The cybercriminal group **Scattered Lapsus$ Hunters** breached **Salesloft/Salesforce** and exfiltrated sensitive corporate data, which they threatened to leak publicly. Despite law enforcement (FBI and French authorities) seizing the domains (*breachforums.hn* and its Tor counterpart) used by the group to host the stolen files, the attackers swiftly restored access via alternative channels. The leaked data included proprietary and potentially confidential information from **Salesloft/Salesforce**, alongside files from over **40 other major companies** (e.g., Qantas, Gap, Toyota, Disney). The breach underscores the group’s persistence in extortion and data exposure, even after infrastructure disruptions. While no arrests were made, the incident highlights the escalating risks of **third-party vendor breaches** and the challenges in mitigating **large-scale data leaks** once threat actors gain initial access. The group’s shift from traditional forums to **Telegram** for operations further complicates tracking and enforcement efforts.
TPRM report: https://www.rankiteo.com/company/salesloft
{
  "id": "sal2593525101325",
  "linkid": "salesloft",
  "type": "Breach",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'sales engagement software',
                        'name': 'Salesloft',
                        'type': 'company'},
                       {'industry': 'cloud-based CRM',
                        'name': 'Salesforce',
                        'type': 'company'},
                       {'industry': 'aviation',
                        'location': 'Australia',
                        'name': 'Qantas',
                        'type': 'company'},
                       {'industry': 'retail (apparel)',
                        'location': 'United States',
                        'name': 'Gap',
                        'type': 'company'},
                       {'industry': 'aviation',
                        'location': 'Vietnam',
                        'name': 'Vietnam Airlines',
                        'type': 'company'},
                       {'industry': 'automotive',
                        'location': 'Japan',
                        'name': 'Toyota',
                        'type': 'company'},
                       {'industry': 'entertainment',
                        'location': 'United States',
                        'name': 'Disney',
                        'type': 'company'},
                       {'industry': 'fast food',
                        'location': 'United States',
                        'name': 'McDonald’s',
                        'type': 'company'},
                       {'industry': 'retail (furniture)',
                        'location': 'Sweden/Netherlands',
                        'name': 'Ikea',
                        'type': 'company'},
                       {'industry': 'retail (sporting goods)',
                        'location': 'Germany',
                        'name': 'Adidas',
                        'type': 'company'},
                       {'name': 'BreachForums', 'type': 'cybercriminal forum'}],
 'attack_vector': ['data leak site hosting', 'forum-based extortion'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'potential (not confirmed)',
                 'sensitivity_of_data': 'high (corporate proprietary data)',
                 'type_of_data_compromised': ['corporate files',
                                              'potentially PII (unspecified)']},
 'description': "The domains used by Scattered Lapsus$ Hunters to host data leak websites were seized by law enforcement (FBI and French authorities) just as the group was preparing to leak files stolen in the Salesloft/Salesforce breach. Despite the takedown of clearnet domain (breachforums.hn) and Tor site, the latter was quickly restored, and files from over 40 companies—including Qantas, Gap, Vietnam Airlines, Toyota, Disney, McDonald’s, Ikea, and Adidas—were leaked. The group declared 'the era of forums is over' and announced a pivot to Telegram groups, citing FBI destruction of database backups (2023) and escrow databases as reasons for abandoning forums. No arrests were made.",
 'impact': {'brand_reputation_impact': ['high (for affected companies)',
                                        'moderate (for Scattered Lapsus$ Hunters due to forum shutdown)'],
            'data_compromised': True,
            'identity_theft_risk': 'potential (due to leaked corporate data)'},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['Salesloft',
                                                  'Salesforce',
                                                  '40+ companies (e.g., Qantas, Gap, Disney)']},
 'investigation_status': 'ongoing (no arrests made; forum operations pivoted to Telegram)',
 'lessons_learned': ['Cybercriminal forums remain resilient despite law enforcement takedowns, adapting to alternative platforms (e.g., Telegram).',
                     'Destruction of database backups can disrupt cybercriminal operations but may not fully deter them.',
                     'Collaboration between international law enforcement (FBI/French authorities) is critical for disrupting cybercriminal infrastructure.',
                     'Companies must assume leaked data will be exploited even if initial leak attempts are thwarted.'],
 'motivation': ['financial gain', 'reputation', 'disruption'],
 'post_incident_analysis': {'corrective_actions': ['Strengthen vendor security assessments for platforms handling sensitive data.',
                                                   'Improve international coordination for takedowns of cybercriminal infrastructure.',
                                                   'Develop strategies to mitigate data leaks even after initial disruption of threat actor operations.'],
                            'root_causes': ['Exploitation of cybercriminal forums for data leaks and extortion.',
                                            'Lack of arrests allows threat actors to continue operations under new infrastructure.',
                                            'Insufficient protection of corporate data shared with third-party vendors (e.g., Salesloft/Salesforce).']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Monitor dark web/Telegram channels for leaked data related to the breach.',
                     'Enhance third-party risk management for vendors like Salesloft/Salesforce.',
                     'Prepare incident response plans for data leaks originating from cybercriminal forums.',
                     "Law enforcement should prioritize tracking Scattered Lapsus$ Hunters' new communication channels (e.g., Telegram)."],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'CyberInsider'},
                {'source': 'TechRadar', 'url': 'https://www.techradar.com'}],
 'regulatory_compliance': {'legal_actions': ['domain seizures by FBI/French authorities']},
 'response': {'containment_measures': ['domain seizure (breachforums.hn, Tor site)',
                                       'FBI/French authorities intervention'],
              'law_enforcement_notified': True},
 'threat_actor': 'Scattered Lapsus$ Hunters',
 'title': 'Law enforcement seizes domains used by Scattered Lapsus$ Hunters; Salesloft/Salesforce breach files leaked',
 'type': ['data breach', 'cybercriminal forum takedown', 'extortion']}