Stellantis customer data breach: Difference between revisions
filing in initial info |
m Sojourna moved page Stellantis Customer Data Breach to Stellantis customer data breach: Misspelled title: Not in sentence case |
||
| (13 intermediate revisions by 4 users not shown) | |||
| Line 7: | Line 7: | ||
|Type=Security, Third Party | |Type=Security, Third Party | ||
|Description=Stellantis customer data was exposed in a breach through a third-party platform. | |Description=Stellantis customer data was exposed in a breach through a third-party platform. | ||
}}Stellantis customer data was exposed in a breach through a third-party platform on September 21, 2025. The hackers accessed contact information of customers in North America. | }} | ||
[[Stellantis]] customer data was exposed in a breach through a third-party platform on September 21, 2025. The hackers accessed contact information of customers in North America. | |||
==Customer | ==Background== | ||
On September 21, 2025, Stellantis reported the data breach on their website<ref>{{Cite web |title=Third-Party Platform Data Incident |url=https://media.stellantisnorthamerica.com/newsrelease.do?id=27079}}</ref>. | The Bleeping Computer reports that the ShinyHunters group accessed Stellantis data as part of a larger effort targeted at Salesforce, which included data stolen from many other large companies in 2025, such as [[Google]], [[Cisco Systems, Inc.]], and Workday.<ref name=":1" /> The group did not reveal to Bleeping Computer the methods used to gain access in this incident, however, their tactics in the similar attacks on Salesforce included social engineering<ref>{{Cite web |last=Toulas |first=Bill |date=2025-06-04 |title=Google: Hackers target Salesforce accounts in data extortion attacks |url=https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/ |url-status=live |archive-url=https://web.archive.org/web/20250919162222/https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/ |archive-date=2025-09-19 |access-date=2025-09-29 |website=Bleeping Computer}}</ref> and stolen credentials that allowed access through the Salesloft Drift AI chat integration with Salesforce.<ref>{{Cite web |last=Abrams |first=Lawrence |date=2025-08-28 |title=Google warns Salesloft breach impacted some Workspace accounts |url=https://www.bleepingcomputer.com/news/security/google-warns-salesloft-breach-impacted-some-workspace-accounts/ |url-status=live |archive-url=https://web.archive.org/web/20250912100941/https://www.bleepingcomputer.com/news/security/google-warns-salesloft-breach-impacted-some-workspace-accounts/ |archive-date=2025-09-12 |access-date=2025-09-29 |website=Bleeping Computer}}</ref> | ||
==Customer data breach== | |||
On September 21, 2025, Stellantis North America reported the data breach on their website.<ref name=":0">{{Cite web |date=2025-09-21 |title=Third-Party Platform Data Incident |url=https://media.stellantisnorthamerica.com/newsrelease.do?id=27079 |url-status=live |archive-url=https://web.archive.org/web/20250923153055/https://media.stellantisnorthamerica.com/newsrelease.do?id=27079 |archive-date=2025-09-23 |access-date=2025-09-28 |website=Stellantis North America}}</ref> They stated that the data was limited to contact information and that the breach did not involve any financial or sensitive personal information. They did not include an estimate of impacted customers. Bleeping Computer reported that extortion group ShinyHunters took credit for the breach, stating that they stole over 18 million Salesforce records pertaining to contact information.<ref name=":1">{{Cite web |last=Gatlan |first=Sergiu |date=2025-09-22 |title=Automaker giant Stellantis confirms data breach after Salesforce hack |url=https://www.bleepingcomputer.com/news/security/automaker-giant-stellantis-confirms-data-breach-after-salesforce-hack/ |url-status=live |archive-url=https://web.archive.org/web/20250924065416/https://www.bleepingcomputer.com/news/security/automaker-giant-stellantis-confirms-data-breach-after-salesforce-hack/ |archive-date=2025-09-24 |access-date=2025-09-28 |website=Bleeping Computer}}</ref> | |||
===Stellantis's response=== | |||
In their initial report, Stellantis North America remarked on their response to the incident:<ref name=":0" /> | |||
<blockquote> Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers. </blockquote> | |||
==Consumer response== | |||
Some consumers reacted to the news of the data breach in the context of the broader conversations around privacy concerns in the automotive industry and the proposed REPAIR Act (H.R. 906) legislation in the United States. Online comments from consumers include criticism towards Stellantis for characterizing [[Right to repair]] as a security vulnerability while failing to keep their customers' contact info secure, expressions of gratitude for owning vehicles from the early 2000's and older that don't collect consumer data to begin with, and statements of distrust in Stellantis and a lack of surprise at the incident.<ref>{{Cite news |last=Knutsson |first=Kurt |date=2025-10-07 |title=Jeep and Chrysler parent Stellantis confirms data breach |url=https://www.foxnews.com/tech/jeep-chrysler-parent-stellantis-confirms-data-breach |url-status=live |archive-url=https://web.archive.org/web/20251007162047/https://www.foxnews.com/tech/jeep-chrysler-parent-stellantis-confirms-data-breach |archive-date=7 Oct 2025 |access-date=2025-10-15 |work=Fox News}}</ref> <ref>{{Cite web |date=2025-09-22 |title=Automaker giant Stellantis confirms data breach after Salesforce hack |url=https://www.reddit.com/r/cybersecurity/comments/1nnz4b0/automaker_giant_stellantis_confirms_data_breach/ |url-status=live |archive-url=https://web.archive.org/web/20260222230643/https://old.reddit.com/r/cybersecurity/comments/1nnz4b0/automaker_giant_stellantis_confirms_data_breach/ |archive-date=22 Feb 2026|access-date=2025-10-15 |website=Reddit}}</ref><ref>{{Cite web |date=2025-09-26 |title=Stellantis suffers data breach during campaign against independent repair |url=https://www.reddit.com/r/cars/comments/1nrgpsz/stellantis_suffers_data_breach_during_campaign/ |url-status=live |archive-url=https://web.archive.org/web/20260222230709/https://old.reddit.com/r/cars/comments/1nrgpsz/stellantis_suffers_data_breach_during_campaign/ |archive-date=22 Feb 2026|access-date=2025-10-15 |website=Reddit}}</ref> | |||
==See also== | |||
*[[Ticketmaster Entertainment, LLC]] - ShinyHunters data breach | |||
*[[Volkswagen car-location data-exposure incident]] | |||
==References== | ==References== | ||
{{reflist}} | {{reflist}} | ||
[[Category:Stellantis]] | |||
[[Category:Data breaches]] | |||
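Review bot: The new lead sentence dates the breach itself to September 21, 2025, while the "Customer data breach" section gives that date as the day Stellantis North America reported it; the lead should say the breach was disclosed on that date unless a cited source gives the date of the intrusion. In the new Background section, the social engineering and Salesloft Drift details are cited to reports on other incidents, so ending the sentence before "however" and starting a new one would keep the undisclosed method for this incident clearly separate from tactics seen elsewhere. "The Bleeping Computer" should also drop the article to match the later "Bleeping Computer reported".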
Latest revision as of 02:32, 17 March 2026
Stellantis customer data was exposed in a breach through a third-party platform on September 21, 2025. The hackers accessed contact information of customers in North America.
Background
Bleeping Computer reports that the ShinyHunters group accessed Stellantis data as part of a larger effort targeted at Salesforce, which included data stolen from many other large companies in 2025, such as Google, Cisco Systems, Inc., and Workday.[1] The group did not reveal to Bleeping Computer the methods used to gain access in this incident; however, their tactics in the similar attacks on Salesforce included social engineering[2] and stolen credentials that allowed access through the Salesloft Drift AI chat integration with Salesforce.[3]
Customer data breach
On September 21, 2025, Stellantis North America reported the data breach on their website.[4] They stated that the data was limited to contact information and that the breach did not involve any financial or sensitive personal information. They did not include an estimate of impacted customers. Bleeping Computer reported that the extortion group ShinyHunters took credit for the breach, stating that they stole over 18 million Salesforce records pertaining to contact information.[1]
Stellantis's response
In their initial report, Stellantis North America remarked on their response to the incident:[4]
Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers.
Consumer response
Some consumers reacted to the news of the data breach in the context of the broader conversations around privacy concerns in the automotive industry and the proposed REPAIR Act (H.R. 906) legislation in the United States. Online comments from consumers include criticism of Stellantis for characterizing Right to repair as a security vulnerability while failing to keep their customers' contact info secure, expressions of gratitude for owning vehicles from the early 2000s and older that don't collect consumer data to begin with, and statements of distrust in Stellantis and a lack of surprise at the incident.[5][6][7]
See also
- Ticketmaster Entertainment, LLC - ShinyHunters data breach
- Volkswagen car-location data-exposure incident
References
1. Gatlan, Sergiu (2025-09-22). "Automaker giant Stellantis confirms data breach after Salesforce hack". Bleeping Computer. Archived from the original on 2025-09-24. Retrieved 2025-09-28.
2. Toulas, Bill (2025-06-04). "Google: Hackers target Salesforce accounts in data extortion attacks". Bleeping Computer. Archived from the original on 2025-09-19. Retrieved 2025-09-29.
3. Abrams, Lawrence (2025-08-28). "Google warns Salesloft breach impacted some Workspace accounts". Bleeping Computer. Archived from the original on 2025-09-12. Retrieved 2025-09-29.
4. "Third-Party Platform Data Incident". Stellantis North America. 2025-09-21. Archived from the original on 2025-09-23. Retrieved 2025-09-28.
5. Knutsson, Kurt (2025-10-07). "Jeep and Chrysler parent Stellantis confirms data breach". Fox News. Archived from the original on 2025-10-07. Retrieved 2025-10-15.
6. "Automaker giant Stellantis confirms data breach after Salesforce hack". Reddit. 2025-09-22. Archived from the original on 2026-02-22. Retrieved 2025-10-15.
7. "Stellantis suffers data breach during campaign against independent repair". Reddit. 2025-09-26. Archived from the original on 2026-02-22. Retrieved 2025-10-15.