Salesforce Customers Hit by Hackers in Data Extortion Attack

Summary
– A new hacking group called Scattered LAPSUS$ Hunters claims to have stolen large amounts of data from dozens of Salesforce customers.
– The group appears to consist of members from notorious hacking groups Lapsus$, Scattered Spider, and ShinyHunters, who had previously announced their retirement.
– They have listed 39 major organizations on a leak site and are threatening to release the data unless Salesforce pays a ransom.
– Salesforce stated it has no evidence its platform was hacked and believes the claims relate to past or unsubstantiated incidents.
– The hackers are using a novel tactic by threatening to collaborate with plaintiffs in lawsuits against Salesforce as part of their extortion campaign.

A significant data extortion campaign is currently targeting dozens of major organizations using Salesforce’s customer relationship management platform. A newly formed hacking collective, identifying as Scattered LAPSUS$ Hunters, claims responsibility for infiltrating Salesforce instances and stealing approximately one billion records. The group is threatening to publicly release the stolen data unless Salesforce pays a substantial ransom.
This alliance appears to consist of members from three notorious cybercrime groups: Lapsus$, Scattered Spider, and ShinyHunters. While Lapsus$ has been inactive since 2022, Scattered Spider emerged around that time. ShinyHunters, which first appeared in 2020, joined forces with Scattered Spider earlier this year. The groups had jointly announced their retirement just last month, making their re-emergence in this new campaign particularly notable.
On a recently established Tor-based leak site, the hackers have published a list of 39 victim organizations. The list includes globally recognized brands such as Adidas, Air France/KLM, Allianz Life, Cisco, Dior, Disney, FedEx, Google, Home Depot, Kering, Louis Vuitton, Qantas, Stellantis, Toyota, TransUnion, UPS, and Workday. The group claims additional companies were also compromised but are not currently named on their site.
In an official statement, Salesforce maintains that its own platform security remains intact. The company stated it has found no evidence of a breach within its systems and believes the extortion claims are connected to past incidents or remain unsubstantiated. “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” the company announced.
Security experts highlight the unusual nature of this extortion strategy. According to Brian Soby, co-founder and CTO of AppOmni, the hackers are not only targeting the victim organizations but are also attempting to extort Salesforce directly. They claim they will collaborate with plaintiffs in ongoing lawsuits against Salesforce over recent breaches unless Salesforce pays them directly. Soby described this as a novel tactic, noting it is the first known instance where attackers have threatened to leverage existing litigation against a platform vendor as part of an extortion scheme.
The method of compromise is believed to involve social engineering attacks and the use of stolen login credentials rather than exploiting a technical vulnerability in the Salesforce platform itself. This suggests that many affected organizations may not have fully implemented the security tools and practices required under their Shared Responsibility agreements with cloud service providers. Soby added that the attackers are attempting to frame alleged negligence not just against the customers, but also against the vendor and its native security tools, which adds another layer to their extortion strategy.
This incident underscores the persistent and evolving threat posed by sophisticated cybercriminal alliances, even after public announcements of their disbandment.
(Source: Security Week)