
Hackers Extort 39 Victims With New Data Leak Site

Summary

– Scattered Lapsus$ Hunters launched a data leak site to pressure 39 companies into paying ransom for stolen data from their Salesforce databases.
– The group is a collective of members from Scattered Spider, Lapsus$, and ShinyHunters cybercrime groups, targeting organizations like Toyota and FedEx.
– Stolen data includes personal and contact information, account IDs, and sensitive details like passport numbers, with breach dates from April 2024 to September 2025.
– The hackers set an October 10, 2025 deadline for ransom negotiations and threatened to release documentation against Salesforce if it does not comply.
– Salesforce issued a security advisory stating there is no evidence of platform compromise and advised customers to be vigilant against phishing attempts.

A newly formed cybercriminal alliance known as Scattered Lapsus$ Hunters has initiated a data leak platform to coerce nearly forty major corporations into paying ransoms. The group, reportedly composed of former members from Scattered Spider, Lapsus$, and ShinyHunters, claims to have infiltrated corporate Salesforce databases using social engineering tactics. They are now threatening to publish the stolen information unless their demands are met.

The dark web site currently displays thirty-nine affected organizations, including Toyota, FedEx, Disney/Hulu, Republic Services, UPS, AeroMexico, Home Depot, Marriott, Vietnam Airlines, Walgreens, Stellantis, McDonald’s, KFC, ASICS, GAP, MHM, Fujifilm, Instructure.com – Canvas, Albertsons, Engie Resources, Kering (Gucci, Balenciaga, Brioni, AlexanderMcQ), HBO Max, Instacart, Petco, Puma, Cartier, Adidas, TripleA, Qantas Airways, CarMax, Saks Fifth (Avenue), 1-800Accountant, AirFrance & KLM, Google Adsense, Cisco, Pandora, TransUnion, Chanel, and IKEA.

Each listing includes the date of the alleged breach, the category and volume of data taken, and a link to a sample of the compromised information. Breach dates range from April 2024 through September 2025. The stolen data primarily consists of personal and contact details belonging to customers, employees, and business partners. In certain cases, the haul also includes account IDs, birth dates, passport numbers, Social Security numbers, purchase histories, and live chat transcripts.

As noted by the pseudonymous researcher Dissent Doe at DataBreaches.net, this type of information can be weaponized for phishing campaigns and other social engineering schemes. Data revealing high-value purchases could help fraudsters identify lucrative targets. Even seemingly harmless details can endanger individuals, particularly those vulnerable to political violence. Doe highlighted Home Depot’s situation, where a file dedicated to government workers contained names, email and postal addresses, and phone numbers.

Scattered Lapsus$ Hunters has set a deadline of October 10, 2025, for the listed companies to initiate ransom negotiations via corporate email. The same ultimatum applies to Salesforce itself. The hackers claim that if Salesforce cooperates, they will refrain from targeting the thirty-nine victim organizations. They have threatened to assist law firms pursuing civil litigation against Salesforce by releasing documents that allegedly show the company failed to prevent unauthorized access to personally identifiable information (PII).

Following the site’s appearance, Salesforce issued a security advisory acknowledging recent extortion attempts by threat actors. The company stated it investigated these claims with external experts and law enforcement. Its findings suggest the incidents relate to past or unverified events, with no evidence of a platform-wide compromise or exploitation of a known vulnerability in its technology. Salesforce continues to support affected customers and advises vigilance against phishing and social engineering, directing those in need to its Help portal.

The data leak site also includes three entries under the “Salesforce customers” heading that are not connected to the main extortion campaign: Credit Institute of Vietnam, S&P Global, and Red Hat. The Red Hat breach, attributed to a group called the Crimson Collective, is the most recent. The relationship, if any, between Crimson Collective and Scattered Lapsus$ Hunters remains unclear.

In a related development, the hackers announced on Telegram that by the end of the week they will begin extorting additional companies whose data they obtained using stolen OAuth credentials from Salesloft and Drift.

(Source: HelpNet Security)
