Red Hot Cyber, The cybersecurity news

Scattered LAPSUS$ Hunters Group Returns and Threatens to Release Salesforce Data

Redazione RHC: 6 October 2025 16:09

A group calling itself Scattered LAPSUS$ Hunters has resurfaced after months of silence and the arrest of several of its members. On a new leak site, the attackers published a list of approximately 40 Salesforce corporate environments and demanded a payment of nearly $1 billion ($989.45 million) in exchange for not disclosing the data, which, according to the extortionists, includes approximately one billion customer records. They have set an ultimatum of October 10: if Salesforce does not negotiate, the criminals threaten to publish everything they have stolen.

A Salesforce representative told The Register that the company was aware of the extortion attempts and had conducted an investigation in collaboration with external experts and law enforcement. The official statement said that the incidents were related to previously known or unconfirmed cases and that no signs of compromise of Salesforce's own infrastructure had been found. The company emphasized that the attack was not related to any vulnerability in its technology and that affected customers are receiving support.

However, the situation has its roots in events that occurred in August. It was discovered that attackers had used OAuth tokens associated with Salesloft's Drift integration, which allowed them to access multiple Salesforce instances.

Cloudflare reported that "hundreds of organizations" were affected, with customer information stolen in some cases. Mandiant's team, contracted by Salesloft, was tasked with investigating these incidents, and the Google Threat Intelligence Group later confirmed the extent of the breach. Before the current leak site was launched, Google and Salesforce had already sent warnings to potentially affected companies.

In its August report on the Salesforce hacks, Google highlighted the ShinyHunters group's involvement in the incidents and predicted the emergence of a leak site. At the time, company analysts also noted that the new wave of publications was likely aimed at increasing pressure on victims associated with the recent UNC6040 attacks. That same day, a Telegram channel called Scattered LAPSUS$ Hunters appeared, in which Scattered Spider, ShinyHunters, and Lapsus$ declared their collaboration. However, the channel lasted only a few days and was shut down early the following week.

In mid-September, representatives of Scattered Spider and Lapsus$ publicly announced their retirement from activities, with the stated intention of "enjoying the millions they have accumulated".

But shortly thereafter, two UK teenagers were charged with attacks on Transport for London infrastructure, and American and British investigators linked them to the Scattered Spider group. Another teenager turned himself in to Las Vegas police on September 17, suspected of participating in a series of casino attacks in 2023, also attributed to the same group.

In response to journalists' inquiries, representatives of the new SLH/SLSH Press Newsroom group declined to provide details, confirming only that the decision to resume operations was "related to the recent arrests." They did not comment on the group's structure or on the source of the leaked data.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.