A cyber criminal collective calling itself Scattered LAPSUS$ Hunters claims to have stolen almost 1 billion records from companies that use Salesforce cloud software.
The group says these records include personally identifiable data. It also asserts responsibility for earlier hacks of British names such as Marks & Spencer, Co-op, and Jaguar Land Rover.
Salesforce Denies a System Breach
Salesforce has strongly denied the claims, saying there is “no indication” that its platform itself “has been compromised.”
Rather than hacking Salesforce directly, the attackers say they targeted Salesforce customers using a method called “vishing” (voice phishing). In this tactic, they call IT help desks while impersonating employees in order to obtain credentials and access.
One hacker, identifying themselves as “Shiny,” said they tricked customer support staff and convinced them to install a modified version of Salesforce’s Data Loader tool — enabling large-scale data extraction.
Leak Site and Ransom Pressure
The group published a dark-web leak site listing around 40 companies they claim to have breached. It is unclear whether all listed firms are Salesforce customers.
Neither the hackers nor Salesforce has confirmed whether ransom negotiations are underway.
Links to Known Cyber Threats
Security researchers have tracked these operations to UNC6040, a group known for social engineering and Salesforce-targeted tactics.
Earlier in the year, similar campaigns were observed in which employees were tricked into installing altered versions of Data Loader, which were then used to extract data.
The infrastructure used in this campaign shows overlaps with “The Com,” a loosely organized cybercrime network.
Ongoing Implications
- The authenticity of the hackers’ claim remains unverified.
- If true, this would be among the largest corporate data thefts tied to cloud services in recent years.
- The case highlights how attackers are shifting toward third-party targeting — exploiting clients rather than software vendors directly.
- The incident raises serious concerns over data security, identity theft, and the integrity of vast customer datasets across industries.








