DMR News

Advancing Digital Conversations

Hackers Claim Theft of 1 Billion Records Across 39 Companies

By Hilary Ong

Oct 7, 2025

A recent surge in data thefts has culminated in a group of hackers threatening to publicly release 1 billion stolen records allegedly taken from 39 major companies, including well-known brands like Disney, McDonald’s, and Toyota. The group, calling itself the Scattered LAPSUS$ Hunters, published a site on the dark web today, demanding that the victim companies pay a ransom by October 10 or face the leakage of the stolen data.

The Connection to Salesforce Customer Hacks

This extortion campaign appears to be linked to a series of sophisticated hacks that targeted customers of Salesforce. This past summer, Google’s Mandiant security team raised alarms about a “widespread data theft campaign” focused on compromising the environments of Salesforce customers. Specifically, the hackers successfully breached the AI chat agent provider Salesloft Drift, which integrates with Salesforce software.

Last month, the FBI issued its own alert, warning that hackers had been looting “large volumes of data in bulk” before Salesloft was able to shut down the access point. It now seems that the responsible parties are attempting to capitalize on the pilfered information. The group’s name, Scattered LAPSUS$ Hunters, is a combination of three infamous cybercrime gangs (Scattered Spider, LAPSUS$, and ShinyHunters), all responsible for numerous breaches in recent years. Although law enforcement has arrested at least some members of each of these groups, someone is clearly continuing their criminal activities.

The hackers are primarily demanding that Salesforce itself pay to protect the client data, though they are also offering various affected companies a chance to individually negotiate. Other affected brands allegedly include KFC, HBO Max, Adidas, IKEA, and Walgreens. The stolen information is said to cover personal user details such as full names, email addresses, phone numbers, and potentially more sensitive data, including physical addresses and dates of birth.

Security researcher Kevin Beaumont suggested that samples of the stolen data uploaded by the hackers on their dark web site appear to be authentic. Meanwhile, Salesforce has issued a statement claiming it is reviewing the data theft claims but insisting that its own platform is not at fault.

Salesforce Denies Platform Compromise

In its official statement, Salesforce said, “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities.” The company’s findings “indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.” Critically, Salesforce affirmed, “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Salesforce went on to urge its customers “to remain vigilant against phishing and social engineering attempts”—a crucial tactical note, as these are the same techniques the Scattered LAPSUS$ Hunters gang has likely used to infiltrate the victim companies. In addition to the Salesloft breach, Google’s Mandiant team had previously warned about hackers impersonating IT support staff to trick employees into helping them compromise Salesforce customer environments.

The hackers have issued an unusual threat aimed at increasing pressure on Salesforce, stating, “We will be openly complying with the many law firms that are pursuing civil and commercial litigation against you. Specifically, we will be cooperating with the Berger Montague Law Firm if you do not comply with our request.” (The Berger Montague law firm did not immediately respond to a request for comment.) The dark web site also declared that the hackers intend to submit documentation to European regulators and U.S. law enforcement regarding Salesforce’s allegedly substandard security practices if the company does not comply with the group’s demands.

Author’s Opinion

The hackers’ threat to cooperate with law firms and regulators is a bizarre, yet potentially effective, pressure tactic that tries to leverage the legal and regulatory burden on major tech platforms. By framing their actions not just as criminal extortion but also as a form of coerced security auditing, the Scattered LAPSUS$ Hunters are attempting to weaponize the victims’ compliance obligations. This strategy exploits the inherent tension between a platform like Salesforce wanting to protect its reputation and the genuine, costly security failures that led to the customer data being exposed in the first place, suggesting cybercriminals are becoming more sophisticated in their understanding of corporate risk management.


Featured image credit: Towfiqu barbhuiya via Unsplash
