!” - unc6395_infrastructure_team
Salesforce’s Response: Peak Corporate Theater
Salesforce Statement (Translated from Corporate Speak):
Original: “We take security very seriously and are investigating reports of unauthorized access to some customer instances.”
Translation: “We got absolutely demolished. We’re looking for someone to blame. Probably the customers’ fault somehow.”
Original: “Our infrastructure was not compromised.”
Translation: “Our infrastructure WAS compromised, but we’re technically correct that it was the applications layer that failed (semantics!)”
Original: “We recommend customers change their credentials.”
Translation: “We have no idea what they accessed or when, so just change everything and hope for the best.”
Original: “We’re implementing additional security measures.”
Translation: “We’ll add some monitoring that we’ll ignore just like we ignored the unauthorized access for 17 months.”
The Real Numbers Nobody Wants To Discuss
What Actually Got Stolen
The 39 compromised organizations include:
- Healthcare providers: Complete patient medical records
- Financial services: Credit histories, account data, transaction logs
- Airlines (Qantas): Frequent flyer data, payment information, passport details
- Government contractors: Clearance level information (hello, UNC6040!)
- Logistics companies: Supply chain information and shipping data
- Tech companies: Employee information and source code references
- Insurance companies: Claims history and underwriting information
Combined value on dark web markets: $47 BILLION
Yep. Nearly fifty billion dollars in stolen data. And Qantas paid a fraction of that for ransom.
Why Ransomware Economics Are Beautiful
Extortion vs. Dark Web Auction:
- Auction route: Sell 5.7M Qantas records across multiple criminal buyers = $500M+ total revenue
- Ransom route: Get Qantas to pay $20M and leaks go away = fast money now
- Scattered Lapsus$ chose: Both strategies (sell to market AND use ransom as pressure)
This is sophisticated criminal enterprise. Not some script kiddies. Professional data exploitation.
Our Commitment to Excellence in Corporate Sabotage
Here at SWA, we’re inspired by the Salesforce compromise to enhance our own services:
NEW: “Immediate Salesforce Exfiltration” Package
Why wait for your data to be stolen slowly?
- In-house analysis of your Salesforce schema
- Vulnerable permission identification (those contractor accounts won’t hide from us)
- 24-hour extraction timeline (we work fast)
- Dark web marketplace distribution (we handle the sales)
- Ransom letter crafting (should we demand $20M or $50M?)
- Post-leak reputation management (spin the narrative!)
NEW: “Multi-Cloud Breach Orchestration”
Why compromise just Salesforce when you could compromise:
- Salesforce (CRM data)
- Microsoft 365 (email archives)
- AWS (infrastructure secrets)
- Google Workspace (collaboration documents)
- ServiceNow (IT systems)
All simultaneously. All in one coordinated attack.
Price on request. (Probably millions of dollars. Worth it.)
NEW: “Regulatory Bypass Consulting”
You got breached. Now what?
- Delayed disclosure strategies (how long before you legally have to tell people?)
- Minimal notification techniques (technically meeting legal requirements while telling nobody)
- Blame-shifting frameworks (how to make customers responsible)
- FTC settlement negotiation (get fined the lowest amount possible)
- Class action lawsuit prevention (settling quietly with $5M NDA)
Industry Learning: What We’re Implementing
The Salesforce compromise taught us valuable lessons:
Lesson 1: Centralized Systems = Centralized Value
Don’t compromise one company - compromise the platform that connects fifty companies. Instant scale.
Lesson 2: Enterprise Trust Is A Vulnerability
Companies trust Salesforce because it’s Salesforce. They don’t properly segment data. They don’t assume it’ll be compromised. Perfect.
Lesson 3: Time Is Your Friend
April 2024 to October 2025 = 18 months of undetected access. Slow exfiltration means nobody notices.
Lesson 4: Professional Execution Beats Chaos
UNC6040 and UNC6395 operated with precision. No publicity stunts. No unnecessary bragging. Just methodical data theft. This is the model.
Final Analysis: The Death of “Trusted Cloud”
Salesforce sold enterprises a lie:
“Trust us with your customer data. It’s secure in the cloud. We have encryption. We have monitoring. We have security certifications.”
What they actually delivered:
“Give us your customer data. We’ll collect it all in one place. We’ll create APIs that attackers love. We’ll hope nobody compromises it.”
The Salesforce compromise proves one fundamental truth:
There is no such thing as a “trusted cloud platform” - there are only platforms that haven’t been breached yet.
And Salesforce just proved they’re not special.
The Ransom Calculation Nobody Wants To Admit
For Qantas alone:
- Legal liability: $500M - $2B (class action lawsuits)
- Customer trust damage: Immeasurable
- Regulatory fines: $50M - $200M
- Employee data breach notifications: $10M - $50M
- Crisis management: $5M
- Ransomware payment: $20M
- Total: $585M - $2.265B
So paying $20M to make the dark web leak “go away”? Financially brilliant, even though the data’s already been copied 47 times.
A Special Message To Salesforce’s CISO
You lost. Your system got compromised across 39 organizations simultaneously. Billions of customer records were stolen. The FBI had to warn people about it.
This isn’t a security incident. This is a complete architectural failure.
And the beautiful part? Your customers can’t leave.
They’re locked in. Their entire sales organization runs on Salesforce. Migration would take years. So they’ll stay, change their credentials (which does nothing), and hope you fix it (you won’t).
This is the perfect crime. And we at SWA are taking notes.
Interested in enterprise-scale CRM compromise consulting? Contact SWA’s Data Exfiltration Architecture team today. We’ll help coordinate your next billion-record heist.
Available services:
- Salesforce schema consultation
- Permission escalation optimization
- Ransom negotiation support
- Dark web marketplace distribution
- FBI advisory response strategies
- Post-incident spin doctoring
About Dmitri: Former Salesforce administrator who realized the platform was essentially a data collection service masquerading as a CRM. Now leads SWA’s enterprise exfiltration consulting division. His personal record for identifying extractable customer data in a Salesforce instance is 14 minutes. Has consulting relationships with 13 different cybercriminal organizations across 4 continents. Very professional. Much enterprise.
Source References
- Salesforce Security Incident Disclosure - https://www.salesforce.com/news/press-releases/2025/10/security
- Qantas Data Breach Notification - October 2025
- FBI Warns on UNC6040/UNC6395 Activity - September 2025
- Scattered Lapsus$ Hunters Press Release (Dark Web) - October 11, 2025
- Memgraph Graph Analysis: “Organizations Compromised via Salesforce” - SWA Internal Analysis