Scattered LAPSUS$ Hunters Announce Salesforce Breach List On New Onion Site


A cybercrime collective calling itself Scattered LAPSUS$ Hunters has launched a new data leak site on the Tor network, claiming it holds nearly one billion records stolen from Salesforce customers.

The group is running a mass extortion campaign with a deadline of October 10, 2025, threatening to publish the stolen data, along with technical details of the intrusions, if its demands are not met.

The threat actors allege that security lapses at Salesforce, including inadequate two-factor authentication (2FA) and OAuth protections, allowed them to compromise more than 100 Salesforce instances. That is the attackers' own framing; the technique described later in this article relies on tricking users into granting OAuth access to an attacker-controlled application, not on a vulnerability in the platform itself.

Their new onion site lists numerous high-profile companies as victims of the data theft, including Toyota Motor Corporation, FedEx, UPS, Adidas, Disney/Hulu, and McDonald’s.

Other prominent names listed are Qantas, Aeroméxico, Vietnam Airlines, Stellantis, IKEA, KFC, GAP, and the educational platform Canvas by Instructure.

Scattered LAPSUS$ Hunters Listings

Scattered LAPSUS$ Hunters is not a new entity but rather a coalition of members from some of the most infamous hacking groups, including ShinyHunters, Scattered Spider, and Lapsus$.


This alliance has been linked to a series of major cyberattacks throughout 2025, with a particular focus on Salesforce environments. The group’s formation represents a “trinity of chaos,” combining different skill sets to execute complex intrusion campaigns.

Their methods combine social engineering with abuse of legitimate platform features rather than software exploits. Attackers have been observed running voice phishing (vishing) campaigns in which they phone employees while impersonating IT support staff.

During these calls, the victim is walked through authorizing a connected application controlled by the attacker. Because the user completes that authorization from a session that has already satisfied multi-factor authentication, the application receives OAuth tokens without any further MFA challenge. Those tokens are held by the attacker's application rather than tied to the user's interactive session, so they survive the user logging out and remain usable until they are revoked or expire. The result is persistent API access to the company's Salesforce environment, which the group uses to bulk-export CRM data.

The Salesforce campaign highlights a strategic evolution in cybercrime tactics. Instead of relying on traditional ransomware that encrypts files, groups like Scattered LAPSUS$ Hunters are focusing on data theft and extortion.

The leverage is not the disruption of systems but the public exposure of stolen data, which can lead to customer backlash, regulatory fines, and severe reputational damage.

In mid-2025, actors associated with this collective claimed to have stolen 1.5 billion Salesforce records from 760 companies by abusing OAuth tokens belonging to third-party integrations such as Salesloft Drift. A token issued to a widely installed integration carries the integration's access in every customer org that authorized it, which is how a single compromise reached hundreds of companies at once.
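Both patterns described above leave the same kind of trace in a Salesforce org: a grant to a connected app followed by an unusual volume of API reads. As an added example (not code from the article, from Salesforce, or from any party the article names), the following Python runs two detections over constructed events: the vishing case, where a user newly consents to an unsanctioned app that then bulk-pulls CRM data, and the stolen-integration-token case, where a long-standing sanctioned integration suddenly pulls far above its own baseline. The event records, app names, user names, field names and thresholds are all constructed for the example and are not Salesforce Event Monitoring fields; in practice the input would be the org's API and Bulk API event log files plus its connected-app allowlist.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example; these are NOT real Salesforce
# logs, and the field names (ts, type, user, app, rows) are assumptions chosen
# to keep the example self-contained.
SAMPLE_EVENTS = [
    # A long-standing, sanctioned integration with a steady nightly pull.
    {"ts": "2025-08-01T02:00:00Z", "type": "ApiUsage", "user": "svc-drift", "app": "Drift Integration", "rows": 1200},
    {"ts": "2025-08-02T02:00:00Z", "type": "ApiUsage", "user": "svc-drift", "app": "Drift Integration", "rows": 1100},
    {"ts": "2025-08-03T02:00:00Z", "type": "ApiUsage", "user": "svc-drift", "app": "Drift Integration", "rows": 1300},
    # The same integration's token used for a full export (stolen-token pattern).
    {"ts": "2025-08-04T14:05:00Z", "type": "ApiUsage", "user": "svc-drift", "app": "Drift Integration", "rows": 950000},
    # A vishing victim authorizes an app nobody in the org has sanctioned ...
    {"ts": "2025-08-10T10:31:00Z", "type": "OAuthConsent", "user": "jdoe", "app": "IT Helpdesk Data Tool"},
    # ... and that app pulls the CRM within the hour.
    {"ts": "2025-08-10T10:40:00Z", "type": "ApiUsage", "user": "jdoe", "app": "IT Helpdesk Data Tool", "rows": 400000},
    {"ts": "2025-08-10T11:02:00Z", "type": "ApiUsage", "user": "jdoe", "app": "IT Helpdesk Data Tool", "rows": 380000},
    # Benign: a user authorizes a sanctioned app and uses it lightly.
    {"ts": "2025-08-11T09:00:00Z", "type": "OAuthConsent", "user": "asmith", "app": "Drift Integration"},
    {"ts": "2025-08-11T09:30:00Z", "type": "ApiUsage", "user": "asmith", "app": "Drift Integration", "rows": 40},
]

# Assumed org allowlist of connected apps that are expected to hold tokens.
SANCTIONED_APPS = {"Drift Integration"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def new_app_then_bulk_pull(events, window=timedelta(hours=24), min_rows=100_000):
    """Rule 1: consent to an unsanctioned app followed by a large pull under that
    grant within `window`. This is the vishing pattern: MFA was satisfied by the
    victim's own session, so the remaining signals are the new grant and the volume."""
    findings = []
    for c in events:
        if c["type"] != "OAuthConsent" or c["app"] in SANCTIONED_APPS:
            continue
        start = parse_ts(c["ts"])
        rows = sum(
            e["rows"] for e in events
            if e["type"] == "ApiUsage" and e["user"] == c["user"] and e["app"] == c["app"]
            and start <= parse_ts(e["ts"]) <= start + window
        )
        if rows >= min_rows:
            findings.append({"rule": "new_app_bulk_pull", "user": c["user"],
                             "app": c["app"], "rows": rows})
    return findings


def integration_volume_spike(events, factor=20, min_history=3):
    """Rule 2: a sanctioned integration pulling far above its own daily baseline.
    A stolen refresh token looks exactly like the real integration, so the app's
    volume against its own history is the useful signal. Flagged events are kept
    out of the baseline so one spike does not mask the next."""
    findings = []
    per_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "ApiUsage" or e["app"] not in SANCTIONED_APPS:
            continue
        history = per_app[e["app"]]
        if len(history) >= min_history:
            baseline = sum(history) / len(history)
            if e["rows"] > factor * baseline:
                findings.append({"rule": "integration_spike", "user": e["user"],
                                 "app": e["app"], "rows": e["rows"],
                                 "baseline": round(baseline)})
                continue
        history.append(e["rows"])
    return findings


def run(events):
    """Run both rules and return all findings, oldest rule first."""
    return new_app_then_bulk_pull(events) + integration_volume_spike(events)


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f)
```

On the sample data the first rule flags jdoe's grant to "IT Helpdesk Data Tool" (780,000 rows within the window) and the second flags the 950,000-row pull by the Drift token against a baseline of about 1,200 rows a night; asmith's light use of a sanctioned app produces nothing. The thresholds are deliberately coarse; the point is that both attack paths end in the same bulk read, so volume per grant is the signal worth alerting on even when the grant itself looks legitimate.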

The attackers often release fragments of the stolen data as proof, holding back the full dataset to maximize pressure during negotiations.

This incident follows a pattern seen in earlier 2025 attacks on companies like Google, Jaguar Land Rover, and LVMH, where the same collective claimed responsibility.

Despite a recent "farewell letter" announcing the group's dissolution, security experts believe it has simply rebranded, and the threat of large-scale data leaks remains significant.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.