Hacking Group Claims Theft of 1 Billion Records from Salesforce Customers
Alright, buckle up, because there's some serious stuff going on in the cyber world. A well-known hacking group, known by names including Lapsus$, Scattered Spider, and ShinyHunters, has decided to go public with its extortion tactics. The group has launched a dark web site called Scattered LAPSUS$ Hunters where it is threatening to leak a mountain of data, reportedly around a billion records, pilfered from companies that use Salesforce to manage their customer information.
The hackers are basically saying, "Pay us, or your data gets exposed." It's a pretty straightforward, albeit nasty, approach. Their site states, "Contact us to regain control on data governance and prevent public disclosure of your data." It sounds like something straight out of a spy movie, doesn't it?
Over the past few weeks, this ShinyHunters gang has allegedly been breaking into cloud databases hosted by Salesforce. The list of potential victims is pretty staggering. We're talking about big names like Allianz Life, Google, Kering, Qantas, Stellantis, TransUnion, and Workday. That’s a lot of potentially compromised information floating around.
What I find particularly interesting is that some companies, like FedEx, Hulu, and Toyota Motors, are listed on the hackers' site but haven't confirmed a breach. It makes you wonder if they're trying to keep things quiet or if they haven't even realized they've been hit. A representative from ShinyHunters mentioned there are other companies that haven't been listed, but declined to say why.
The hackers are directly calling out Salesforce, demanding that it negotiate a ransom to avoid a massive data dump. Salesforce, for its part, has acknowledged the "extortion attempts" but claims its platform hasn't been compromised and that the attempts relate to "past or unsubstantiated incidents." The company says it's working with affected customers, but it's a bit of a vague response, if you ask me.
For some time now, security researchers have suspected this group was planning a public shakedown like this. Historically, this kind of thing was more common with ransomware gangs. Now, this group is just threatening to publish the data outright unless it gets paid. It's a sign that the threat landscape is evolving, and not in a good way.
Ultimately, I think the big question is: how many companies will cave and pay the ransom? And what kind of message does that send to other cybercriminals? It’s a complicated situation, and one that I expect will continue to unfold in the coming days and weeks.
Source: TechCrunch