Claims Salesforce hit by 1 billion record hack

Hackers behind Co-op, Jaguar cyber attacks claim they have a new scalp

By Matthew Sellers

A sprawling cybercrime campaign has reportedly swept across global companies using Salesforce’s cloud platforms, with hackers claiming to have stolen close to a billion customer records. The alleged breach — and a newly patched vulnerability in Salesforce’s AI-driven services — is raising fresh questions about how insurers and their clients should assess and price cyber risk.

A New Leak Site Targets Victims

On Friday, a group calling itself Scattered LAPSUS$ Hunters unveiled a dark-web site that listed dozens of prominent companies as victims. The hackers, who have operated under names including ShinyHunters, Scattered Spider, and Lapsus$, warned firms to pay up or see their stolen Salesforce data dumped online.

“Contact us to regain control on data governance and prevent public disclosure of your data,” the site reads. Samples of information tied to nearly 40 companies have been posted, with threats of full publication by mid-October if negotiations do not occur.

Among those named are global airlines, carmakers, retailers, technology providers, and financial services firms. Allianz Life, TransUnion, and Farmers Insurance are among the organizations that have acknowledged being affected. Hackers also listed FedEx, Disney’s Hulu, Toyota, Marriott, and Google among others.

The attackers say they did not directly penetrate Salesforce itself. Instead, they claim to have used “vishing” — voice-based social engineering — and malicious OAuth applications to trick employees into granting access to corporate Salesforce instances. Once inside, they exfiltrated customer records and began sending ransom notes.

Salesforce’s Response

Salesforce has stressed that its own systems remain intact. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a spokesperson said. The company added that it is supporting affected customers and investigating reports of extortion.

The firm has faced scrutiny before. Just weeks ago, security researchers disclosed a severe flaw in Salesforce’s Agentforce AI product. Dubbed ForcedLeak, the vulnerability allowed attackers to embed malicious instructions in a Web-to-Lead form that tricked Salesforce’s AI into leaking sensitive CRM data. Though promptly patched, the discovery underscored how artificial intelligence has broadened the attack surface for enterprise software.

Implications for the Insurance Sector

For insurers, the episode highlights multiple exposures. Cyber liability underwriters face the immediate question of whether clients who rely on Salesforce — including brokers, carriers, and reinsurers themselves — may face claims from consumers and regulators. The hackers have already invoked Europe’s GDPR, threatening to support litigation against Salesforce for alleged failures in protecting personal data.

At the same time, incident responders warn that a broad set of industries are at risk of second-order effects. Insurers that provide cover for directors’ and officers’ liability, professional indemnity, or errors and omissions may also see claims if policyholders are accused of inadequate oversight of vendor risk.

The attacks also revive a persistent dilemma: whether insurers themselves should engage with ransom demands. Publicly, most carriers discourage payment, but in practice, insureds frequently rely on coverage to negotiate or settle with attackers. The fact that this campaign spans hundreds of firms — and involves both extortion and data theft — could drive significant aggregate losses. The obvious downside, as the Japanese have discovered, is that willingness to pay can make you a soft target.

A Changing Threat Landscape

For years, ransomware gangs focused on encrypting systems and then negotiating privately. The shift toward mass data theft and public leak sites, now adopted by groups once considered loosely organized, changes the calculus. Companies cannot quietly recover — they must confront reputational fallout, regulatory inquiries, and class-action risk even if they restore their systems.

For insurance professionals, the Salesforce campaign offers a case study in why underwriting due diligence, client education, and incident response readiness are paramount. It also underscores the urgency of building new models to account for the vulnerabilities tied to AI-driven platforms, which are only beginning to be understood.

As the deadline for ransom negotiations approaches, the real question for insurers and their clients is not whether Salesforce itself was compromised — but how far the contagion of third-party risk can spread, and how well the industry is prepared to absorb it.
