Scattered LAPSUS$ Hunters Claim Salesforce Breach, 1B Records, 39 Firms Listed


A new leak site has gone live, operated by the notorious group calling itself “Scattered Lapsus$ Hunters” (a coalition that combines the tactics and branding of Scattered Spider, Lapsus$, and ShinyHunters). It carries a bold claim: that Salesforce, one of the largest SaaS and CRM providers in the world, has been breached and that close to one billion records (989 million records) are up for sale.

The leak site launched by Scattered LAPSUS$ Hunters (Image credit: Hackread.com)

The group says the attack took place in mid-2024 and that the stolen data amounts to multiple terabytes. In messages posted to their site, they allege the data includes highly sensitive personal information such as Social Security numbers, driver’s licenses, and dates of birth. They are now demanding that Salesforce negotiate before an October 10, 2025, deadline, warning that failure to do so will result in the release of the full cache.

The hackers are also inviting law firms to cooperate with them, even naming Berger Montague as a partner they would share evidence with. They are presenting this less like a threat and more like an offer. They also claim they will provide detailed documentation to courts and regulators in the United States and Europe, alleging Salesforce acted with “criminal negligence” by failing to block repeated intrusions.

The list of companies named as victims on the leak site is massive. The group has listed 39 organizations whose data they say was taken from Salesforce-hosted systems. The list includes:

  1. KFC – 1.3GB
  2. ASICS – 9GB
  3. UPS – 91.34GB
  4. IKEA – 13GB
  5. GAP, INC. – 1GB
  6. Petco – 9.9GB
  7. Cisco – 5.6GB
  8. McDonald’s – 28GB
  9. Cartier – 1.4GB
  10. Adidas – 37GB
  11. Fujifilm – 155MB
  12. Instacart – 32GB
  13. Marriott – 7GB
  14. Walgreens – 11GB
  15. Pandoranet – 8.3GB
  16. Chanel – 2GB
  17. CarMax – 1.7GB
  18. Disney/Hulu – 36GB
  19. TransUnion – 22GB
  20. Aeroméxico – 172.95GB
  21. Toyota Motor Corporations – 64GB
  22. Stellantis – 59GB
  23. Republic Services – 42GB
  24. TripleA (aaacom) – 23GB
  25. Saks Fifth – 1.1GB
  26. Albertsons (Jewel Osco, etc) – 2GB
  27. Engie Resources (Plymouth) – 3GB
  28. 1-800Accountant – 18GB
  29. HMH (hmhcocom) – 88GB
  30. Instructurecom – Canvas – 35GB
  31. Google Adsense – 19GB
  32. HBO Max – 3.2GB
  33. FedEx – 1.1TB
  34. Qantas Airways – 153GB
  35. Vietnam Airlines – 63.62GB
  36. Air France & KLM – 51GB
  37. Home Depot – 19.43GB
  38. Kering (Gucci, Balenciaga, Brioni, AlexMcQ) – 10GB

Hackers Accuse Salesforce of Failure

The hackers accuse Salesforce of failing to enforce multi-factor authentication and say they successfully targeted more than 100 additional unnamed instances through OAuth application weaknesses. They also point to earlier warnings, claiming they emailed Salesforce in July 2025 from an address linked to the operation and received no meaningful response.

The hackers present their message as part ransom demand, part technical briefing. They point out that their attacks ran for a year and left clear traces, and they argue Salesforce had enough time to spot and stop them.

They also cite GDPR, CCPA, and HIPAA obligations, arguing that data protection duties were ignored. To back this up, they promise to release forensic-style documents with attack fingerprints, affected populations broken down by country, and details about the kinds of information exposed.

The attackers provide a tuta.io-based contact address and require any communication to include a strict verification format in the subject line. They say verified representatives will then be forwarded to a live channel where negotiations can take place.

Salesforce Apparently Knows

The hackers have also circulated a screenshot on their Telegram channel that appears to show a Salesforce security advisory acknowledging ongoing extortion attempts. In the message, Salesforce refers to social engineering threats, states that there is no evidence its platform was compromised, and reassures customers that its teams are monitoring the situation.

Screenshot shared by the hackers showing Salesforce advisory (Image credit: Hackread.com)

Since the image cannot be independently verified, it is unclear whether this advisory is authentic or fabricated as part of the attackers’ campaign. Nevertheless, the group’s site maintains the deadline of October 10, 2025, with the status listed as “Active.” And, with the site live, the group now has a public tool to increase pressure on the company as the deadline approaches.




