
Salesforce Customers Targeted in Massive Data Theft Campaign

A coalition of notorious hackers claims nearly 1 billion Salesforce records from leading corporations have been stolen, raising urgent legal and business threats as ransom demands surge.


By Olivia Hall


Image Credit: Salesforce

A coalition known as Scattered LAPSUS$ Hunters has shaken the cybersecurity world by claiming it holds nearly 1 billion Salesforce customer records.

The group, comprising hackers from ShinyHunters and Scattered Spider, launched a dark website featuring 39 corporate victims with urgent ransom demands and a looming October 10 deadline.

The extortion campaign brought immediate concern within the business and tech industries.

Data from companies such as Google, Toyota, FedEx, Disney, Walgreens, and Chanel are reportedly at risk, along with millions of sensitive consumer details, including addresses, birthdates, and Social Security numbers.

Who are the Scattered LAPSUS$ Hunters targeting Salesforce?

Combining notorious members from ShinyHunters, Scattered Spider, and LAPSUS$, Scattered LAPSUS$ Hunters emerged in 2025 as a formidable threat to corporate security.

This coalition specializes in targeting cloud software giants, operating extortion sites, and leveraging high-profile breaches for massive payouts.

Security researchers note that the group exploits the reputations of its founding members.

Previous attacks orchestrated by ShinyHunters and LAPSUS$ have targeted global technology brands, and their merger accelerated ransomware campaigns focused on high-value data vaults such as Salesforce customer records.

Did you know?
Salesforce manages customer data for over 150,000 organizations, spanning nearly every major global industry.

Which major companies are exposed to the extortion claims?

As of October 2025, the leak site run by Scattered LAPSUS$ Hunters lists 39 major organizations allegedly affected by the Salesforce breach.

Among the corporate victims are Google, Toyota, FedEx, Disney, Home Depot, Walgreens, McDonald's, KFC, IKEA, and luxury brands like Chanel, Cartier, and Kering subsidiaries.

Insurer Allianz Life and credit bureau TransUnion have confirmed breaches impacting millions of their customers.

Google’s August disclosure about access to its Salesforce instance for small and medium business contacts underscored the scale and gravity of the situation for global enterprises.

How did hackers steal records from Salesforce customers?

The attack did not target Salesforce’s core platform directly, but instead exploited individual customer instances. Hackers employed sophisticated social engineering tactics, including voice phishing and impersonating IT support staff, to gain authorization for malicious OAuth applications.

Once inside, the attackers leveraged compromised authentication tokens from third-party tools, including Salesloft and Drift AI.

This allowed them to gain API-level access, extract records, and threaten public release unless ransom demands were met.

Experts attribute the campaign’s technical execution to the threat groups UNC6040 and UNC6395, as identified by Google’s Threat Intelligence Group.
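For defenders, the pattern described above (a user talked into authorizing an OAuth app, integration tokens reused by someone else, then API-level extraction) maps to three checks on connected-app activity. The sketch below is an added example, not code from Salesforce or any vendor named in this article; the event fields, allow-list, thresholds, and the "Support Helper" app name are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed allow-list: approved connected apps and the networks each one
# normally calls from (hypothetical values, documentation address ranges).
APPROVED_APPS = {
    "Drift": ["198.51.100.0/24"],
    "Internal ETL": ["203.0.113.0/24"],
}
BULK_ROWS = 50_000  # assumed daily export threshold per user and app

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"day": "2025-01-01", "user": "alice", "app": "Internal ETL", "src": "203.0.113.10", "rows": 1200},
    {"day": "2025-01-01", "user": "bob", "app": "Support Helper", "src": "192.0.2.55", "rows": 30000},
    {"day": "2025-01-01", "user": "bob", "app": "Support Helper", "src": "192.0.2.55", "rows": 40000},
    {"day": "2025-01-01", "user": "svc-drift", "app": "Drift", "src": "198.51.100.7", "rows": 300},
    {"day": "2025-01-01", "user": "svc-drift", "app": "Drift", "src": "192.0.2.99", "rows": 900},
]

def in_networks(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def review(events, approved=APPROVED_APPS, bulk_rows=BULK_ROWS):
    """Return sorted findings: (reason, day, user, app)."""
    findings = set()
    rows = defaultdict(int)
    for e in events:
        key = (e["day"], e["user"], e["app"])
        if e["app"] not in approved:
            # An app nobody approved is making API calls with a user's grant.
            findings.add(("unapproved_app",) + key)
        elif not in_networks(e["src"], approved[e["app"]]):
            # Approved integration, but its token is used from an unknown network.
            findings.add(("token_used_from_new_network",) + key)
        rows[key] += e["rows"]
    for key, total in rows.items():
        if total >= bulk_rows:
            # Volume check applies to every app, approved or not.
            findings.add(("bulk_export",) + key)
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

The network check is what separates a stolen integration token from normal use of the same approved app, which an allow-list alone would not catch.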


Salesforce is facing rising legal pressure, with at least 14 lawsuits filed in Northern California courts in September 2025.

Plaintiffs allege the company failed to secure its platform and detect unauthorized applications, seeking class-action status for alleged negligence and privacy violations on behalf of millions.

Clients whose customer data was exposed are contemplating separate legal action. The hackers have contacted regulatory authorities and law firms, threatening to provide evidence of alleged corporate negligence if ransom negotiations stall.

This has compounded reputational and financial risks for both Salesforce and affected brands.

How are authorities and the tech industry responding?

Authorities are conducting criminal investigations into the coalition’s activities, while cybersecurity experts advise companies to strengthen multi-factor authentication and limit third-party integrations.

Salesforce asserts its platform was not compromised and continues to offer incident support and technical resources to impacted organizations.

Industry analysts anticipate a growing adoption of zero-trust security models and stricter cloud access controls in response to ongoing security threats.

Looking ahead, the Salesforce breach may become a milestone moment for cloud software security.

Both regulators and businesses are reviewing policies, with consumers demanding transparency around data protection measures.

The cybercriminal landscape continues to evolve, and collective resilience is now a central priority for technology providers and their clients.


MoneyOval


© 2025 Wordwise Media.
All rights reserved.