Hacker Alliance Demands $989M Ransom, Threatens to Leak 1 Billion Salesforce Records
A group calling itself Scattered LAPSUS$ Hunters has reemerged after months of silence and multiple arrests of its alleged members. On a newly launched leak site, the attackers published a list of approximately forty corporate Salesforce environments and demanded nearly $989.45 million in ransom to prevent the release of data they claim includes around one billion customer records. The ultimatum expires on October 10—if Salesforce refuses to negotiate, the group threatens to publish the stolen information in full.
A Salesforce spokesperson told The Register that the company is aware of the extortion attempt and has conducted an investigation in cooperation with external experts and law enforcement. In an official statement, Salesforce noted that the incidents appear linked to previously known or unconfirmed cases and that no evidence of compromise within its infrastructure has been found. The company emphasized that the attacks are unrelated to any vulnerabilities in its own technologies and assured that affected customers are receiving support.
The situation traces back to events in August, when it was discovered that attackers had abused OAuth tokens via Drift’s integration with Salesloft, granting them access to numerous Salesforce instances. Cloudflare reported that “hundreds of organizations” were affected, with customer data stolen in some cases. Salesloft engaged Mandiant to investigate the breaches, while Google’s Threat Intelligence Group later confirmed the scale of the abuse. Prior to the launch of the leak site, both Google and Salesforce had alerted potentially affected companies.
In its August report on intrusions targeting Salesforce environments, Google attributed the incidents to the ShinyHunters group and predicted the emergence of a leak site. Analysts also noted that the renewed wave of publications was likely intended to intensify pressure on victims associated with recent UNC6040 attacks. That same day, a Telegram channel named Scattered LAPSUS$ Hunters appeared, with Scattered Spider, ShinyHunters, and Lapsus$ jointly declaring a partnership. The channel, however, vanished within days, deleted by the start of the following week.
By mid-September, representatives of Scattered Spider and Lapsus$ publicly announced their retirement from active operations, claiming they intended to “enjoy their accumulated millions.” Shortly thereafter, two British teenagers were charged with attacks on Transport for London’s infrastructure, with investigators in the U.S. and U.K. linking them to the Scattered Spider group. Another teenager surrendered to Las Vegas police on September 17, accused of participating in the 2023 casino attacks also attributed to the same collective.
When approached for comment, representatives of the newly formed SLH/SLSH Press Newsroom declined to discuss specifics, stating only that the decision to resume activity was “connected to recent arrests.” They provided no details regarding the group’s structure or the origin of the leaked data.