    Human Risk Roundup: A Salesforce campaign and Rapper Bot sandwich

    Two related campaigns to steal Salesforce data and a bot called Rapper sandwiched between them make up today’s roundup

    by Renatta Siewert

    Key Points

    • Workday disclosed a data breach targeting Salesforce data linked to a widespread social engineering campaign.
    • A 22-year-old man from Oregon was arrested for operating Rapper Bot, a botnet used for launching massive distributed denial-of-service (DDoS) attacks.
    • Hackers targeted Allianz Life in another Salesforce data theft attack, compromising the personal information of 1.1 million individuals.

    In this edition of the Human Risk Roundup, we dive into three recent high-profile events – keep reading for more information.

    Workday Data Breach Bears Signs of Widespread Salesforce Hack

    Workday disclosed a data breach during which attackers accessed a third-party CRM system, obtaining business contact information through a social engineering campaign targeting employees. This incident is part of a broader attack on Salesforce instances, potentially linked to cybercrime groups like Scattered Spider and ShinyHunters, affecting multiple major organizations.

    What happened

    During the breach, attackers obtained business contact information such as names, phone numbers, and email addresses. The attackers impersonated IT or HR staff to trick employees into revealing sensitive information. Workday confirmed that there was no access to customer tenants or internal data and has implemented additional safeguards. Other major organizations, including Adidas, Cisco, and Google, have also been targeted in this campaign.

    Why it matters

    The Workday data breach underscores the importance of robust employee training and multi-layered security measures to counter social engineering tactics. It also emphasizes the need for cybersecurity personnel to monitor third-party systems and implement safeguards against unauthorized access. 

    Four practical tips for security leaders

    1. Educate employees about social engineering tactics, such as fake IT or HR calls, to prevent attackers from gaining access to sensitive information.
    2. Regularly audit and monitor third-party systems, like CRM platforms, to ensure they are not weak links in your security chain.
    3. Add extra layers of security, such as multi-factor authentication and access controls, to protect against unauthorized access.
    4. Stay informed about ongoing campaigns and threat actors, like Scattered Spider and ShinyHunters, to proactively adjust your security strategies.

    Read more about the breach.


    Oregon Man Charged in ‘Rapper Bot’ DDoS Service

    A 22-year-old Oregon man, Ethan J. Foltz, was arrested for operating "Rapper Bot," a botnet of tens of thousands of hacked IoT devices used for massive DDoS attacks, including one that disrupted Twitter/X in March 2025. The botnet, rented to extortionists, conducted over 370,000 attacks globally, while Foltz and his partner took measures to avoid detection by law enforcement.

    What happened

    The botnet was rented out to extortionists and targeted various businesses, primarily in China. Foltz and his co-conspirator, known as "Slaykings," maintained the botnet at a manageable size to avoid detection while conducting over 370,000 attacks between April and August 2025. Investigators tracked Foltz through PayPal and Google records, revealing his efforts to monitor security blogs and evade law enforcement. The botnet's attacks often exceeded six terabits per second, causing significant financial and operational damage to victims. If convicted, Foltz faces up to 10 years in prison for aiding and abetting computer intrusions.

    Why it matters

    Leveraging tens of thousands of IoT devices, Rapper Bot executed massive DDoS attacks. The case underscores the vulnerabilities of IoT devices and the need for robust security measures to prevent their exploitation. It also reveals how cybercriminals attempt to evade detection by maintaining a "Goldilocks" botnet size and avoiding high-profile targets like KrebsOnSecurity. The financial and operational impact of such attacks, which can cost victims thousands of dollars per minute, emphasizes the importance of proactive defense strategies. Finally, the case serves as a reminder of the critical role of collaboration between law enforcement and cybersecurity experts in combating these sophisticated threats.

    Four practical tips for security leaders

    1. Ensure all IoT devices in your network are secure and updated.
    2. Invest in robust DDoS defense technologies, such as load balancers, overprovisioning, or services like Google’s Project Shield.
    3. Stay informed about new exploits and malware strains by monitoring cybersecurity news and threat intelligence reports.
    4. Regularly audit and minimize the exposure of your network to potential threats, including enforcing strict access controls, using passkeys, and implementing standardized policies to prevent unauthorized devices from interfacing with critical systems.

    Read more about the botnet.


    Massive Allianz Life data breach impacts 1.1 million people

    A data breach at Allianz Life linked to a Salesforce-targeted attack by the ShinyHunters extortion group (who are also possibly responsible for the first breach in today’s Human Risk Roundup) exposed PII of 1.1 million individuals, including names, email addresses, and tax IDs. This breach involved attackers exploiting malicious OAuth apps to steal databases and extort victims.

    What happened

    The breach occurred on July 16, 2025 and, much like the one at Workday, went through a third-party cloud CRM system. Stolen data included names, email addresses, phone numbers, physical addresses, and sensitive details such as tax IDs. ShinyHunters leaked 2.8 million records, affecting customers, financial advisors, and business partners. The attack exploited malicious OAuth apps to access Salesforce databases. Allianz Life confirmed the breach but declined further comment due to an ongoing investigation.

    Why it matters

    This breach highlights critical vulnerabilities in third-party cloud systems like Salesforce. Cybersecurity personnel must note that attackers exploited OAuth app connections to access sensitive customer data. This breach underscores the growing sophistication of cybercriminals targeting high-profile companies, as well as the cascading risks of supply chain attacks given multiple global organizations were affected in this campaign. 

    Four practical tips for security leaders

    1. Regularly assess and monitor the security practices of third-party vendors, especially those managing critical systems like cloud-based CRMs.
    2. Educate employees about the risks of linking unauthorized OAuth apps to company systems and deploy tools to monitor and restrict such connections to prevent unauthorized access.
    3. Prepare for potential data breaches by developing and testing comprehensive incident response plans, including clear communication strategies for affected customers and stakeholders.
    4. Stay informed about emerging threats, such as extortion groups like ShinyHunters, and implement measures to detect and mitigate these risks before they impact your organization.
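    The second tip above asks for tooling that monitors OAuth app connections to the CRM. The script below is an added, defender-side example written for this roundup; it is not Allianz Life's, Salesforce's, or the author's own code. It assumes that connected-app authorizations have been pulled as rows shaped like the Salesforce OauthToken object (fields AppName, User.Username, UseCount, CreatedDate, LastUsedDate), and the approved-app names, thresholds, and sample rows are constructed for illustration. It flags three things a reviewer would want to see: tokens held by apps nobody approved, approved apps that made hundreds of calls within a day of being authorized (the shape of a bulk export), and authorizations nobody has used in months.

```python
"""Added example (not from the original post): flag risky connected-app
(OAuth) authorizations in a Salesforce org against an approved-app list.

Assumptions: rows are shaped like records from a SOQL query over the
OauthToken object (AppName, User.Username, UseCount, CreatedDate,
LastUsedDate); app names, thresholds and sample data are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Approved connected apps (assumed names; replace with your own inventory).
APPROVED_APPS = frozenset({"Salesforce Mobile", "Corporate BI Connector"})

STALE_AFTER = timedelta(days=90)     # revoke authorizations unused this long
BURST_WINDOW = timedelta(hours=24)   # heavy API use right after authorization
BURST_USES = 500                     # ...is how a bulk export tends to look

SF_TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2025-07-16T09:00:00.000+0000


@dataclass(frozen=True)
class TokenRecord:
    app_name: str
    username: str
    use_count: int
    created: datetime
    last_used: datetime

    @classmethod
    def from_row(cls, row: dict) -> "TokenRecord":
        """Build a record from one query result row (field names assumed)."""
        return cls(
            app_name=row["AppName"],
            username=row["User"]["Username"],
            use_count=int(row["UseCount"]),
            created=datetime.strptime(row["CreatedDate"], SF_TIMESTAMP),
            last_used=datetime.strptime(row["LastUsedDate"], SF_TIMESTAMP),
        )


def audit_tokens(records, now, approved=APPROVED_APPS):
    """Return (username, app, reason) tuples for authorizations to review."""
    findings = []
    for r in records:
        if r.app_name not in approved:
            # An app nobody vetted holds a live token: revoke first, ask later.
            findings.append((r.username, r.app_name, "unapproved-app"))
            continue
        if r.last_used - r.created <= BURST_WINDOW and r.use_count >= BURST_USES:
            # Approved app, but hundreds of calls within a day of consent.
            findings.append((r.username, r.app_name, "burst-after-authorization"))
        if now - r.last_used > STALE_AFTER:
            # Forgotten authorizations are standing access for whoever holds them.
            findings.append((r.username, r.app_name, "stale-token"))
    return findings


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    {"AppName": "Salesforce Mobile", "User": {"Username": "alice@example.com"},
     "UseCount": 40, "CreatedDate": "2025-01-10T08:00:00.000+0000",
     "LastUsedDate": "2025-08-19T17:30:00.000+0000"},
    {"AppName": "Data Loader Helper", "User": {"Username": "bob@example.com"},
     "UseCount": 800, "CreatedDate": "2025-07-16T09:00:00.000+0000",
     "LastUsedDate": "2025-07-16T11:45:00.000+0000"},
    {"AppName": "Corporate BI Connector", "User": {"Username": "carol@example.com"},
     "UseCount": 1200, "CreatedDate": "2025-07-16T09:00:00.000+0000",
     "LastUsedDate": "2025-07-16T18:00:00.000+0000"},
    {"AppName": "Salesforce Mobile", "User": {"Username": "dave@example.com"},
     "UseCount": 5, "CreatedDate": "2025-01-01T08:00:00.000+0000",
     "LastUsedDate": "2025-03-01T08:00:00.000+0000"},
]
NOW = datetime(2025, 8, 20, tzinfo=timezone.utc)


def run_sample():
    """Audit the constructed rows as of NOW."""
    return audit_tokens([TokenRecord.from_row(r) for r in SAMPLE_ROWS], NOW)


if __name__ == "__main__":
    for username, app, reason in run_sample():
        print(f"{reason:28} {username:22} {app}")
```

    Run on the sample rows, the audit reports bob's unapproved app, carol's burst of use right after authorization, and dave's stale token, while alice's ordinary mobile session passes. The burst check is a heuristic, not a signature: tune BURST_USES to your org's normal API volume, and treat an "unapproved-app" hit as a revoke-and-investigate event rather than a ticket to file later.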

    Read more about the breach.
