A new data leak site has been launched by a group of cybercriminals calling themselves Scattered Lapsus$ Hunters, which includes members of the well-known ShinyHunters, Scattered Spider, and Lapsus$ groups. The site publicly lists 39 companies, including major brands like FedEx, Google, Home Depot, and Disney/Hulu, and features samples of data allegedly stolen from their Salesforce instances. The group is demanding that these companies pay a ransom by an October 10 deadline to prevent the full public release of their data. According to a representative from ShinyHunters, these companies were contacted prior to the launch of the site but chose to ignore their demands, prompting this public extortion campaign.
The cybercriminals have also issued a direct ultimatum to Salesforce itself, demanding a ransom to prevent the leak of all impacted customer data, which they claim amounts to roughly one billion records. In exchange for payment, the group has offered to cease all negotiations with individual companies and promised not to target them again. In a further threat, they warned that if Salesforce does not pay, they will assist law firms in pursuing civil lawsuits against the company. The group also claims that Salesforce failed to adequately protect its customers’ data in accordance with the European General Data Protection Regulation (GDPR).
The Scattered Lapsus$ Hunters have been conducting these attacks against Salesforce customers since the beginning of the year, using voice phishing to trick employees into linking a malicious application to their company’s Salesforce account. This gave the attackers access to company databases, which they then used to extort victims. The group noted that even when only a single company was targeted, the stolen data often contained information for multiple subsidiaries, significantly increasing the impact of the breaches. The security firm Mandiant has been tracking these attacks under the name UNC6395, although Mandiant has not yet officially linked them to this specific group.
In addition to the current wave of attacks, the extortion group claims to have stolen sensitive information—including passwords and AWS access keys—from over 760 companies that use Salesloft’s Drift AI chat integration with Salesforce. The group, through a Telegram channel, announced that they will launch a separate data leak site on October 10 to extort these victims. Companies like Google, Palo Alto Networks, and Cloudflare are among those allegedly affected by this second campaign. The group has offered a concession: if a company pays a ransom during the current extortion phase, it will not be targeted again in the upcoming Salesloft campaign.
Salesforce has released a statement acknowledging the extortion attempts but maintains that its platform has not been compromised and that the activity is not related to any known vulnerabilities. The company says it is working with external experts and authorities to investigate and is supporting the affected customers. However, the cybercriminals’ public actions and claims of having breached major corporations continue to raise concerns for businesses worldwide.