The cybercriminal group **Scattered LAPSUS$ Hunters** (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen **1 billion customer records** from **40 companies’ Salesforce environments**. The gang is demanding **$989.45** to prevent the data from being leaked online, setting an **October 10 deadline** for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior **OAuth token abuse campaign** via **Salesloft’s Drift integration**, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to **UNC6040 (Salesforce-related breaches)**. The group had previously announced retirement but reemerged following arrests of UK teens tied to **Scattered Spider**, suggesting operational shifts. The leaked data reportedly includes **customer records**, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a **platform-level vulnerability**, but the extortion attempt escalates pressure on victims.
Source: https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal2102121100425",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "8/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [
    {'customers_affected': '~40 companies (via Salesforce environments)',
     'industry': 'Cloud Computing / CRM',
     'location': 'San Francisco, California, USA',
     'name': 'Salesforce',
     'size': 'Large (Enterprise)',
     'type': 'Corporation'},
    {'customers_affected': 'Hundreds of organizations (via OAuth abuse)',
     'industry': 'Sales Engagement Software',
     'location': 'Atlanta, Georgia, USA',
     'name': 'Salesloft (Drift integration)',
     'type': 'Corporation'},
    {'industry': 'Various',
     'location': 'Global',
     'name': 'Multiple Unnamed Companies',
     'type': ['Corporations', 'Organizations']}],
 'attack_vector': ["OAuth Token Abuse (via Salesloft's Drift integration)",
                   'Social Engineering',
                   'Credential Stuffing'],
 'customer_advisories': 'Notifications sent to affected organizations (via Salesforce and Google)',
 'data_breach': {'data_exfiltration': 'Claimed by threat actors',
                 'number_of_records_exposed': '1 billion (claimed; unverified)',
                 'personally_identifiable_information': 'Potential (unconfirmed)',
                 'sensitivity_of_data': 'Moderate to High (if PII included)',
                 'type_of_data_compromised': ['Customer data', 'Potentially PII (unconfirmed)']},
 'date_publicly_disclosed': '2024-09-27',
 'description': "A threat actor group calling itself Scattered LAPSUS$ Hunters (SLH) has launched a data-leak site listing about 40 companies’ Salesforce environments, demanding $989.45 to prevent the publication of what it claims is about 1 billion stolen records. The group set an October 10 deadline for Salesforce to negotiate payment or face data leakage. The incident is linked to prior OAuth token abuse campaigns via Salesloft's Drift integration, which affected hundreds of organizations. Salesforce denies platform compromise but acknowledges extortion attempts tied to past or unsubstantiated incidents. The group includes members from Scattered Spider, ShinyHunters, and Lapsus$, some of whom were recently arrested in connection with other high-profile attacks.",
 'impact': {'brand_reputation_impact': 'High (public extortion threats, media coverage)',
            'data_compromised': '1 billion records (claimed by threat actors)',
            'identity_theft_risk': 'Potential (if PII was exposed)',
            'systems_affected': ['Salesforce environments of ~40 companies',
                                 'Customer data via OAuth abuse']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Claimed (via extortion site)',
                           'entry_point': "OAuth tokens via Salesloft's Drift integration",
                           'high_value_targets': ['Salesforce customer data', 'CRM environments']},
 'investigation_status': 'Ongoing (Salesforce, Mandiant, law enforcement)',
 'motivation': ['Financial Gain', 'Extortion', 'Reputation Damage'],
 'post_incident_analysis': {'root_causes': ['OAuth token misuse',
                                            'Third-party integration vulnerabilities (Drift)',
                                            'Potential insider threats or credential theft']},
 'ransomware': {'data_exfiltration': 'Claimed',
                'ransom_demanded': '$989.45 (for all data)',
                'ransom_paid': 'No (as of disclosure)'},
 'references': [{'date_accessed': '2024-09-27',
                 'source': 'The Register',
                 'url': 'https://www.theregister.com/2024/09/27/salesforce_extortion_scattered_lapsus_hunters/'},
                {'date_accessed': '2024-09-26', 'source': 'Salesforce Security Advisory'},
                {'date_accessed': '2024-08-08', 'source': 'Google Threat Intelligence Group'},
                {'date_accessed': '2024-08', 'source': 'Cloudflare (OAuth Abuse Report)'}],
 'regulatory_compliance': {'legal_actions': ['Arrests of UK teens (Scattered Spider members)',
                                             'Ongoing investigations']},
 'response': {'communication_strategy': ['Public security advisory', 'Media statements'],
              'incident_response_plan_activated': 'Yes (Salesforce engaged external experts and authorities)',
              'law_enforcement_notified': 'Yes (US and UK authorities involved)',
              'remediation_measures': ['Customer notifications', 'Investigation of OAuth abuse'],
              'third_party_assistance': ['Mandiant (Google)', 'External cybersecurity experts']},
 'stakeholder_advisories': 'Salesforce security advisory (2024-09-26)',
 'threat_actor': ['Scattered LAPSUS$ Hunters (SLH)', 'Scattered Spider', 'ShinyHunters', 'Lapsus$'],
 'title': 'Scattered LAPSUS$ Hunters Extortion Campaign Targeting Salesforce Environments',
 'type': ['Extortion', 'Data Breach', 'Unauthorized Access'],
 'vulnerability_exploited': "Misconfigured OAuth integrations (historical, via Salesloft's Drift)"}