Home Depot was listed among the 39 victims of the **Scattered Lapsus$ Hunters** cybercrime group, which breached corporate Salesforce instances via social engineering. The stolen data includes **personal and contact information of customers, employees, and partners**, with specific risks tied to a dedicated file containing **government employees' details**: names, email and postal addresses, and phone numbers. This exposure heightens the risk of **targeted phishing, fraud, and even political violence** against individuals. The breach also involves sensitive data such as **account IDs, dates of birth, passport and Social Security numbers, and purchase histories**, which could fuel identity theft or financial fraud. The group threatens to **publicly leak the data** unless a ransom is paid by **October 10, 2025**, applying pressure through a dark web leak site. Salesforce denies platform compromise but acknowledges extortion attempts linked to "past or unsubstantiated incidents."
Source: https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/
TPRM report: https://www.rankiteo.com/company/the-home-depot
{
  "id": "the5692256100625",
  "linkid": "the-home-depot",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Automotive',
'location': 'Global',
'name': 'Toyota',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Logistics',
'location': 'Global',
'name': 'FedEx',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Entertainment',
'location': 'Global',
'name': 'Disney/Hulu',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Waste Management',
'location': 'USA',
'name': 'Republic Services',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Logistics',
'location': 'Global',
'name': 'UPS',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Mexico',
'name': 'AeroMexico',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'USA',
'name': 'Home Depot',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Hospitality',
'location': 'Global',
'name': 'Marriott',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Vietnam',
'name': 'Vietnam Airlines',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Pharmacy/Retail',
'location': 'USA',
'name': 'Walgreens',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Stellantis',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Food Service',
'location': 'Global',
'name': 'McDonald’s',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Food Service',
'location': 'Global',
'name': 'KFC',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Apparel',
'location': 'Global',
'name': 'ASICS',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Apparel',
'location': 'Global',
'name': 'GAP',
'size': 'Large',
'type': 'Corporation'},
{'name': 'MHM', 'type': 'Corporation'},
{'industry': 'Technology/Imaging',
'location': 'Global',
'name': 'Fujifilm',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Education Technology',
'location': 'USA',
'name': 'Instructure.com – Canvas',
'size': 'Medium',
'type': 'Corporation'},
{'industry': 'Retail/Grocery',
'location': 'USA',
'name': 'Albertsons',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Energy',
'location': 'Global',
'name': 'Engie Resources',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Luxury Apparel',
'location': 'Global',
'name': 'Kering (Gucci, Balenciaga, Brioni, Alexander '
'McQueen)',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Entertainment',
'location': 'USA',
'name': 'HBO Max',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Grocery Delivery',
'location': 'USA',
'name': 'Instacart',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Pet Retail',
'location': 'USA',
'name': 'Petco',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Apparel',
'location': 'Global',
'name': 'Puma',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Luxury Goods',
'location': 'Global',
'name': 'Cartier',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Apparel',
'location': 'Global',
'name': 'Adidas',
'size': 'Large',
'type': 'Corporation'},
{'name': 'TripleA', 'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas Airways',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Automotive Retail',
'location': 'USA',
'name': 'CarMax',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Luxury Retail',
'location': 'USA',
'name': 'Saks Fifth Avenue',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Financial Services',
'location': 'USA',
'name': '1-800Accountant',
'size': 'Small/Medium',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'Europe',
'name': 'Air France & KLM',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Technology/Advertising',
'location': 'Global',
'name': 'Google AdSense',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Cisco',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Jewelry',
'location': 'Global',
'name': 'Pandora',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Credit Reporting',
'location': 'Global',
'name': 'TransUnion',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Luxury Apparel',
'location': 'Global',
'name': 'Chanel',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Retail/Furniture',
'location': 'Global',
'name': 'IKEA',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Financial Services',
'location': 'Vietnam',
'name': 'Credit Institute of Vietnam',
'type': 'Organization'},
{'industry': 'Financial Data',
'location': 'Global',
'name': 'S&P Global',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Red Hat',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Cloud Computing/CRM',
'location': 'Global',
'name': 'Salesforce',
'size': 'Large',
'type': 'Corporation'}],
'attack_vector': ['Social Engineering',
'Compromised Salesforce Instances',
'OAuth Credential Theft (Salesloft/Drift)'],
'customer_advisories': ['Public Security Advisory Issued'],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII, Financial, Government)',
'type_of_data_compromised': ['Personal Information',
'Contact Information',
'Account IDs',
'Dates of Birth',
'Passport Numbers',
'Social Security Numbers',
'Purchase Histories',
'Live Chat Transcripts',
'Government Employee Records']},
'date_publicly_disclosed': '2025-09-27',
'description': 'Scattered Lapsus$ Hunters, a hacker collective combining '
'members of Scattered Spider, Lapsus$, and ShinyHunters, '
'launched a data leak site to extort 39+ organizations whose '
'Salesforce databases were compromised via social engineering. '
'The group demands ransom payments by October 10, 2025, '
'threatening to release stolen customer/employee data '
'(including PII like SSNs, passport numbers, and purchase '
'histories) if unpaid. Salesforce denies platform compromise '
"but acknowledges extortion attempts tied to 'past or "
"unsubstantiated incidents.'",
'impact': {'brand_reputation_impact': ['High (Public Data Leak Site)',
'Threat of Litigation Against '
'Salesforce'],
'data_compromised': ['Personal/Contact Information '
'(Customers/Employees/Partners)',
'Account IDs',
'Dates of Birth',
'Passport Numbers',
'Social Security Numbers',
'Purchase Histories',
'Live Chat Transcripts',
'Government Employee Records (e.g., Home '
'Depot)'],
'identity_theft_risk': 'High',
'legal_liabilities': ['Civil/Commercial Litigation Against '
'Salesforce',
'Potential GDPR/CCPA Violations'],
'operational_impact': ['Potential Phishing/Social Engineering '
'Risks',
'Legal Liabilities',
'Reputational Harm'],
'systems_affected': ['Salesforce Instances',
'OAuth Credentials (Salesloft/Drift)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (Sample Data '
'Published)',
'entry_point': ['Social Engineering (Salesforce)',
'OAuth Credential Theft '
'(Salesloft/Drift)'],
'high_value_targets': ['Salesforce Customer '
'Databases',
'PII-Rich Records']},
'investigation_status': 'Ongoing (Salesforce denies platform compromise; '
'external experts involved)',
'motivation': ['Financial Gain (Extortion)',
'Reputation Damage',
'Legal Pressure on Salesforce'],
'post_incident_analysis': {'root_causes': ['Social Engineering '
'Vulnerabilities',
'Potential Salesforce '
'Misconfigurations',
'OAuth Security Gaps']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Negotiable (Deadline: 2025-10-10)'},
'recommendations': ['Enhance Social Engineering Training',
'Implement Multi-Factor Authentication (MFA) for '
'Salesforce',
'Monitor Dark Web for Stolen Credentials',
'Review OAuth Integrations (e.g., Salesloft/Drift)',
'Proactive Threat Hunting for Compromised Accounts'],
'references': [{'date_accessed': '2025-09-27', 'source': 'Help Net Security'},
{'source': 'DataBreaches.net (Dissent Doe)'},
{'date_accessed': '2025-09-27',
'source': 'Salesforce Security Advisory'}],
'regulatory_compliance': {'legal_actions': ['Threatened Civil/Commercial '
'Litigation Against Salesforce'],
'regulations_violated': ['Potential GDPR',
'CCPA',
'Sector-Specific Data '
'Protection Laws']},
'response': {'communication_strategy': ['Public Advisory',
'Help Portal Support'],
'containment_measures': ['Security Advisory Issued',
'Customer Vigilance Advisories'],
'incident_response_plan_activated': 'Yes (Salesforce)',
'law_enforcement_notified': 'Yes (Salesforce)',
'third_party_assistance': ['External Experts', 'Authorities']},
'stakeholder_advisories': ['Salesforce Help Portal Support',
'Vigilance Against Phishing'],
'threat_actor': ['Scattered Lapsus$ Hunters',
'Crimson Collective (Red Hat breach)'],
'title': 'Scattered Lapsus$ Hunters Data Leak Extortion Campaign Targeting '
'Salesforce Customers',
'type': ['Data Breach', 'Extortion', 'Social Engineering'],
'vulnerability_exploited': ['Human Error (Social Engineering)',
'Potential Salesforce Misconfigurations']}