
Salesforce Data Breach: 1 Billion Records Stolen - Hackers Claim Responsibility

October 3, 2025
Hacking Group Threatens Data Release of One Billion Records

A prominent hacking collective, largely operating in English, has established a website dedicated to extorting victims. They are threatening the public release of approximately one billion records obtained from companies utilizing Salesforce cloud databases to store customer information.

The Scattered LAPSUS$ Hunters Group

This loosely affiliated group, previously identified as Lapsus$, Scattered Spider, and ShinyHunters, has launched a dedicated data leak site on the dark web, named Scattered LAPSUS$ Hunters.

The website, initially detected by threat intelligence analysts on Friday and reviewed by TechCrunch, is designed to coerce victims into paying a ransom to prevent the online publication of their compromised data.

The site’s message states, “Contact us to regain control on data governance and prevent public disclosure of your data.” It further urges potential victims, “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”

Recent Data Breaches

Allegedly, over the past several weeks, the ShinyHunters group successfully breached the cloud-based databases of numerous high-profile organizations hosted by Salesforce.

Several companies have already confirmed data theft, including insurance provider Allianz Life, Google, fashion group Kering, airline Qantas, automotive manufacturer Stellantis, credit reporting agency TransUnion, and the employee management platform Workday.

The hackers’ leak site lists potential victims such as FedEx, Hulu (a Disney subsidiary), and Toyota Motors, which have not yet responded to requests for comment.

Ransom Payments and Salesforce

It remains uncertain whether companies known to have been compromised, but not listed on the leak site, have submitted ransom payments to avoid data publication. A ShinyHunters representative informed TechCrunch that “there are numerous other companies that have not been listed,” but refrained from providing further explanation.

The site prominently features Salesforce, demanding the company engage in ransom negotiations, with a threat that “all your customers [sic] data will be leaked” if they do not comply. This suggests that Salesforce has not yet initiated communication with the hackers.

Salesforce's Response

Salesforce spokesperson Nicole Aranda shared a link to the company’s official statement, acknowledging awareness of recent extortion attempts by threat actors.

The statement clarifies, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.” It further asserts, “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Aranda declined to provide additional commentary.

Evolution of Extortion Tactics

For several weeks, security researchers have anticipated that the group would establish a data leak website for extortion purposes.

Historically, such sites have been linked to foreign, often Russian-speaking, ransomware operations. Over the last few years, these cybercrime organizations have shifted their strategies, moving from encrypting victim data and privately demanding ransom to simply threatening public data release unless payment is received.

Updated with statements from ShinyHunters and Salesforce.
