The Scattered LAPSUS$ Hunters threat collective has launched a new dark web data leak site to attempt to extort victims of the group’s breaches of Salesloft and Salesforce environments.
Scattered LAPSUS$ Hunters – which includes members of the threat groups ShinyHunters, LAPSUS$ and Scattered Spider – published details and sample data on roughly 40 companies, many of them well known, and threatening to release the full data sets if a ransom isn’t paid by October 10.
The data appears to stem from previously reported breaches of Salesloft and social engineering attacks on Salesforce instances.
Salesforce said as much in a statement on October 2, saying the company is “aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology. We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.”
Salesforce encouraged customers to “remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.”
Salesforce Targeted by Scattered LAPSUS$ Hunters Too
Scattered LAPSUS$ Hunters also targeted Salesforce in its postings, claiming that “Near 1 billion records containing sensitive Personally Identifiable Information (PII) has been exfiltrated from your systems.”
“Unless you comply with our demand, as of 10/10/25 (deadline), we will be openly complying with the many law firms that are pursuing civil and commercial litigation against you.”
The threat collective specifically mentioned the Berger Montague law firm, and the group also threatened to cooperate with regulatory compliance authorities.
“We will also be submitting a full document, with clear outlines of how your company as a data controller under European GDPR and many other similar laws such as CCPA, HIPAA, etc. could have, over our year long campaign, prevented such intrusions and data-thefts,” the groups claimed. “This document will contain technical details regarding how our attacks were conducted, the fingerprint of our requests and how this clear defined pattern of networking traffic could have easily been blocked.”
The groups also threatened to work with legal authorities on any criminal proceedings, adding “all of this can be avoided. Very easily and swiftly.”
The threat groups said Salesforce could settle the matter for all the affected companies: “Should you comply, we will withdraw from any active or pending negotiation individually from your customers.”
Scattered LAPSUS$ Hunters Answers Questions from The Cyber Express
Asked by The Cyber Express what “clear defined pattern of networking traffic could have easily been blocked,” a Scattered LAPSUS$ Hunters spokesperson replied that “Salesforce itself is not vulnerable but it certainly could’ve done a much better job in protecting it’s customers.”
The threat group told The Cyber Express that “our IoCs listed by Mandiant and the FBI clearly state we used multiple Mullvad VPN IP addresses and TOR IP addresses which could have easily been detected via YARA rules and immediately blocked. In fact, Salesforce could’ve applied this customer-wide as a whole so individual customers would not have to do this themselves, if they really cared about their customers and committed to stopping us.”
Salesforce places too much security responsibility on customers, the group told The Cyber Express – a not uncommon complaint about the “shared responsibility” model of cloud security in general.
“Essentially, Salesforce is saying ‘yeah you can use our services but when it comes to security you have to deal with most of it yourself,’” the group told The Cyber Express. “Throughout this entire time Salesforce has done nothing but say ‘We are not in the wrong here, please follow our guide to protect yourself… etc.’”
Data Leak Site Shows Threat Group Tactics
The Scattered LAPSUS$ Hunters data leak site shows some of the pressure and tactics that threat groups use to try to get victim organizations to meet ransom demands, and also highlights the challenges of securing SaaS environments.
While the Scattered LAPSUS$ Hunters claims remain unverified, the list of claimed victims on the group’s data leak site includes such well-known brands as Toyota, FedEx, Disney/Hulu, UPS, Home Depot, Marriott, Walgreens, Stellantis, McDonalds, KFC, ASICS, GAP Inc, Houghton Mifflin Harcourt (HMH), Fujifilm, Albertsons, HBO MAX, Instacart, Petco, Puma, Cartier, Adidas, Qantas Airways, CarMax, Saks Fifth Avenue, Air France & KLM, Google AdSense, Cisco, TransUnion, Chanel, IKEA, and Salesforce.
