In early August 2025, the cybercrime collective Scattered Spider publicly exposed screenshots of console access to Victoria's Secret systems, indicating unauthorized access and potential data exfiltration. The group, collaborating with other extortion factions like ShinyHunters and Lapsus$, shared partial customer data samples, suggesting a breach of sensitive information. The attack involved spear-phishing and exploited VPN credentials, followed by in-memory execution of malicious payloads to evade detection. The incident highlights the group's shift toward real-time data theft and extortion, posing significant risks to the company's customer data and operational security.
Source: https://cybersecuritynews.com/scattered-spider-with-new-telegram-channel/
TPRM report: https://www.rankiteo.com/company/victoria's-secret
{
  "id": "vic209081225",
  "linkid": "victoria's-secret",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Fashion',
                        'name': 'Victoria’s Secret',
                        'type': 'Retail'},
                       {'customers_affected': '100-entry customer data sample',
                        'industry': 'Fashion',
                        'name': 'Gucci',
                        'type': 'Retail'},
                       {'industry': 'Fashion',
                        'name': 'Neiman Marcus',
                        'type': 'Retail'},
                       {'industry': 'Fashion',
                        'name': 'Chanel',
                        'type': 'Retail'},
                       {'industry': 'Media',
                        'name': 'Disney',
                        'type': 'Entertainment'},
                       {'industry': 'Finance',
                        'name': 'S&P Global',
                        'type': 'Financial Services'},
                       {'industry': 'Technology',
                        'name': 'T-Mobile',
                        'type': 'Telecommunications'},
                       {'industry': 'Semiconductors',
                        'name': 'Nvidia',
                        'type': 'Technology'},
                       {'name': 'Otelier'},
                       {'industry': 'Cryptocurrency',
                        'name': 'Coinbase',
                        'type': 'Financial Services'},
                       {'industry': 'Restaurant',
                        'location': 'Brazil',
                        'name': 'Burger King Brazil',
                        'type': 'Food Service'},
                       {'industry': 'Sportswear',
                        'name': 'Adidas',
                        'type': 'Retail'},
                       {'industry': 'Networking',
                        'name': 'Cisco',
                        'type': 'Technology'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'U.S. Department of Homeland Security',
                        'type': 'Government'},
                       {'industry': 'Public Sector',
                        'location': 'United Kingdom',
                        'name': 'U.K. Ministry of Justice',
                        'type': 'Government'}],
 'attack_vector': 'Spear-phishing, Exploited VPN credentials',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Customer data, Corporate '
                                             'documents, Server listings, '
                                             'Court filings'},
 'date_detected': 'Early August 2025',
 'date_publicly_disclosed': 'Early August 2025',
 'description': 'In early August 2025, a previously quiet cybercrime '
                'collective known as Scattered Spider resurfaced with a '
                'striking new Telegram channel that aggregates proof of its '
                'intrusions and data exfiltration operations. The channel name '
                'fuses ShinyHunters, Scattered Spider, and Lapsus$, signaling '
                'a collaboration—or at least a shared brand—among several '
                'prolific extortion groups. Within hours of its launch, the '
                'channel published screenshots of console access to Victoria’s '
                'Secret, a 100-entry customer data sample from Gucci, and '
                'lists of sellable databases from Neiman Marcus and Chanel.',
 'impact': {'brand_reputation_impact': 'Significant due to public exposure',
            'data_compromised': 'Customer data, Corporate documents, Server '
                                'listings, Court filings',
            'identity_theft_risk': 'High',
            'operational_impact': 'High alarm across industries'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': 'Spear-phishing, Exploited VPN '
                                          'credentials',
                           'high_value_targets': 'Victoria’s Secret, Gucci, '
                                                 'Neiman Marcus, Chanel, '
                                                 'Disney, S&P Global, '
                                                 'T-Mobile, Nvidia, Otelier, '
                                                 'Coinbase, Burger King '
                                                 'Brazil, Adidas, Cisco, U.S. '
                                                 'Department of Homeland '
                                                 'Security, U.K. Ministry of '
                                                 'Justice'},
 'motivation': 'Financial gain, Extortion',
 'post_incident_analysis': {'root_causes': 'Spear-phishing, Exploited VPN '
                                           'credentials, Windows kernel '
                                           'vulnerabilities'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'DataBreaches.net'}],
 'threat_actor': 'Scattered Spider, ShinyHunters, Lapsus$',
 'title': 'Scattered Spider Cybercrime Collective Resurfaces with New Telegram '
          'Channel',
 'type': 'Data Exfiltration, Ransomware, Extortion',
 'vulnerability_exploited': 'Windows kernel vulnerabilities'}