A cybercrime collective known as Scattered LAPSUS$ Hunters has launched a new data leak site on the dark web, claiming it holds nearly one billion records from Salesforce customers.
The group is orchestrating a widespread extortion campaign, setting a ransom deadline of October 10, 2025. They have threatened to publish sensitive data and technical details if their demands are not met.
The threat actors allege that significant security lapses at Salesforce, including inadequate two-factor authentication (2FA) and OAuth protections, enabled them to compromise over 100 Salesforce instances.
Their new onion site lists numerous high-profile companies as victims of the data theft, including Toyota Motor Corporation, FedEx, UPS, Adidas, Disney/Hulu, and McDonald’s.
Other prominent names listed are Qantas, Aeroméxico, Vietnam Airlines, Stellantis, IKEA, KFC, GAP, and the educational platform Canvas by Instructure.
Scattered LAPSUS$ Hunters Listings
Scattered LAPSUS$ Hunters is not a new entity but rather a coalition of members from some of the most notorious hacking groups, including ShinyHunters, Scattered Spider, and Lapsus$.
This alliance has been linked to a series of major cyberattacks throughout 2025, with a particular focus on Salesforce environments. The group’s formation represents a “trinity of chaos,” combining different skill sets to execute complex intrusion campaigns.
Their methods combine sophisticated social engineering with technical exploitation. Attackers have been observed using voice phishing (vishing) campaigns, in which they impersonate IT support staff in phone calls to trick employees.
During these calls, victims are guided to authorize a malicious application, which captures OAuth tokens. These tokens grant the attackers persistent access to the company’s Salesforce environment, effectively bypassing multi-factor authentication controls and allowing for the mass exfiltration of CRM data.
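Because an authorized application keeps working after the phone call ends, defenders can review OAuth grants and API usage per application. The following is an added example, not part of the original article: it audits constructed events in a hypothetical normalized schema (the field names, app names, allowlist and threshold are all assumptions) and flags every user/app pair whose application is not on an approved list, including tokens whose grant predates the log window.

```python
from collections import defaultdict

APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}  # assumed allowlist
ROW_THRESHOLD = 100_000  # assumed bulk-read threshold per user/app pair

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"type": "oauth_grant", "user": "a.lee", "app": "Corp Data Loader", "time": "2025-06-02T09:14:00Z"},
    {"type": "api_query", "user": "a.lee", "app": "Corp Data Loader", "rows": 250000, "time": "2025-06-02T09:20:00Z"},
    {"type": "oauth_grant", "user": "j.doe", "app": "Support Ticket Portal", "time": "2025-06-03T15:41:00Z"},
    {"type": "api_query", "user": "j.doe", "app": "Support Ticket Portal", "rows": 90000, "time": "2025-06-03T15:44:00Z"},
    {"type": "api_query", "user": "j.doe", "app": "Support Ticket Portal", "rows": 60000, "time": "2025-06-03T15:52:00Z"},
    {"type": "oauth_grant", "user": "m.kim", "app": "Calendar Helper", "time": "2025-06-04T11:02:00Z"},
    # Token issued before the log window: no grant event, only usage.
    {"type": "api_query", "user": "r.ng", "app": "Old Sync Tool", "rows": 500, "time": "2025-06-05T08:00:00Z"},
]

def audit_oauth_activity(events, approved=APPROVED_APPS, row_threshold=ROW_THRESHOLD):
    """Return one finding per user/app pair whose app is not on the allowlist."""
    granted_at = {}
    rows_read = defaultdict(int)
    for e in events:
        if e["app"] in approved:
            continue  # approved integrations are out of scope for this check
        key = (e["user"], e["app"])
        rows_read[key] += 0  # register the pair even if only a grant was seen
        if e["type"] == "oauth_grant":
            granted_at.setdefault(key, e["time"])  # keep the first grant time
        elif e["type"] == "api_query":
            rows_read[key] += e["rows"]
    findings = []
    for (user, app), total in sorted(rows_read.items()):
        findings.append({
            "user": user,
            "app": app,
            "granted_at": granted_at.get((user, app)),  # None: grant predates the logs
            "rows_read": total,
            "severity": "high" if total >= row_threshold else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_oauth_activity(EVENTS):
        print(finding)
```

A "high" finding means an unapproved application has already read rows in bulk; a "review" finding is a grant or usage that should be confirmed with the user and revoked if unrecognized.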
The Salesforce campaign highlights a strategic evolution in cybercrime tactics. Instead of relying on traditional ransomware that encrypts files, groups like Scattered LAPSUS$ Hunters are focusing on data theft and extortion.
The leverage is not the disruption of systems but the public exposure of stolen data, which can lead to customer backlash, regulatory fines, and severe reputational damage.
In mid-2025, actors associated with this collective claimed to have stolen 1.5 billion Salesforce records from 760 companies by compromising OAuth tokens linked to third-party integrations like Salesloft and Drift.
The attackers typically release fragments of the stolen data as proof, holding back the full dataset to maximize pressure during negotiations.
This incident follows a pattern seen in earlier 2025 attacks on companies like Google, Jaguar Land Rover, and LVMH, where the same collective claimed responsibility.
Despite a recent “farewell letter” announcing their disbandment, security experts believe the group has merely rebranded, and the threat of large-scale data leaks remains significant.