Full Report
After days of endlessly urging Salesforce or the affected companies to pay them so that their data would not be leaked, the deadline for Salesforce to pay came and went. And as it went, ScatteredLAPSUS$Hunters leaked data from six of the 39 companies listed on its dark web leak site. But that’s where the massive leak that...
Analysis Summary
# Incident Report: Failed Massive Data Leak by ScatteredLAPSUS$Hunters
## Executive Summary
The threat actor group ScatteredLAPSUS$Hunters threatened a massive data leak of data allegedly obtained from Salesforce customers, claiming over a billion records. However, after its own deadline passed, the group leaked data relating to only six of the 39 listed companies: Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. The group gave confusing and contradictory explanations for not releasing the remaining data, stating either that they "can't" leak it or that all the data had already been leaked, indicating a failure to maximize impact despite significant prior threats.
## Incident Details
- Discovery Date: Leading up to October 12, 2025 (Date of reporting/deadline passing)
- Incident Date: Around October 12, 2025 (Deadline for Salesforce payment)
- Affected Organizations: The 39 organizations that ScatteredLAPSUS$Hunters claims were impacted via their Salesforce environments. Qantas is confirmed as one of the six victims whose data was leaked.
- Sector: Technology (SaaS), Airlines, Retail, Utilities, Manufacturing/Technology
- Geography: Global (Implied by international victims like Qantas and Vietnam Airlines)
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated, but prior to October 2025.
- Vector: Implied compromise targeting Salesforce or its customers, leading to claims of accessing data from 39 distinct organizations.
- Details: Threat actors claimed access to a large dataset related to Salesforce customers (989.45m+ records) and demanded a ransom from Salesforce, threatening to leak individual customer data if payment was refused.
### Lateral Movement
- Details: Not specified, beyond the initial compromise allowing access to these specific customer datasets.
### Data Exfiltration/Impact
- Date/Time: Following the deadline (around October 12, 2025).
- Details: Data from six companies (Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources) was released across multiple platforms (dark web onion site, a clear net forum requiring credits, and a free clear net leak site). Data from the remaining 33 organizations was *not* leaked.
### Detection & Response
- Details: Detection occurred when the threat actors' deadline passed and the initial leaks began. Qantas had previously obtained a court injunction seeking to prevent the use of, or access to, its stolen data. The threat actors' subsequent failure to leak further data effectively halted the intended mass impact.
## Attack Methodology
- Initial Access: Unspecified compromise leading to access to Salesforce-related customer data.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, though the breach itself demonstrates successful evasion prior to data exfiltration.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Data intended to encompass records from 39 Salesforce customers.
- Exfiltration: Leaked data was distributed across three distinct distribution platforms (an onion site, a credit-gated clear net forum, and a free clear net leak site) following the deadline.
- Impact: Limited leakage, affecting only six of the 39 threatened organizations.
## Impact Assessment
- Financial: Not specified, although Qantas received media coverage for pursuing an injunction. Salesforce stock dropped slightly, though analysts attributed the bulk of the decline to AI investments and flat revenues rather than to the threat itself.
- Data Breach: Data from Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources was leaked; the extent of the specific data types leaked for these six is not detailed (only that data was leaked). Data for 33 other entities was *not* released.
- Operational: Minimal direct operational impact reported, as the threat failure meant the intended mass disruption did not materialize.
- Reputational: Reputational damage occurred to the six companies whose data was exposed, and significant reputational damage to the threat actor group due to their failure to follow through on their threats.
## Indicators of Compromise
- Network indicators: No specific addresses or domains are given; links to the Limewire file-distribution platform were shared on a clear net forum.
- File indicators: Not specified.
- Behavioral indicators: Threat actors migrated distribution platforms from an onion site to a clear net forum/site when the deadline approached.
## Response Actions
- Containment: Qantas pre-emptively initiated legal action by obtaining a court injunction. Specific containment actions by the 39 victims are unknown, though Salesforce publicly indicated it would not pay the ransom.
- Eradication: Not applicable at the time of reporting, as the incident concluded with a fizzle rather than a full execution.
- Recovery Actions: Not specified.
## Lessons Learned
- Threat actors often fail to follow through on massive ransom/leak threats, even when setting clear deadlines.
- Even when threat actors claim to have received payment (or suggest they have), they may not remove associated listings, making the presence of a listing unreliable as evidence of payment.
- Victims should not feel obligated to pay ransom demands, as the threat might not materialize fully, or payment does not guarantee deletion/non-disclosure, as evidenced by the threat actors' own statements.
- When the number of entities a threat actor claims to have compromised far exceeds the number it actually leaks, the odds favor the victims.
## Recommendations
- Organizations receiving ransom demands, especially those related to third-party SaaS providers like Salesforce, should prioritize security remediation and disclosure protocols over payment, as successful data leak follow-through is inconsistent.
- Maintain robust data backup and segregation strategies to minimize the impact of vendor supply chain compromises.
- Organizations should continue to adhere to the principle that paying threat actors reinforces criminal behavior and does not guarantee data deletion, referencing the inconsistent behavior seen in this incident.