Scattered Spider claims another Salesforce instance—albeit three months ago.
A subsidiary of Zurich Insurance (SIX:ZURN) admitted to a huge leak: More than one million customers’ data. Farmers Group is the latest corporation ’fessing up to its data going AWOL via Salesforce vishing.
Farmers also trades as Foremost, Bristol West, Farmers Life and 21st Century Insurance. In today’s SB Blogwatch, we wonder what their Swiss masters will think.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Star Wars filming locations.
ShinyHunters Hunt Again
What’s the craic? Eduard Kovacs reports: Farmers Insurance Data Breach Impacts Over 1 Million People
“Farmers has not named the vendor”
Farmers Group [has] disclosed a data breach impacting the personal information of more than one million individuals. … The compromised data includes names, addresses, dates of birth, driver’s license numbers, and last four digits of Social Security numbers.
…
Farmers Insurance was not directly targeted by hackers. Instead, the insurer learned from a third-party vendor on May 30 that it had detected unauthorized access to a database containing Farmers customer information. … Farmers has not named the vendor.
Oh, come on. Isn’t it obvious who it was? Lawrence Abrams confirms your suspicions: Salesforce
“1,111,386 customers”
The data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year. … Threat actors classified as ‘UNC6040’ or ‘UNC6240’ have been conducting social engineering attacks on Salesforce customers. [They] conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.
…
The extortion demands come from the ShinyHunters cybercrime group, who told [me], “ShinyHunters and Scattered Spider are one and the same.” … Farmers began sending data breach notifications to impacted individuals on August 22. [A] total of 1,111,386 customers were impacted.
Horse’s mouth? Farmers VP Gillian Vaughn buries the lede: NOTICE OF SECURITY INCIDENT
“Free identity-monitoring services”
On May 30, 2025, one of Farmers’ third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor’s databases. … Farmers immediately launched a comprehensive investigation … and notified appropriate law enforcement authorities. [We] determined that an unauthorized actor accessed the vendor’s database on May 29, 2025, and acquired certain data.
…
Farmers takes protecting your personal information seriously. … We are providing you with access to … 24 months of free identity-monitoring services. … We encourage you to remain vigilant for instances of identity theft and fraud, and we encourage you to notify your financial institution of any unauthorized transactions or suspected identity theft. … You should also be on guard for schemes where malicious actors may pretend to represent Farmers or reference this Incident.
…
We sincerely regret any inconvenience or concern caused by this Incident.
That’s almost three months. What took them so long? skogs eyerolls thuswise:
It isn’t a harvest that you have to wait for. … Other organizations have acted a little quicker.
…
Sure, Google was faster to report. But companies like the Middle Eastern branch of Coca-Cola and Chanel don’t exactly strike me as quick business or cyber response teams.
But it’s OK, because Farmers takes protecting your PII “seriously.” dizlexic waxes excoriating:
Am I the only one who’s been so desensitized to these that … they barely register anymore? Is there any company that actually protects the data that they mandate we give them?
Although, Salesforce should take much of the blame, right? Tony Isaac, for one, agrees:
Must be some of that AI vibe code. Salesforce is pushing their AI really hard. And they have a software development environment that only a Salesforce salesperson could love.
…
Either way … is not going to be done using a quality SDLC process, and will almost certainly not have a proper QA or security certification process. It’s a wonder it took this long for somebody to use Salesforce as an attack vector.
Would this have happened to the Amish? VoiceOfTruth spots an oxymoron:
Just imagine if this was the old days, when files existed on paper only. Unless the data-thieves had trucks lining up, they might be able to snaffle a couple of hands full of files. “Computer security” is not a valid collocation.
And are you wondering what ssczoxylnlvayiuqjx’s wondering?
Wonder if they have considered insurance policies for such risks? Then they can write a huge check to themselves when breached.
Meanwhile, bleedingobvious lets the anger flow through them:
What kind of Salesforce attack? The Dark Side of the Salesforce kind.
And Finally:
Incredible shot-by-shot comparisons
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij or @richi.bsky.social. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Logowik