Hackers Launch Leak Portal to Publish Data Stolen from Salesforce Instances


The hacker collective styling itself “Scattered Lapsus$ Hunters”—an alliance echoing elements of ShinyHunters, Scattered Spider, and Lapsus$—has launched an extortionware portal to pressure victims into paying for delisting and purported deletion of stolen data.

The group’s leverage centers on Salesforce datasets, reflecting months of intrusions achieved via social engineering, OAuth abuse, and downstream supply chain compromise.

UpGuard and other analysts have tracked the campaign’s evolution from voice-phishing that weaponized Salesforce integrations to a sweeping data-theft operation tied to Salesloft’s Drift ecosystem and OAuth tokens that unlocked broad API access across targets.

Google’s threat intelligence team has separately documented the attackers’ use of persuasive phone pretexts and fraudulent integrations to gain privileged access to Salesforce instances.

Timeline of events

Late 2024: Attackers conduct phone-based social engineering (“vishing”) to persuade users or admins to add malicious integrations to Salesforce, granting API-level access and enabling at-scale exfiltration.

The FBI warned of coordinated campaigns stealing Salesforce data from major enterprises, including Google and Cisco, by exploiting trust in integrations and user workflows.

March–June 2025: Intruders compromise Salesloft’s corporate GitHub environment, create a user, and manipulate repositories and workflows, then pivot into the Drift application’s AWS environment.

There, they locate OAuth tokens belonging to Drift customers and use those tokens to programmatically access integrated platforms—most critically, Salesforce—at scale.

Google later connected the dots between the initial social-engineering tradecraft and the OAuth token abuse that enabled “en masse” compromises of Drift-integrated customers.

June–August 2025: Google publishes a detailed advisory on the voice-phishing playbook and malicious Salesforce integrations.

By mid-August, valid OAuth tokens are actively used to pull Salesforce data from victims, expanding impact beyond initial claims that only Salesforce integrations were affected.

August 20–26, 2025: Salesloft discloses the Drift incident and Google releases deeper technical analysis of the data-theft mechanics, reinforcing that the threat path combined human manipulation, code repository weaknesses, and tokenized access to cloud services.

September 2025: The collective briefly claims to be “going dark,” yet activity linked to Salesforce data persists, suggesting operational rebranding or staged pauses rather than cessation.

October 3, 2025: The group unveils a TOR-hosted extortion portal listing alleged Salesforce customers and claimed volumes of exfiltrated data, setting an October 10 deadline for payments and threatening publication if demands are unmet.

Screenshot of leak site.

Some observers note references to a clear‑web mirror, but the core site functions on the Onion network.

Extortionware portal and ramifications

The leak site catalogs organizations and the proportion or volume of Salesforce data purportedly stolen, weaponizing the business-critical nature of customer, pipeline, and deal metadata. This is a strategic choice: Salesforce’s strength—broad third‑party integration and flexible APIs—also expands the attack surface when user trust and OAuth scopes are abused.

The lesson is stark: user risk and integration governance now sit at the heart of enterprise data defense, and GitHub/AWS secret hygiene, OAuth scope minimization, least privilege, token rotation, and continuous integration monitoring are no longer optional controls.

The two dominant intrusion paths were: tricking users into approving malicious integrations with expansive read scopes; and compromising a legitimate integration provider (Drift), then abusing discovered OAuth tokens to harvest data from connected Salesforce tenants.
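Both intrusion paths leave the same two footprints on the defender's side: a connected app authorized with broad OAuth scopes outside change control, and an integration suddenly reading far more records than its normal pattern. The script below is an added example, not code from the article or from Salesforce, showing how a security team might audit exported integration events for those two signals. The event field names, the allow-list of approved apps, the scope set and the volume threshold are all assumptions for this illustration, and the sample events are constructed, not real logs.

```python
"""
Defender-side audit of Salesforce-style OAuth integration events.

Assumptions (not a real Salesforce schema): each event is a dict with a
"type" of either "app_authorized" (a user approved a connected app, with
its requested scopes) or "api_query" (an app read rows from an object).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that grant wide read or long-lived access; an app requesting any of
# these outside change control deserves review (scope minimization).
BROAD_SCOPES = {"full", "api", "refresh_token", "web"}

# Hypothetical allow-list of integrations approved through change control.
APPROVED_APPS = {"Ops Dashboard", "Marketing Sync"}

# Constructed sample events (not real logs). The second authorization mimics
# a user approving an app over the phone with full + refresh_token scopes,
# followed by large reads of Account and Contact data.
EVENTS = [
    {"type": "app_authorized", "ts": "2025-08-10T09:00:00",
     "user": "admin@example.test", "app": "Ops Dashboard",
     "scopes": ["api", "refresh_token"]},
    {"type": "app_authorized", "ts": "2025-08-12T14:22:00",
     "user": "sales.rep@example.test", "app": "Data Loader Helper",
     "scopes": ["full", "refresh_token"]},
    {"type": "api_query", "ts": "2025-08-12T14:30:00",
     "app": "Data Loader Helper", "object": "Account", "rows": 120000},
    {"type": "api_query", "ts": "2025-08-12T14:35:00",
     "app": "Data Loader Helper", "object": "Contact", "rows": 340000},
    {"type": "api_query", "ts": "2025-08-12T10:00:00",
     "app": "Ops Dashboard", "object": "Opportunity", "rows": 500},
    {"type": "api_query", "ts": "2025-08-13T10:00:00",
     "app": "Ops Dashboard", "object": "Opportunity", "rows": 480},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def unapproved_broad_scope_apps(events):
    """Return (app, user, broad_scopes) for every authorization of an app that
    is not on the allow-list and requested at least one broad scope."""
    findings = []
    for e in events:
        if e["type"] != "app_authorized":
            continue
        broad = sorted(set(e["scopes"]) & BROAD_SCOPES)
        if e["app"] not in APPROVED_APPS and broad:
            findings.append((e["app"], e["user"], broad))
    return findings


def bulk_pull_alerts(events, window=timedelta(hours=1), threshold=100000):
    """Map app -> peak rows read within any rolling window, for apps whose
    peak exceeds the threshold. A sliding window over time-sorted queries
    keeps this linear in the number of queries per app."""
    per_app = defaultdict(list)
    for e in events:
        if e["type"] == "api_query":
            per_app[e["app"]].append((parse_ts(e["ts"]), e["rows"]))
    alerts = {}
    for app, queries in per_app.items():
        queries.sort()
        start, total = 0, 0
        for ts, rows in queries:
            total += rows
            # Drop queries that fell out of the window ending at ts.
            while ts - queries[start][0] > window:
                total -= queries[start][1]
                start += 1
            if total > threshold:
                alerts[app] = max(alerts.get(app, 0), total)
    return alerts


if __name__ == "__main__":
    for app, user, scopes in unapproved_broad_scope_apps(EVENTS):
        print(f"REVIEW: {app!r} authorized by {user} with broad scopes {scopes}")
    for app, peak in bulk_pull_alerts(EVENTS).items():
        print(f"ALERT: {app!r} read {peak} rows within one hour")
```

Run as a script it prints one review line for the unapproved app and one alert for its bulk read; the approved dashboard, which reads a few hundred rows a day, triggers neither check. In practice the thresholds would be tuned per integration against its own baseline, and a hit on the first check is the moment to revoke the app's tokens and rotate any secrets it could reach.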

Salesforce has stated there is no indication of a platform compromise or vulnerability exploitation, which aligns with evidence pointing to social engineering, OAuth token abuse, and supply‑chain weakness rather than a core Salesforce flaw.

Yet the platform remains central to impact because of the volume and sensitivity of data it aggregates and exposes via powerful integrations.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.