Scattered Lapsus$ Hunters Begin Leaking Stolen Salesforce Data 

Published on Oct 14, 2025
Written by Caitlin Harris
Scattered Lapsus$ Hunters Leaks—Surprisingly Little—Salesforce Data

The Scattered Lapsus$ Hunters group has leaked millions of records, allegedly stolen from Salesforce customers in recent months. 

This leak is the latest development in a widespread extortion campaign, during which the group—which comprises members of the Scattered Spider, ShinyHunters, and Lapsus$ cybercrime gangs—took responsibility for a series of attacks against 39 different Salesforce customers and attempted to hold Salesforce to ransom, threatening to leak victims’ data if the CRM provider didn’t pay.

In response to Salesforce’s refusal to pay, the hackers have taken to their onion-based leak site to publish data allegedly stolen from Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines. They also published the data on a clearnet forum and another clearnet website.

According to Have I Been Pwned, data from Vietnam Airlines includes 7.3 million email addresses, as well as names, phone numbers, dates of birth, and loyalty programme membership information.

Meanwhile, Qantas has released a statement saying that the company is working with cybersecurity experts to examine the leak, and has obtained a court injunction to block access to the allegedly stolen data.

“We have also put in place additional security measures, increased training across our teams and strengthened system monitoring and detection since the incident occurred,” the company says, referring to the initial cyberattack that affected approximately 6 million of its customers in July.

Despite having allegedly stolen data from 39 victims, Scattered Lapsus$ Hunters has leaked the data of only six organizations. The group posted in its Telegram channel that it “CAN’T” leak any more data, and reportedly told DataBreaches.Net that some of the victim organizations had in fact paid a ransom, but asked the hackers not to remove them from the leak site so they could “protect themselves.” This claim has not been substantiated.

A Long-Running Campaign

Scattered Lapsus$ Hunters’ campaign against Salesforce began during the summer, when the group allegedly stole data from the Salesforce instances of 39 different Salesforce customers. The attackers used voice phishing techniques to trick employees into connecting their organizations’ Salesforce instances to a malicious OAuth application, which allegedly enabled the attackers to access company data. 

Last week, members of the ShinyHunters extortion group set up a BreachForums leak site, where they posted samples of data they claimed to have stolen from their victims. The threat actors promised not to leak the full extent of the data if Salesforce agreed to pay a ransom:

“Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay,” the group wrote.

In response, Salesforce released the following statement: 

“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”

Days later, the ShinyHunters’ BreachForums domain was taken down following a collaborative operation by the FBI, the US Department of Justice, France’s BL2C cybercrime unit, and the Paris Prosecutor’s Office. However, law enforcement agencies were only able to seize the clearnet version of the domain; the onion version reportedly remained live.

Following the takedown, members of the ShinyHunters group posted on Telegram, promising that the law enforcement action would have “no impact” on the group’s extortion campaign against Salesforce and telling readers to “stay tuned” for 11:59pm ET on October 10th.

A little belatedly, it seems that the attackers have now acted upon that promise, although the leak was far less extensive than many had feared.