The Scattered LAPSUS$ Hunters, a threat collective combining elements from groups like ShinyHunters, LAPSUS$, and Scattered Spider, has recently unveiled a new data leak site on the dark web aimed at extorting companies affected by its breaches of platforms like Salesloft and Salesforce.
This latest initiative from Scattered LAPSUS$ Hunters lists approximately 40 companies, many of them major brands. The group has threatened to publish the full data sets unless a ransom is paid by October 10, 2025. The leaked information appears to be tied to previously reported breaches of Salesloft and to various social engineering campaigns targeting Salesforce customers.
Salesforce Responds to Threats
In a statement released on October 2, Salesforce acknowledged awareness of the recent extortion attempts and said it is investigating with external experts and law enforcement. The company noted that its findings suggest the threats relate to incidents that are either already known or unverified.
Salesforce reassured its customers, saying, “There is no indication that the Salesforce platform has been compromised, nor is this activity associated with any known vulnerability in our technology. We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.”
To further protect its customers, Salesforce urged heightened vigilance against phishing and social engineering attempts, tactics commonly employed by cybercriminals today.
Allegations Against Salesforce
The Scattered LAPSUS$ Hunters have levied serious allegations against Salesforce, claiming that nearly 1 billion records containing sensitive Personally Identifiable Information (PII) have been exfiltrated from their systems. They issued a stark ultimatum, stating that if their ransom demands are not met by the specified deadline, they will cooperate with numerous law firms pursuing litigation against the company.
The group specifically named the law firm Berger Montague in its threat and expressed intent to report its findings to regulatory compliance authorities. They claimed, “We will also be submitting a full document that outlines how your company, as a data controller under European GDPR and other laws such as CCPA and HIPAA, could have prevented such data thefts.” The document is said to include technical details of how the attacks were executed and of how certain traffic patterns could have been blocked.
The threat collective implied that working with legal authorities on potential criminal proceedings was also on their agenda, insisting that all of these actions could be avoided quickly if Salesforce complied with their demands. They suggested that a settlement could resolve matters for all impacted parties, stating, “Should you comply, we will withdraw from any active or pending negotiation individually from your customers.”
Insight from the Scattered LAPSUS$ Hunters
When queried by The Cyber Express regarding the specific traffic patterns that could have been blocked, a spokesperson for the collective said that while Salesforce itself was not vulnerable, its security measures could have done more to safeguard customer data. They pointed out that the group used multiple Mullvad VPN and Tor exit IP addresses, which could have been detected and blocked with proper preventative measures.
The group criticized Salesforce’s approach to security, suggesting that the company places too much responsibility for security on its customers—a frequently voiced critique of the shared responsibility model prevalent in cloud security. The spokesperson asserted, “Salesforce is effectively saying, ‘You can use our services, but you have to manage your security largely on your own.’” They argued that throughout the situation, Salesforce has largely maintained its stance of non-responsibility, merely advising customers to follow their guidelines for protection.
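The "traffic pattern" the spokesperson refers to is checkable on the defender's side: compare the source address of each login or API read against a feed of Tor exit nodes and VPN provider ranges. The following is an added example, not code from The Cyber Express, Salesforce or Salesloft. It assumes a hypothetical key=value access log, uses constructed feeds built from RFC 5737 documentation addresses rather than real Tor or Mullvad IPs, and treats an anonymized source alone as only a medium signal, escalating to high when the same event also reads data in bulk, since many legitimate users sit behind Tor or a VPN.

```python
"""Flag access events that originate from anonymizing infrastructure.

Added example (not code from the article or from Salesforce/Salesloft): it
demonstrates the check the spokesperson describes, matching source IPs against
a Tor exit list and VPN provider ranges and escalating when such a source also
pulls records in bulk.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed threat-intel feeds. In production these would be refreshed from
# the Tor Project's bulk exit list and the VPN provider's published relay list;
# the addresses below are RFC 5737 documentation ranges, not real exits.
TOR_EXIT_IPS = {"198.51.100.7", "203.0.113.45"}
VPN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample events in a hypothetical key=value schema.
SAMPLE_LOG = """\
2025-09-30T01:12:03Z user=alice@example.com src=10.20.30.40 action=api_query rows=50
2025-09-30T01:13:10Z user=svc-integration src=203.0.113.45 action=api_query rows=250000
2025-09-30T01:14:22Z user=svc-integration src=192.0.2.17 action=api_query rows=120000
2025-09-30T01:15:00Z user=bob@example.com src=198.51.100.7 action=login rows=0
2025-09-30T01:16:41Z user=carol@example.com src=10.20.30.42 action=api_query rows=180000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"action=(?P<action>\S+)\s+rows=(?P<rows>\d+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    source_type: str  # "tor" or "vpn"
    rows: int
    severity: str     # "medium" or "high"


def classify_source(ip_text, tor_exits=TOR_EXIT_IPS, vpn_ranges=VPN_RANGES):
    """Return 'tor', 'vpn' or None for a source address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address: leave to a separate parse-error alert
    if ip_text in tor_exits:
        return "tor"
    if any(ip in net for net in vpn_ranges):
        return "vpn"
    return None


def flag_events(log_text, bulk_rows=100_000,
                tor_exits=TOR_EXIT_IPS, vpn_ranges=VPN_RANGES):
    """Return a Finding for every event sourced from Tor/VPN infrastructure.

    An anonymized source by itself is only 'medium'; it becomes 'high' when
    the same event reads at least bulk_rows records, the combination a data
    theft through a stolen account or token would produce.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        source_type = classify_source(m["src"], tor_exits, vpn_ranges)
        if source_type is None:
            continue
        rows = int(m["rows"])
        severity = "high" if rows >= bulk_rows else "medium"
        findings.append(Finding(m["ts"], m["user"], m["src"],
                                source_type, rows, severity))
    return findings


if __name__ == "__main__":
    for f in flag_events(SAMPLE_LOG):
        print(f"{f.severity:6} {f.source_type:3} {f.user} from {f.src} "
              f"read {f.rows} rows at {f.ts}")
```

Note what this check deliberately does not catch: the bulk read by carol@example.com from an internal address is not flagged, because the rule keys on source infrastructure rather than on volume alone. A volume baseline per account is a separate detection, and the two are stronger together than either is alone. Whether such a rule runs at the SaaS vendor or in the tenant's own monitoring is exactly the shared-responsibility question the group raises.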
Threat Group Tactics and Challenges for SaaS Security
The tactics demonstrated on the Scattered LAPSUS$ Hunters’ data leak site underscore the pressure that cybercriminals apply to compel victim organizations to comply with ransom demands. These developments also highlight the ongoing challenges of securing Software as a Service (SaaS) environments.
Although the collective’s claims are yet to be verified, the list of alleged victims featured on their data leak site includes several prominent brands such as Toyota, FedEx, Disney/Hulu, UPS, Home Depot, Marriott, Walgreens, and many more. These revelations serve as a stark reminder of the critical need for robust cybersecurity measures across all sectors.