Security and Cloud
24 September 2025

Stellantis Confirms Customer Contact Data Breach After Third-Party Cyberattack

Auto giant Stellantis says a cyberattack on a third-party service provider exposed customer contact information. Here’s what we know, why third-party breaches keep happening, and smart next steps for companies and customers.

  • Stellantis confirmed a data breach affecting customer contact records; the incident stemmed from a third-party service provider that supports its North American customer service operations.
  • The company says the compromised data was limited to contact information — no financial data or other “sensitive personal information” was stored on Stellantis systems, according to the announcement.
  • Security reporting outlets (BleepingComputer) attribute the incident to the threat actor group ShinyHunters, claiming more than 18 million Salesforce records were taken in a broader Salesloft-related compromise; Stellantis has not yet verified that figure publicly.
  • Stellantis says it activated incident response, notified authorities, and is informing affected customers. It also warned customers to be vigilant for phishing attempts.

Why this matters — third-party risk is still the weak link

Large organizations increasingly rely on external platforms — CRMs, contact centers and sales engagement tools — to run customer operations. That convenience comes with a tradeoff: an attacker who compromises a vendor can access a broad set of downstream targets at scale. When a supplier is breached, dozens of well-known brands can find customer records exposed without any intrusion into their own networks.

That’s the pattern here: the root cause appears not to be a direct compromise of Stellantis systems but a supply-chain or vendor breach that allowed attackers to harvest contact data. Past incidents — from SolarWinds to vendor CRM leaks — show this vector is persistent and powerful.

Wider context — who else was affected?

Reporting around the Salesloft-related incident mentions other major tech and security firms as part of the same wave (Google, Cloudflare, Palo Alto Networks, Zscaler and others). If those reports are accurate, this is part of a larger campaign that targeted a common supplier used across many industries — underscoring how attacker ROI increases dramatically when one compromise yields many victims.

What Stellantis (and other companies) should be doing now

  1. Verify vendor scope and logs: Confirm exactly which vendor systems were impacted, what data sets were exposed, and how long the access window lasted.
  2. Communicate clearly with affected customers: Provide specific guidance, sample phishing messages to watch for, and what remediation the company will offer (e.g., identity monitoring) if applicable.
  3. Harden vendor governance: Require suppliers to meet baseline security controls (MFA, encryption at rest, least privilege for API tokens) and demand real-time or frequent evidence of compliance.
  4. Segment and minimize shared data: Limit what third parties can store and ensure sensitive fields are not replicated unnecessarily in vendor systems.
  5. Run tabletop exercises: Practice vendor-breach scenarios to speed containment and customer communications when incidents occur.

Practical steps for customers

If you are a Stellantis customer or think you may be affected, take these precautions right now:

  • Be skeptical of unexpected messages: Don’t click links or download attachments from emails or texts claiming to be from Stellantis unless you can verify the sender.
  • Confirm account activity directly: Log in to official accounts (don’t use email links) to check for notices or required actions.
  • Enable anti-phishing measures: Use strong, unique passwords, enable multi-factor authentication (MFA) wherever possible, and consider a password manager.
  • Monitor communications: Watch for suspicious calls, texts, or emails asking for personal or financial info — report them to the company and your email provider.

Two takeaways — strategic and practical

Strategic: Vendor security is now core business risk, not just an IT problem. Boards and C-suites must treat third-party cyber posture as a material risk and require evidence of resilience.

Practical: For customers, the immediate danger after a contact-data leak is phishing. Contact lists let attackers craft targeted scams that look legitimate — so vigilance and basic security hygiene matter more than ever.

Final thought

Third-party breaches are now an everyday business risk. Companies should assume suppliers can be targeted and build systems, contracts and detection accordingly. For customers, the best defense is cautious behavior and enabling basic protections like MFA. What steps would you like companies to take first to reduce vendor risk?

Share your thoughts: Are you a customer affected by this incident, or a security leader at a company that relies on third-party CRMs? Hit reply and tell us what protections you want to see implemented.

Intelligence source: Inventrium Research