Scattered Lapsus$ Hunters launched a data leak site over the weekend, aiming to pressure organizations whose Salesforce databases they have plundered into paying to prevent the stolen data from being released.
Screenshot of Scattered Lapsus$ Hunters data leak site (Source: Help Net Security)
The group’s victims
Scattered Lapsus$ Hunters is a hacker collective that reportedly brings together members of the Scattered Spider, Lapsus$, and ShinyHunters cybercrime groups.
The dark web data leak site currently lists 39 companies whose data was apparently stolen by compromising their corporate Salesforce instances via social engineering: Toyota, FedEx, Disney/Hulu, Republic Services, UPS, AeroMexico, Home Depot, Marriott, Vietnam Airlines, Walgreens, Stellantis, McDonald’s, KFC, ASICS, GAP, MHM, Fujifilm, Instructure.com – Canvas, Albertsons, Engie Resources, Kering (Gucci, Balenciaga, Brioni, AlexanderMcQ), HBO Max, Instacart, Petco, Puma, Cartier, Adidas, TripleA, Qantas Airways, CarMax, Saks Fifth (Avenue), 1-800Accountant, AirFrance & KLM, Google Adsense, Cisco, Pandora, TransUnion, Chanel, and IKEA.
Each entry lists the date when the breach happened, the type and amount of data stolen, and provides a link to a sample of the data.
The stated breach dates span from April 2024 to September 2025, and most of the stolen data includes personal and contact information of the victim organizations’ customers, employees, and/or partners. In specific instances, the data also encompasses account IDs, dates of birth, passport numbers, Social Security numbers, purchases, live chat transcripts, and more.
As Dissent Doe over at DataBreaches.net noted, customer data can be used for phishing or other social engineering attacks, and data about expensive purchases could be used by fraudsters to compile a list of preferred targets.
“Even worse, perhaps: some seemingly benign data can also put named individuals at risk of political violence or targeting. In this type of situation, DataBreaches includes the Home Depot incident, because Home Depot has a file devoted to government employees that includes their names, email and postal addresses, and phone numbers,” Doe pointed out.
The group’s demands
Scattered Lapsus$ Hunters has given the companies until October 10, 2025, to contact them (via corporate email) and to begin negotiating the ransom.
The same deadline has been given to Salesforce and, if the company plays ball, Scattered Lapsus$ Hunters will purportedly not go after the 39 affected companies.
The group threatened to comply “with the many law firms that are pursuing civil and commercial litigation against [Salesforce]” and release documentation that ostensibly shows that the company “made little to no attempt to prevent unauthorised access to PII.”
After the data leak site went public, Salesforce pushed out a security advisory stating that they are aware of recent extortion attempts by threat actors, which they have investigated in partnership with external experts and authorities.
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” the company stated.
Customers have been advised to remain vigilant against phishing and social engineering attempts and to reach out through the Salesforce Help portal for support, if needed.
What else?
The data leak site also contains three listings unrelated to the breaches under the “Salesforce customers” heading: Credit Institute of Vietnam, S&P Global, and Red Hat.
The Red Hat breach is the most recent and has been claimed by the Crimson Collective. (The relationship between the Crimson Collective and Scattered Lapsus$ Hunters is currently unknown.)
Scattered Lapsus$ Hunters has also stated on Telegram that, by the end of the week, they will start extorting companies whose data they exfiltrated by leveraging OAuth credentials stolen from Salesloft / Drift.