Extortion Campaign Targets Salesforce Customer Data
A prominent English-speaking hacking collective, known by various names including Lapsus$, Scattered Spider, and ShinyHunters, has initiated a dark web extortion campaign. The group claims to have stolen approximately one billion records from cloud databases hosted by Salesforce, targeting numerous high-profile companies.
Launch of Dedicated Dark Web Leak Site
The hackers have established a website on the dark web, titled “Scattered LAPSUS$ Hunters,” designed to pressure victim companies into paying ransoms. The site warns, “Contact us to regain control on data governance and prevent public disclosure of your data. Do not be the next headline. All communications demand strict verification and will be handled with discretion.” This public-facing platform marks a shift from the group’s historically low-profile operations, signaling a more aggressive extortion approach.
Notable Victims Confirmed
- Insurance giant Allianz Life
- Google
- Fashion conglomerate Kering
- Airline Qantas
- Automaker Stellantis
- Credit bureau TransUnion
- Employee management platform Workday
Additional companies such as FedEx, Hulu (Disney-owned), and Toyota Motors are also listed on the hackers’ leak site, though these organizations have not publicly commented.
Salesforce Response and Security Status
At the top of their site, the hackers directly call on Salesforce to negotiate a ransom, threatening to release customer data otherwise. Salesforce has publicly denied any compromise of its platform. In a statement, spokesperson Nicole Aranda said, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” Salesforce has not disclosed further details or engagement with the extortionists.
Evolution of Ransomware and Extortion Tactics
Security experts note a shift in cybercriminal behavior from traditional ransomware attacks involving data encryption to public threats of data exposure. These tactics aim to coerce victims into paying ransoms to avoid reputational damage and operational risks. Historically, such leak sites have been associated with foreign ransomware groups, often Russian-speaking, but this group’s predominantly English-speaking profile marks a notable divergence.
FinOracleAI — Market View
The recent claims of data theft from Salesforce-hosted databases underscore ongoing vulnerabilities in cloud-based data storage and the increasing sophistication of cyber extortion groups. While Salesforce denies platform compromise, the breadth of affected customers indicates significant risk exposure.
- Opportunities: Strengthening cloud security protocols and incident response capabilities; expanding cybersecurity insurance markets; accelerating adoption of zero-trust architectures.
- Risks: Heightened reputational damage for affected companies; potential regulatory scrutiny over data protection failures; increased costs related to breach remediation and legal liabilities.
Impact: This extortion campaign highlights the persistent threat posed by organized cybercriminal groups targeting cloud infrastructure, emphasizing the need for enhanced cybersecurity vigilance across enterprises reliant on third-party platforms.
