Hacker Group Claims Theft of 1 Billion Salesforce Records

Key Takeaway: Notorious hacking alliance demands ransom from Salesforce and its customers after allegedly stealing nearly 1 billion customer records through sophisticated social engineering tactics.


A coalition of prominent cybercriminal groups has launched an extensive extortion campaign targeting cloud computing giant Salesforce and its customers, claiming to have stolen approximately 1 billion records from company databases. The hacking alliance, operating under the unified name “Scattered LAPSUS$ Hunters,” published a dedicated data leak site on the dark web on October 3, 2025, threatening to release stolen data unless ransoms are paid by their October 10 deadline.

Attack Methodology and Victim Impact

Rather than directly compromising Salesforce’s infrastructure, the hackers employed sophisticated social engineering techniques known as vishing (voice phishing) to target the company’s customers. The attackers called IT help desks while impersonating internal staff members to gain unauthorized access to corporate systems.

The cybercriminals also abused OAuth tokens—particularly those issued to the Salesloft-Drift integration—to compromise hundreds of organizations using Salesforce’s customer relationship management platform. This supply chain approach allowed them to reach datasets belonging to many companies through a single point of compromise: a trusted third-party integration rather than any flaw in Salesforce itself.

Major corporations across various industries have confirmed their data was compromised in these attacks. Verified victims include Allianz Life (2.8 million records), Google, Qantas, Stellantis, TransUnion, and Workday. The hackers’ leak site lists additional alleged victims, including FedEx, Hulu (owned by Disney), Toyota Motors, Cisco, McDonald’s, Marriott, IKEA, and luxury brands under LVMH such as Dior, Louis Vuitton, and Tiffany & Co.

According to cybersecurity researcher Milivoj Rajić, who verified multiple samples of the leaked data, the stolen information includes extensive personally identifiable information such as names, dates of birth, passport numbers, employment histories, shipping information, customer support records, chat transcripts, and flight details.

Salesforce’s Response

Salesforce has maintained that its core platform remains secure and was not directly compromised. In an official statement, the company said:

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

The company emphasized that the attacks appear to stem from customer-side security lapses and third-party integrations rather than vulnerabilities in Salesforce’s own systems.

Unique Extortion Tactics

What sets this campaign apart is the hackers’ unprecedented approach to extortion. Beyond targeting individual victim companies, the group is directly demanding ransom from Salesforce itself, threatening to “collaborate with law firms pursuing civil and commercial litigation” against the company and release documentation allegedly showing Salesforce “made little to no attempt to prevent unauthorized access to PII.”

Security expert Brian Soby noted that this represents the first known instance of attackers threatening to participate in existing litigation against a platform vendor as part of an extortion campaign.

Latest Developments

The criminal alliance has indicated they plan to expand their operations beyond the current Salesforce campaign. On their Telegram channel, Scattered LAPSUS$ Hunters announced they would begin extorting additional companies whose data was stolen through OAuth credential abuse from other platforms by the end of October 2025.

Law enforcement agencies and cybersecurity experts believe the group will continue operating under different names rather than truly disbanding—following patterns established by other major cybercrime organizations like the disbanded Conti ransomware group.

The incident highlights the growing sophistication of social engineering attacks and the vulnerabilities inherent in cloud-based ecosystems where trusted integrations can become attack vectors. Security professionals emphasize the importance of implementing robust verification processes for IT support requests and regularly auditing third-party integrations to prevent similar breaches.
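The closing recommendation to audit third-party integrations is concrete enough to show in code. The following is an added example, not code from the article or from Salesforce: it runs a simple review over a constructed inventory of OAuth grants (hypothetical app names, scopes and timestamps) and flags grants that are not on an approved list, carry broad scopes, or have gone unused for more than 90 days. The record layout and the scope names are assumptions; a real audit would pull the inventory from the platform's connected-app or token listing and map the scope names accordingly.

```python
"""Audit third-party OAuth grants for stale, unapproved or over-privileged access.

Added example; the inventory below is constructed and the field names are an
assumption, not Salesforce's actual object model.
"""
from datetime import date, timedelta

# Scope names treated as "broad" (assumption; adjust to the platform's real names).
BROAD_SCOPES = {"full", "refresh_token"}
# A grant unused for longer than this is a candidate for revocation.
STALE_AFTER = timedelta(days=90)

# Constructed inventory of integration grants (hypothetical app names).
GRANTS = [
    {"app": "drift-connector", "scopes": ["api", "refresh_token", "full"],
     "last_used": date(2025, 9, 30)},
    {"app": "analytics-sync", "scopes": ["api"],
     "last_used": date(2025, 5, 1)},
    {"app": "unknown-exporter", "scopes": ["api", "refresh_token"],
     "last_used": date(2025, 10, 1)},
    {"app": "hr-integration", "scopes": ["api"],
     "last_used": date(2025, 10, 2)},
]

# Integrations the security team has actually reviewed and approved (constructed).
APPROVED_APPS = {"drift-connector", "analytics-sync", "hr-integration"}

# Reference date for the staleness check (constructed to match the article's timeline).
TODAY = date(2025, 10, 3)


def audit_grants(grants, approved_apps, today):
    """Return a list of (app, [reasons]) for every grant that needs review.

    A grant is flagged when it is not on the approved list, when it holds any
    broad scope, or when it has not been used within STALE_AFTER.
    """
    findings = []
    for grant in grants:
        reasons = []
        if grant["app"] not in approved_apps:
            reasons.append("not on approved-integration list")
        broad = BROAD_SCOPES & set(grant["scopes"])
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if today - grant["last_used"] > STALE_AFTER:
            reasons.append("unused for more than 90 days")
        if reasons:
            findings.append((grant["app"], reasons))
    return findings


def format_findings(findings):
    """Render findings as one line per flagged grant for a review ticket."""
    lines = []
    for app, reasons in findings:
        lines.append(f"{app}: " + "; ".join(reasons))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(audit_grants(GRANTS, APPROVED_APPS, TODAY)))
```

Run as-is, the script flags three of the four constructed grants and leaves `hr-integration` alone. The useful part is the three checks, not the sample data: an allowlist catches integrations nobody remembers approving, the scope check surfaces grants that can read far more than the integration needs, and the staleness check finds tokens that keep working long after the integration stopped being used, which is exactly the kind of grant an attacker who obtains it can use unnoticed.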

Sources: Information gathered from Reuters, TechCrunch, and various cybersecurity research organizations reporting on the Scattered LAPSUS$ Hunters extortion campaign.