Salesforce

A cybercriminal collective known as **Scattered Lapsus$ Hunters** (an alliance of the notorious **ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups**) threatened to leak **one billion records** allegedly exfiltrated from **Salesforce’s systems**, targeting **39 of the world’s largest corporations**, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by **October 10, 2023** would result in the **massive exposure of customer data** across dark web and Clearnet platforms. The leak, if carried out, would compromise **sensitive personal and corporate information** of Salesforce’s high-profile clients, leading to **severe reputational damage, financial fraud risks, and potential regulatory penalties**. The threat underscores a **large-scale, coordinated extortion campaign** that uses ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to **‘target each and every individual customer’** if demands were unmet. The incident highlights the **escalating sophistication of cybercriminal syndicates** in exploiting enterprise vulnerabilities for maximal disruption.

Source: https://www.csoonline.com/article/4071014/fbi-seizes-breachforums-servers-as-threatened-salesforce-data-release-deadline-approaches.html

TPRM report: https://www.rankiteo.com/company/salesforce

"id": "sal5602056101125",
"linkid": "salesforce",
"type": "Ransomware",
"date": "10/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '39 (including Disney, Toyota, '
                                              "Adidas, McDonald's, IKEA, Home "
                                              'Depot)',
                        'industry': 'cloud computing / CRM',
                        'location': 'San Francisco, California, USA',
                        'name': 'Salesforce',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'entertainment',
                        'location': 'Burbank, California, USA',
                        'name': 'Disney',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'automotive',
                        'location': 'Toyota City, Aichi, Japan',
                        'name': 'Toyota',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'sportswear',
                        'location': 'Herzogenaurach, Germany',
                        'name': 'Adidas',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'fast food',
                        'location': 'Chicago, Illinois, USA',
                        'name': "McDonald's",
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'retail / furniture',
                        'location': 'Delft, Netherlands',
                        'name': 'IKEA',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'retail / home improvement',
                        'location': 'Atlanta, Georgia, USA',
                        'name': 'Home Depot',
                        'size': 'large',
                        'type': 'corporation'}],
 'data_breach': {'data_exfiltration': 'alleged',
                 'number_of_records_exposed': 'one billion (alleged)'},
 'description': 'A message on the BreachForums extortion site threatened to '
                'leak one billion records allegedly stolen from the Salesforce '
                'systems of 39 of the largest companies in the world, '
                "including Disney, Toyota, Adidas, McDonald's, IKEA, and Home "
                'Depot. The threat was issued by a super-alliance of the '
                'ShinyHunters, Scattered Spider, and LAPSUS$ ransomware '
                'groups, known as Scattered Lapsus$ Hunters. The group vowed '
                'to carry out the leak via dark web and Clearnet sites if '
                'Salesforce did not pay a ransom by 11:59 p.m. EST on October '
                '10, 2023. The message warned of targeting individual '
                'customers of Salesforce if the company failed to comply.',
 'impact': {'brand_reputation_impact': 'high (potential, due to threat of '
                                       'massive data leak)',
            'data_compromised': 'one billion records (alleged)',
            'identity_theft_risk': 'high (potential, given scale of alleged '
                                   'breach)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'threatened (not yet '
                                                    'confirmed)',
                           'high_value_targets': ['Salesforce customer data '
                                                  '(39 large corporations)']},
 'investigation_status': 'ongoing (allegations not confirmed by Salesforce or '
                         'affected companies as of report)',
 'motivation': ['financial gain', 'extortion'],
 'ransomware': {'data_exfiltration': 'alleged',
                'ransom_demanded': 'unspecified (threatened leak if unpaid by '
                                   'October 10, 2023, 11:59 p.m. EST)'},
 'references': [{'source': 'BreachForums extortion site'}],
 'threat_actor': ['ShinyHunters',
                  'Scattered Spider',
                  'LAPSUS$',
                  'Scattered Lapsus$ Hunters'],
 'title': 'Scattered Lapsus$ Hunters Threatens to Leak One Billion Records '
          'Allegedly Stolen from Salesforce Systems',
 'type': ['data breach', 'extortion', 'ransomware threat']}