Date of Incident:
2025-05
Overview:
In May 2025, Stellantis suffered a data breach through unauthorized access to a third-party service provider's Salesforce platform that supports its customer service operations in North America. The attackers obtained more than 18 million records containing customer contact information (names and contact details); according to Stellantis, no financial or other sensitive personal information was taken. The company disclosed the incident in September 2025 and warned affected customers to be wary of phishing, since exposed contact data is routinely reused for targeted lures. The initial access vector has not been confirmed; compromised credentials or a weakness in the third-party supply chain are the most plausible explanations, with the data then exported in bulk through Salesforce APIs. The incident primarily affects Stellantis, but the same exposure applies to any automotive company that runs customer service on a similarly structured third-party SaaS platform.
Impact:
Attackers stole customer contact information from the platform of a third-party service provider that supports Stellantis' North American customer service operations. More than 18 million Salesforce records, including names and contact details, were taken. No financial or sensitive personal information was compromised. Affected customers were advised to treat unexpected calls, emails and messages referencing Stellantis with suspicion, since the stolen data is exactly what a phishing campaign needs.
Details:
The breach involved unauthorized access to a third-party Salesforce platform used for customer service operations. The most likely MITRE ATT&CK mapping is Initial Access via Valid Accounts (T1078), using compromised credentials or a foothold gained through the third-party supply chain, followed by exfiltration of customer contact data through the platform's own APIs. Because the data left via Salesforce's SaaS interfaces rather than an attacker-run command-and-control channel, Exfiltration Over Web Service (T1567) describes this better than T1041 (Exfiltration Over C2 Channel). The probable mechanism is a sequence of authorized-looking API calls, SOQL queries or Bulk API jobs that paged through and extracted more than 18 million records. Indicators to hunt for include connections to Salesforce APIs from unfamiliar IP addresses, logins at unusual times, and access logs showing bulk export volumes far above a support agent's normal usage. Salesforce Event Monitoring (API, Bulk API and Login event types) and Login History would show large row counts requested and transferred, and possibly anomalous user agent strings or session tokens that indicate a reused or hijacked session. Endpoint or registry artefacts are unlikely, since the activity took place entirely within a cloud-hosted platform. No financial or sensitive personal information was accessed, so the data at risk is limited to contact details.
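The indicators described above (bulk row volumes, unfamiliar source addresses, unexpected API clients) can be hunted in Salesforce Event Monitoring exports with a short script. The following is an added example, not code from the original article nor from Stellantis or Salesforce. The column names loosely follow Salesforce's API event log format but are an assumption, the sample log is constructed, and the trusted IP range, approved user agents, row threshold and one-hour window are illustrative values a team would tune to its own environment.

```python
"""Hunt for bulk-export indicators in Salesforce-style API event logs.

Added example. Column names only loosely mirror Salesforce Event Monitoring
(EventLogFile) API events and are an assumption; thresholds, trusted ranges and
approved clients are illustrative placeholders.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a service account pulls huge Contact batches from an
# address outside the corporate range using an unfamiliar client, while two
# agents do ordinary work from the office range.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,USER_AGENT,API_TYPE,ENTITY_NAME,ROWS_PROCESSED
2025-05-12T02:14:03Z,svc-support@example.com,203.0.113.57,python-requests/2.31,Bulk,Contact,500000
2025-05-12T02:21:40Z,svc-support@example.com,203.0.113.57,python-requests/2.31,Bulk,Contact,500000
2025-05-12T02:29:11Z,svc-support@example.com,203.0.113.57,python-requests/2.31,Bulk,Contact,500000
2025-05-12T09:02:55Z,agent1@example.com,198.51.100.20,Mozilla/5.0,REST,Case,25
2025-05-12T09:05:10Z,agent2@example.com,198.51.100.21,Mozilla/5.0,REST,Contact,40
2025-05-12T23:58:00Z,agent1@example.com,198.51.100.20,Salesforce Data Loader,Bulk,Contact,2000
"""

TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed corporate egress
KNOWN_CLIENTS = ("Mozilla/", "Salesforce Data Loader")       # assumed approved user agents
ROW_THRESHOLD = 100_000      # rows per user per window before it counts as bulk export
WINDOW = timedelta(hours=1)  # sliding window for the row-count check


def parse_events(text):
    """Parse CSV event rows into dicts with a datetime and an integer row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def untrusted_ip(ip):
    """True when the client address falls outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_RANGES)


def unknown_client(user_agent):
    """True when the user agent does not match an approved client prefix."""
    return not user_agent.startswith(KNOWN_CLIENTS)


def bulk_export_users(events):
    """Map each user to the largest ROWS_PROCESSED total seen in any WINDOW-long
    sliding window, keeping only users who exceed ROW_THRESHOLD."""
    by_user = defaultdict(list)
    for e in events:  # events are already time-sorted
        by_user[e["USER_NAME"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rows"]
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:  # drop events older than WINDOW
                total -= evs[start]["rows"]
                start += 1
            if total > ROW_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def hunt(text):
    """Return (indicator, user, detail) findings for every suspicious row or user."""
    events = parse_events(text)
    findings = []
    for user, total in bulk_export_users(events).items():
        findings.append(("bulk_export", user, f"{total} rows within {WINDOW}"))
    for e in events:
        if untrusted_ip(e["CLIENT_IP"]):
            findings.append(("untrusted_ip", e["USER_NAME"], e["CLIENT_IP"]))
        if unknown_client(e["USER_AGENT"]):
            findings.append(("unknown_client", e["USER_NAME"], e["USER_AGENT"]))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in hunt(SAMPLE_LOG):
        print(indicator, user, detail)
```

Run against the constructed log, only the service account is flagged: 1.5 million Contact rows inside one hour, every call from outside the trusted range, and a scripting client nobody approved. In practice the same three checks would be joined with Login History (new geolocation, impossible travel) and correlated by session, so that a single hijacked session rather than a noisy user stands out.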
Remediation:
Salesforce is vendor-maintained SaaS, so there are no customer-side patches to apply; the hardening Salesforce recommends is configuration. Enforce multi-factor authentication for every user, including integration and service accounts; restrict profiles with login IP ranges so sessions and API calls from outside known networks are rejected; restrict connected apps to admin-approved users and review their OAuth scopes and permissions regularly; and limit who holds the API Enabled, Bulk API and data export permissions, since those are what bulk exfiltration depends on. Immediate containment steps are to revoke sessions and OAuth refresh tokens for suspected accounts, rotate their credentials, and watch Event Monitoring for unusual export volumes. Longer term, tighten OAuth token lifetimes and re-authorization policies and feed Salesforce login and API events into real-time anomaly detection, with the same scrutiny applied to any third-party provider that operates the platform on the company's behalf.
Takeaway for CISO:
The breach highlights the risk created by third-party platform integrations and the need for stringent access controls and continuous monitoring over data that sits outside the company's own perimeter. CISOs should prioritize securing third-party and service-account access, enforcing MFA, and deploying anomaly detection on bulk data access to limit data leakage. Prompt incident response and early customer advisories are equally important, because stolen contact data is used almost immediately for phishing against the affected customers.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management