What Happened: Stellantis, one of the world’s largest automakers, confirmed that a data breach compromised the PII of its North American customers. The breach occurred through a third-party SaaS integration connected to Salesforce, which was used in Stellantis’s customer service operations.
Attacks In-Depth: This attack is the latest in a string of Salesforce-related breaches in which attackers have exploited third-party connections into the platform rather than Salesforce itself. In previous attacks, ShinyHunters compromised integrations such as Dataloader for data exfiltration and Salesloft Drift to mount broader supply chain attacks.
- This breach is reportedly tied to ShinyHunters, a well-known data extortion group that has made headlines repeatedly this year for attacks through Salesforce. Notably, ShinyHunters claimed last week that they were ceasing operations, stating, “Our objectives having been fulfilled, it is not time to say goodbye.” Such declarations are often disinformation tactics, meant to confuse defenders or simply to create a splash.
- Earlier this month, Jaguar Land Rover (JLR) was hit by a similar attack that shut down its factories until October 1st, leading to a loss of $68M USD per week. Past victims include Air France, KLM, Google, Chanel, Qantas, and LVMH.
- In Stellantis’s case, attackers accessed customer contact data tied to its North American operations. The company activated its incident response procedures and has begun notifying impacted customers and the authorities.
Why This Matters:
- Everything is connected—and that’s the risk. In today’s SaaS-driven environment, a single compromised tool out of thousands can give attackers a direct path into your most sensitive systems. This is the core danger of the modern SaaS supply chain, especially because many of these integrations are invisible to security and IT teams.
- It is critical to note that these incidents do not indicate any inherent vulnerability in Salesforce. These breaches highlight the importance of the shared responsibility model, where organizations must properly secure their accounts, credentials, and access controls in addition to Salesforce’s built-in protections.
Taking a Step Back:
- The automotive industry is the new pressure point. Threat groups are moving methodically across industries, and the automotive sector is now firmly in the spotlight. Just as earlier waves hit tech, finance, and airlines, the breaches at Jaguar Land Rover and Stellantis show attackers deliberately exploiting the shared vendor stacks and SaaS integrations common to the automotive sector. For an industry already stretched by tight margins, EV transitions, and complex logistics, this makes cyber resilience a direct supply-chain and production risk.
- Supply-chain contagion is accelerating. Obsidian Security has found that by compromising a single SaaS vendor like Salesloft, attackers can amplify their reach 10x, pivoting downstream into hundreds of connected environments. This marks a new phase of SaaS exploitation—where one stolen OAuth token or integration doesn’t just breach one company, but cascades across entire industries. With more than 760 organizations already touched by this campaign, the JLR and Stellantis incidents are not isolated cases but early previews of systemic disruption at industrial scale.
Prevention Methods:
- General Strategies:
  - Audit and monitor third-party access regularly.
  - Restrict or rotate OAuth tokens and app permissions.
  - Invest in SaaS security and third-party risk management.
  - Organizations can also get a free Salesforce risk assessment from Obsidian today.
- For Obsidian customers:
  - Monitor Obsidian alerts for anything related to Salesforce or Okta.
  - Consistently review native and third-party application integrations in your core SaaS applications. Obsidian's Integration Risk Management (IRM) capabilities let you monitor the addition or modification of privileges and scopes, and also give you visibility into how these integrations are actually being used.
  - Use Obsidian’s Browser Extension to detect and automatically block account takeovers (ATO) from advanced phishing kits (such as Evilginx reverse proxy websites).
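One way to put the general strategies above (audit third-party access, restrict or rotate OAuth tokens and scopes) into practice, as an added example that is neither Obsidian's code nor Salesforce's API: a Python audit over a constructed export of connected-app token grants that flags unapproved integrations, 'full'-scope grants, stale long-lived tokens, and bulk API use from an unapproved app. The CSV fields, the approved-app list and the thresholds are assumptions for the example.

```python
# Added example: audit a constructed export of Salesforce connected-app OAuth tokens for
# the conditions the brief names: unapproved integrations, over-broad scopes, stale
# long-lived tokens, bulk API use. CSV fields are assumptions, not Salesforce's schema.
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data): one row per user-to-app token grant.
TOKEN_EXPORT = """app_name,user,scopes,last_used,use_count
Data Loader,ops.admin@example.com,api refresh_token,2025-09-18,1420
MarketingSync,sales1@example.com,full refresh_token,2025-03-02,9
MarketingSync,sales2@example.com,full refresh_token,2025-09-19,212
Helpdesk Connector,support@example.com,api,2025-09-17,88
UnknownExporter,contractor@example.com,api refresh_token web,2025-09-19,5000
"""

APPROVED_APPS = {"Data Loader", "MarketingSync", "Helpdesk Connector"}  # assumed allowlist
STALE_AFTER = timedelta(days=90)    # a refresh token unused this long should be revoked
HIGH_VOLUME = 1000                  # API calls; tune to the org's own baseline
AUDIT_DATE = datetime(2025, 9, 22)  # fixed "today" so the run is reproducible

def audit_tokens(export_csv, today, approved=APPROVED_APPS):
    """Return (severity, app, user, reason) tuples for every risky token grant."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        app, user = row["app_name"], row["user"]
        scopes = set(row["scopes"].split())
        last_used = datetime.strptime(row["last_used"], "%Y-%m-%d")
        use_count = int(row["use_count"])
        if app not in approved:
            findings.append(("high", app, user, "integration not on the approved list"))
            if use_count >= HIGH_VOLUME:  # unknown app pulling lots of data
                findings.append(("high", app, user, "unapproved app with bulk API usage"))
        if "full" in scopes:
            findings.append(("high", app, user, "grant carries the 'full' scope"))
        if "refresh_token" in scopes and today - last_used > STALE_AFTER:
            findings.append(("medium", app, user, "long-lived token unused for >90 days"))
    return findings

def summarize(findings):
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts  # e.g. {'high': 4, 'medium': 1} for the sample export

def run_audit():
    return audit_tokens(TOKEN_EXPORT, AUDIT_DATE)

if __name__ == "__main__":
    print(*run_audit(), sep="\n")
```

In a real environment the export would come from the org's connected-app and token reports, and the approved list from the integration inventory the brief recommends keeping.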