Compromise of Nordstrom's Salesforce-Okta integration leveraged for cryptocurrency scam distribution
Summary
An attacker compromised part of Nordstrom's marketing infrastructure through an Okta SSO to Salesforce integration, then sent fraudulent St. Patrick’s Day cryptocurrency scam emails to Nordstrom customers from the legitimate [email protected] address. The emails urged recipients to deposit crypto quickly in order to double the amount within two hours, relying on urgency to deceive despite containing grammatical errors. Nordstrom confirmed the unauthorized campaign and warned customers that no legitimate Nordstrom communication requests crypto transfers. Some customers reportedly sent funds to attacker-controlled wallet addresses before the company issued a takedown notice.
Timeline
- 18.03.2026 15:55 · 1 article
Nordstrom cryptocurrency scam campaign distributed via compromised Salesforce-Okta pipeline
A threat actor leveraged a compromised Okta SSO to Salesforce integration to send fraudulent cryptocurrency promotion emails to Nordstrom customers via Salesforce Experience Cloud. The emails impersonated a legitimate St. Patrick’s Day campaign, urged rapid crypto deposits to double the amount within two hours, and originated from the official [email protected] address. Nordstrom responded by issuing a customer alert confirming the unauthorized campaign and reiterating that it never requests crypto transfers.
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
Information Snippets
- The scam emails originated from [email protected], a legitimate marketing address, indicating a compromise of Nordstrom’s Salesforce Experience Cloud or its Okta SSO integration.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
- The phishing lure promised a 200% return on any cryptocurrency sent to attacker-controlled wallet addresses within a two-hour window, creating artificial urgency.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
- Grammatical and typographical errors (e.g., “Normstorm” in the header) were present, yet were obscured by the legitimate sender address and the St. Patrick’s Day theming.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
- Nordstrom sent a follow-up warning to customers stating it never requests crypto transfers and is investigating the incident.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
- An incident source indicated the breach path was an Okta SSO → Salesforce compromise, used to dispatch emails through Salesforce Experience Cloud.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55
- Customers with email addresses never previously exposed in breaches received the scam messages, suggesting a direct marketing list compromise.
First reported: 18.03.2026 15:55 · 1 source, 1 article
- Nordstrom's email system abused to send crypto scams to customers — www.bleepingcomputer.com — 18.03.2026 15:55