1 Billion Records Stolen in Salesforce Data Breach

Summary
– A hacking collective operating under the aliases Lapsus$, Scattered Spider, and ShinyHunters has launched a dark web leak site called Scattered LAPSUS$ Hunters, used to extort victims by threatening to release stolen data.
– The group has stolen about a billion records from companies using Salesforce-hosted cloud databases, targeting firms like Allianz Life, Google, and TransUnion.
– The hackers demand ransom payments to prevent data leaks, with their site listing alleged victims such as FedEx, Hulu, and Toyota Motors, though some companies may have paid to avoid being listed.
– Salesforce stated it is aware of the extortion attempts but indicated there is no evidence of a platform compromise or related vulnerabilities, attributing the incidents to past or unsubstantiated events.
– The campaign follows the broader move away from traditional ransomware: rather than encrypting systems and negotiating privately, the group steals data and publicly threatens to publish it unless paid.
A massive data breach impacting cloud databases hosted by Salesforce has resulted in the theft of approximately one billion customer records, with a well-known hacking collective now threatening to publish the information unless their ransom demands are met. The group, which operates under various aliases including Lapsus$, Scattered Spider, and ShinyHunters, has established a dedicated data leak site on the dark web named “Scattered LAPSUS$ Hunters.” First identified by threat intelligence researchers, the site serves as a platform to extort the affected companies, warning them to make a payment or face public exposure of their sensitive data.
The website explicitly urges victims to make contact, stating, “Contact us to regain control on data governance and prevent public disclosure of your data. Do not be the next headline. All communications demand strict verification and will be handled with discretion.” Security analysts believe the ShinyHunters gang is responsible for infiltrating the cloud-based databases of dozens of prominent organizations over recent weeks.
Numerous high-profile companies have confirmed that their data was compromised in these widespread attacks. Confirmed victims include insurance leader Allianz Life, Google, fashion powerhouse Kering, airline Qantas, automotive manufacturer Stellantis, credit reporting agency TransUnion, and the HR platform Workday. The hackers’ leak site also lists other alleged targets, including FedEx, Hulu (a Disney subsidiary), and Toyota Motors. As of the latest reports, none of those three companies had issued a public statement on the claims.
It remains unclear whether other known victims, whose names do not appear on the public leak site, have secretly paid a ransom to the hackers to keep their data private. When questioned, a ShinyHunters representative confirmed that “there are numerous other companies that have not been listed,” but offered no further explanation.
At the top of their dark web portal, the hackers directly name Salesforce and call on the company to enter into ransom negotiations, warning that otherwise “all your customers [sic] data will be leaked.” The wording strongly implies that Salesforce has so far refused to engage with the extortionists.
In response to inquiries, Salesforce spokesperson Nicole Aranda shared an official company statement acknowledging “recent extortion attempts by threat actors.” The statement continued, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” Aranda declined to provide any additional comments. Note that the statement denies a compromise of the Salesforce platform itself and of any known vulnerability in its technology; it does not say how the attackers obtained access to the affected customers’ individual Salesforce-hosted databases.
Security professionals had anticipated this development, having speculated for weeks that the group, which has traditionally avoided a public online footprint, was preparing to launch a leak site to pressure its victims. Historically, such dedicated leak sites have been a hallmark of foreign, often Russian-speaking, ransomware operations. In a notable shift in tactics over the past few years, these cybercriminal organizations have moved away from encrypting data and making private ransom demands. Instead, they now commonly steal information and then threaten to publish it online unless a payment is received.
(Source: TechCrunch)