Extortion gang opens data leak site to squeeze victims of its Salesforce attacks


The Scattered Lapsus$ Hunters gang, which says it has stolen data from the Salesforce instances of dozens of international companies in recent months, upped its extortion game today by listing their names on a new data leak site. 

The list of alleged victims includes Salesforce itself, from which the gang claims it has captured about 1 billion records. Others included Toyota Motor Corp., FedEx, Disney/Hulu, UPS, Home Depot, hotel chain owner Marriott, car manufacturer Stellantis, US retailer Walgreens, McDonalds, Cisco Systems, Google Adsense and more.

All of the named victims have been given until October 10 to pay up, or the copied data will be released.

In the case of Salesforce, the gang is threatening to go further: to “comply” with law firms pursuing civil and commercial litigation against the customer relationship management platform for alleged irresponsibility over the data thefts. The gang says it had warned Salesforce and its customers about those thefts for months before the data leak site was unveiled.

“For example,” the gang’s notice to Salesforce says, “we e-mail taunted you … in July 2025 and you never took any further preventative action to stop us. This especially proves our point, it would be bad if we went public with this and showed proof.”

The gang even says its documents will be provided to the “United States District of Northern District of California” [presumably meaning the United States District Court for the Northern District of California] to possibly prosecute Salesforce. As part of that action, the gang promises, “we will engage in open dialogue with our press contacts, civil/commercial litigation lawyers, and answering any questions asked.”

“As you know, all of this can be avoided,” the gang’s message to Salesforce reads. “Very easily and swiftly. To reiterate, we have full access to your systems; should the ransom demand not be met, your data will be released in full. Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay. We are able to thoroughly elaborate more on this if you engage with us.”

Who is this group?

Some background: According to Luke Connolly, a threat researcher at Emsisoft, this extortion group is an apparent loose affiliation between a number of relatively unstructured cybercriminal groups, including ShinyHunters, Scattered Spider, Lapsus$ and The Com, which sometimes operate under one name.

The unveiling of the Salesforce victims data leak site wasn’t unexpected. Last month, Connolly said the group launched a new Telegram channel pre-announcing it.

Salesforce statement

In an online statement yesterday, the day before the data leak site was launched, Salesforce said, “we are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Vishing attack

The Salesforce spokesperson referred to a June warning from the Google Threat Intelligence Group (GTIG) about activity from a group it calls UNC6040 that had attacked one of its corporate Salesforce instances. This group has consistently claimed to be ShinyHunters, which specializes in impersonating IT staff in voice phishing (vishing) calls to trick employees into giving away access to Salesforce databases, the GTIG report says, by getting victims to authorize the connection of a malicious app to their organization’s Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not one authorized by Salesforce.

During the vishing call, the hacker guides the victim to Salesforce’s connected app setup page to approve a malicious version of the Data Loader app, with a name or branding that differs from the legitimate version. This gives the hacker the ability to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environment.
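The defensive counterpart to the connected-app trick described above is a periodic review of which OAuth apps have been authorized in the tenant. The following is an added example, not code from the article or from Salesforce or Google: it takes a constructed export of connected apps (the field names `name`, `publisher`, `scopes`, `approved_by_role` and `approved_at` are assumed for this example) and flags apps that are not on an approved list, whose name merely resembles an approved app such as Data Loader, that carry a broad scope, or that were approved recently by an ordinary user rather than an admin.

```python
import difflib
from datetime import datetime, timedelta

# Constructed inventory of authorized OAuth connected apps, in the shape of an
# admin export. The schema is assumed for this example; map your own export
# onto these keys. Scope names follow Salesforce OAuth conventions ("full",
# "api", "refresh_token").
CONNECTED_APPS = [
    {"name": "Data Loader", "publisher": "Salesforce",
     "scopes": ["api", "refresh_token"], "approved_by_role": "admin",
     "approved_at": "2024-11-02T10:00:00"},
    {"name": "Data L0ader", "publisher": "unknown",          # look-alike name
     "scopes": ["full", "refresh_token"], "approved_by_role": "user",
     "approved_at": "2025-09-28T14:12:00"},
    {"name": "Sales Chatbot Sync", "publisher": "VendorCo",
     "scopes": ["api", "refresh_token"], "approved_by_role": "admin",
     "approved_at": "2025-03-01T09:00:00"},
]

# Apps the organization has knowingly approved, with the publisher expected
# for each (constructed allowlist).
APPROVED_APPS = {"Data Loader": "Salesforce", "Sales Chatbot Sync": "VendorCo"}

BROAD_SCOPES = {"full"}        # scopes that grant far more than an integration needs
LOOKALIKE_THRESHOLD = 0.75     # difflib similarity above which a name is suspicious


def review_connected_apps(apps, approved, now, recent_days=14):
    """Return [(app_name, [reasons])] for every app that deserves a second look."""
    findings = []
    for app in apps:
        reasons = []
        name = app["name"]
        if name in approved:
            # Known name: make sure it is the publisher we approved, not a clone.
            if app["publisher"] != approved[name]:
                reasons.append(f"publisher mismatch (expected {approved[name]})")
        else:
            # Unknown name: check whether it imitates an approved app.
            for known in approved:
                ratio = difflib.SequenceMatcher(None, name.lower(), known.lower()).ratio()
                if ratio >= LOOKALIKE_THRESHOLD:
                    reasons.append(f"name resembles approved app '{known}'")
            if not reasons:
                reasons.append("not on approved list")
        if BROAD_SCOPES & set(app["scopes"]):
            reasons.append("broad OAuth scope")
        approved_at = datetime.fromisoformat(app["approved_at"])
        if now - approved_at <= timedelta(days=recent_days) and app["approved_by_role"] != "admin":
            reasons.append("recently approved by a non-admin user")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in review_connected_apps(CONNECTED_APPS, APPROVED_APPS, datetime(2025, 10, 3)):
        print(f"{name}: {'; '.join(reasons)}")
```

The look-alike check is deliberately fuzzy: the point of the vishing campaign is that the approved app looks almost right, so an exact-name allowlist alone would pass it. Combine this review with an admin-only policy for approving connected apps, which removes the end user from the approval path altogether.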

In some instances, the GTIG report adds, extortion activities haven’t been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. 

As part of the report, Google also says that one of its Salesforce instances, used to store contact information and related notes for small and medium businesses, was compromised with a similar tactic by this gang. Data was retrieved by the threat actor “during a small window of time” before access was cut off, Google says. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

Linked to Salesloft Drift attacks

In September, the FBI issued a Flash alert about the compromises of Salesforce instances by UNC6040 and UNC6395. Both groups have recently been targeting organizations’ Salesforce platforms via various initial access mechanisms. However, the FBI alert says, UNC6395 has been using a tactic other than vishing. It is leveraging compromised OAuth tokens for Salesloft Drift, an AI chatbot that integrates not only with the Salesloft sales engagement platform, but also with Salesforce. That’s how UNC6395 was able to get Salesforce customers’ data.

On August 20, Salesloft, in collaboration with Salesforce, revoked all Drift active access and refresh tokens.

In a September analysis, researchers at Israel-based Kela called the Salesloft Drift campaign “one of the most significant SaaS supply chain compromises to date.” The stolen OAuth and refresh tokens from Drift were designed to synchronize data between Drift and Salesforce.

These tokens can bypass primary authentication methods, including multi-factor authentication, Kela notes. In this campaign, the attackers could maintain persistent access, and generated new session tokens over 10 days. From there, UNC6395 pivoted into Salesforce environments. Using Salesforce Object Query Language (SOQL), the Kela report says, the attackers searched for high-value secrets, such as AWS access keys, Snowflake tokens, and passwords, that are often embedded in support cases and customer records. Stolen data was then routed through TOR and cloud VPS infrastructure (including AWS and DigitalOcean) to obscure the exfiltration. The attackers also attempted to clean up logs by deleting query jobs.
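The three behaviours Kela describes, SOQL queries that hunt for credentials, exfiltration from unexpected infrastructure, and query jobs deleted to cover tracks, are all visible in API activity records. The following added example, which is not from the article or from Kela, runs simple detection rules over a handful of constructed events; the event schema (`ts`, `user`, `ip`, `action`, `detail`) and the action names are assumed for the example, so adapt them to whatever your event monitoring actually emits.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed API activity events in an assumed schema. Job ids and addresses
# are placeholders, not real identifiers.
EVENTS = [
    {"ts": "2025-08-10T02:14:05", "user": "chatbot-integration@example.com", "ip": "203.0.113.10",
     "action": "SoqlQuery", "detail": "SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%'"},
    {"ts": "2025-08-10T02:14:40", "user": "chatbot-integration@example.com", "ip": "203.0.113.10",
     "action": "SoqlQuery", "detail": "SELECT Id, Body FROM CaseComment WHERE Body LIKE '%password%'"},
    {"ts": "2025-08-10T02:16:00", "user": "chatbot-integration@example.com", "ip": "203.0.113.10",
     "action": "BulkQueryJobCreate", "detail": "job=JOB-PLACEHOLDER-1"},
    {"ts": "2025-08-10T02:31:00", "user": "chatbot-integration@example.com", "ip": "203.0.113.10",
     "action": "BulkQueryJobDelete", "detail": "job=JOB-PLACEHOLDER-1"},
    {"ts": "2025-08-10T09:00:00", "user": "sales-rep@example.com", "ip": "10.1.2.3",
     "action": "SoqlQuery", "detail": "SELECT Id, Name FROM Account WHERE Name LIKE '%Acme%'"},
]

# Integration (service) users and the networks they are expected to call from.
INTEGRATION_USERS = {"chatbot-integration@example.com": [ipaddress.ip_network("10.0.0.0/8")]}

# Terms that, inside a LIKE literal, suggest a search for secrets rather than business data.
SECRET_TERMS = re.compile(r"AKIA|ASIA|password|passwd|secret|token|api[_ ]?key|snowflake", re.I)
LIKE_LITERAL = re.compile(r"LIKE\s+'([^']*)'", re.I)
JOB_ID = re.compile(r"job=(\S+)")
CLEANUP_WINDOW = timedelta(hours=1)


def analyze(events):
    """Return a list of (rule, user, ts) alerts raised over the event stream."""
    alerts = []
    seen_user_ip = set()
    job_created = {}  # job id -> (user, creation time)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip, action, detail = ev["user"], ev["ip"], ev["action"], ev["detail"]

        # Rule 1: an integration identity used from a network it never uses.
        if user in INTEGRATION_USERS and (user, ip) not in seen_user_ip:
            seen_user_ip.add((user, ip))
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in INTEGRATION_USERS[user]):
                alerts.append(("integration_user_from_unexpected_ip", user, ev["ts"]))

        # Rule 2: SOQL whose LIKE patterns search for credential-like strings.
        if action == "SoqlQuery":
            if any(SECRET_TERMS.search(lit) for lit in LIKE_LITERAL.findall(detail)):
                alerts.append(("secret_hunting_soql", user, ev["ts"]))

        # Rule 3: a bulk query job deleted shortly after creation (log clean-up).
        m = JOB_ID.search(detail)
        if action == "BulkQueryJobCreate" and m:
            job_created[m.group(1)] = (user, ts)
        elif action == "BulkQueryJobDelete" and m and m.group(1) in job_created:
            creator, created_at = job_created[m.group(1)]
            if creator == user and ts - created_at <= CLEANUP_WINDOW:
                alerts.append(("job_created_then_deleted", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in analyze(EVENTS):
        print(f"{ts} {rule:40} {user}")
```

None of these rules is conclusive on its own; a legitimate admin might search a case for the word "password" to redact it. The combination, a service identity, a new source network, credential-themed queries and a deleted job within minutes, is what turns the individual signals into an incident.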

“This approach highlights a growing trend,” said Kela. “Attackers are not stealing entire CRM datasets but targeting the crown jewels hidden in SaaS platforms: credentials that open the door to broader cloud and enterprise systems.”
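If the "crown jewels" are credentials pasted into support cases, the cheapest mitigation is to find and redact them before anyone, attacker or not, queries for them. The following added example (not from the article, Kela, or any Salesforce tool) scans constructed case records with a few well-known secret formats; the AWS key values are the documented AWS example credentials, the other values are invented, and the record shape (`id`, `description`) is assumed.

```python
import re

# Patterns for secrets commonly pasted into tickets. The AWS access key id
# format (AKIA/ASIA + 16 uppercase alphanumerics) is public; the other patterns
# are generic key=value heuristics and will produce some false positives.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws[_ -]?secret[^\n:=]{0,20}[:=]\s*([A-Za-z0-9/+]{40})\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "generic_token": re.compile(r"(?i)\b(token|api[_-]?key)\s*[:=]\s*([A-Za-z0-9_\-.]{20,})"),
}

# Constructed support cases. The AWS values are the example credentials AWS
# publishes in its documentation; everything else is made up for this example.
SAMPLE_CASES = [
    {"id": "CASE-0001", "description":
        "Upload fails. Customer config has aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
        "and aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002", "description":
        "Reset done. temp password: Hunter2!2025, please ask the user to change it."},
    {"id": "CASE-0003", "description":
        "Customer reports a slow dashboard, no errors in the logs."},
    {"id": "CASE-0004", "description":
        "Snowflake integration failing with token=SfTok_c0nstructedEXAMPLE_9a8b7c6d5e"},
]


def redact(value, keep=4):
    """Show only the first few characters so a report does not itself leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_records(records):
    """Return [(record_id, pattern_name, redacted_value)] for every secret found."""
    findings = []
    for rec in records:
        text = rec["description"]
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                # The secret value is the last capture group, or the whole match
                # for patterns without groups.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((rec["id"], name, redact(value)))
    return findings


if __name__ == "__main__":
    for rec_id, name, preview in scan_records(SAMPLE_CASES):
        print(f"{rec_id} {name:24} {preview}")
```

Run this over an export of Case and CaseComment text (and any other free-text objects an integration can read) and treat each hit as a redaction task plus a rotation task for the credential concerned; a secret that has sat in a ticket for months should be assumed copied.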

Kela says victim firms in this campaign included Akamai, Cloudflare, Palo Alto Networks, CyberArk, BeyondTrust, Bugcrowd, Proofpoint, Zscaler, Tanium, and Workiva. Data stolen included contact information, support ticket data, and compromised API tokens, depending on the victim.

Salesloft said in September that an investigation by Google’s Mandiant incident response unit showed this campaign started with UNC6395 accessing Salesloft’s GitHub account between March and June. That allowed the download of content from multiple repositories. In addition, the threat actor added a guest user to the account.

Highlights a broader issue

Brian Soby, chief technology officer and co-founder of AppOmni, called the threat by the hackers to assist in legal action against Salesforce “unusual. To our knowledge, it is the first time an attacker has threatened to participate in or leverage existing litigation against the vendor of a compromised platform and its native security tools as part of an extortion campaign. While attackers often pressure customers of a breached product, using lawsuits to increase leverage on the vendor represents a novel escalation,” he said.

However, he said, “at the same time, it’s important to note that ShinyHunters gained access through phishing and stolen customer user credentials, enabling compromise of customer Salesforce instances. Under the Shared Responsibility model, preventing and detecting such activity falls squarely within the customer’s domain. This makes the legal theories driving these lawsuits questionable at best.”

He added that these incidents highlight a broader issue, noting, “many SaaS customers have yet to adopt the tools and practices necessary to effectively meet their Shared Responsibility obligations. What is novel here is the attempt to frame alleged negligence not just against customers, but against the vendor and its native, first-party security tools.”

‘With Salesloft they got lucky’

Johannes Ullrich, dean of research at the SANS Institute, told CSO that Scattered Lapsus$ Hunters is “more of a conglomerate/collective of members of various other groups like Scattered Spider and Lapsus$. The techniques they employ are heavy on social engineering, but with Salesloft, they got lucky in the sense that they were able to leverage their access into Salesloft’s systems to gain access to various companies’ Salesforce data.”

Salesloft’s sales chatbot, to be effective, must interface with Salesforce and other systems using credentials created by the customer. “The attackers stole those credentials from Salesloft and used them to access Salesforce instances of affected companies,” he said. “Any company running the Salesloft agent is potentially at risk.”

The bigger picture, he added, is that this was a software supply chain attack. Modern distributed software uses web services APIs just as traditional software used libraries, Ullrich noted. But, he said, APIs are more difficult to protect.

“Users of these APIs are usually not able to effectively test them, so they place a lot of trust in the companies operating them,” he explained. “The best strategy is to limit your exposure by carefully weighing the risk of an API against the potential benefit it will provide. Any access provided to these remote systems should be carefully tailored to the problem they are trying to solve. However, for example, in the case of Salesloft, its chatbot tool required quite far-reaching access to be useful, and the attackers took advantage.”
