An extortion group calling itself Scattered LAPSUS$ Hunters, a name that combines those of Lapsus$, Scattered Spider, and ShinyHunters, recently leaked millions of records from a campaign targeting Salesforce customers. The leak followed a ransom demand to Salesforce, where the hackers claimed to have stolen data from 39 customers and threatened to publish it unless the company paid. Salesforce refused the demand, stating the extortion was related to “past or unsubstantiated incidents.” In response, the hackers published data on their Tor-based leak site, allegedly belonging to several companies, including Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines.
After publishing the data on their private site, the threat actors provided links to paying users on a clear-net forum and then released the data for free on another public website. One of the alleged victims, Qantas, obtained a court injunction to block access to the information and is analyzing the leak with cybersecurity experts. Back in July, the Australian airline had stated that roughly 6 million customers may have been affected in an incident where attackers hit a third-party platform and exfiltrated names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. Qantas confirmed in a statement that it had already proactively advised all impacted customers in July about the data that was exposed, and this has not changed.
According to the data breach notification service Have I Been Pwned, the hackers also leaked data associated with approximately 7.3 million Vietnam Airlines accounts. This information was reportedly stolen from the company’s Salesforce instance in June and includes names, email addresses, phone numbers, dates of birth, and loyalty program details. Although the hackers had initially named 39 victims and claimed to have stolen data from many more, they only ended up leaking data from six organizations. When asked by followers on their Telegram channel about the missing data, Scattered LAPSUS$ Hunters said it “can’t leak” any more data.
The hackers told DataBreaches.net that some of the victim organizations had paid a ransom but asked to remain on the leak site “so they can protect themselves.” However, there’s no proof of this claim. It remains unclear why the data of only six victims was leaked, but in the past, hackers have been known to make false claims about possessing stolen data. Last week, Scattered LAPSUS$ Hunters also claimed to have stolen 19 million personal records from Australian telecommunications company Telstra, but the company quickly refuted the claim, stating the data was scraped from public sources, not its systems.
Telstra’s investigation found that no passwords, banking details, or personal identification data like driver’s license or Medicare numbers were included in the leaked data. The incident with Telstra highlights a common tactic where hackers inflate the scale of a breach or make up claims entirely to gain attention or pressure companies. The limited number of leaks compared to the hackers’ initial claims and the alleged requests from companies to remain on the leak site suggest the situation is more complicated than the hackers portray. This lack of transparency underscores the difficulty in verifying claims made by cybercriminals.