Full Report
In their newest escalation of activities since saying “goodbye” and then determinedly trying to create more chaos on Telegram, the Scattered LAPSUS$ Hunters collective (for lack of a better word right now) has opened up a leak site in both clear net and onion versions. In its debut, the group has targeted Salesforce, and is...
Analysis Summary
# Incident Report: Salesforce Customer Data Extortion by Scattered LAPSUS$ Hunters
## Executive Summary
The threat group known as Scattered LAPSUS$ Hunters has established a leak site, threatening to release over 1 billion records belonging to Salesforce customers unless a ransom is paid by October 10, 2025. The compromise appears to involve multiple Salesforce clients, with attack timelines ranging from early 2024 to recent dates, resulting in the potential exposure of sensitive customer and employee data across various sectors. Response actions by affected entities are currently unknown, though the attackers claim they will cease individual extortion attempts if Salesforce pays the central ransom.
## Incident Details
- Discovery Date: October 3, 2025 (Public disclosure of leak site)
- Incident Date: Attack timelines reported vary, ranging from early 2024 to recent dates.
- Affected Organization: Salesforce, Inc. (as the central target for payment/leaked data source) and dozens of their downstream clients (e.g., Disney, Hulu, Kering, Walgreens, Home Depot).
- Sector: Mixed (CRM/Technology, Retail, Hospitality, Healthcare implications via customer data).
- Geography: Not specified, but affects global clients.
## Timeline of Events
### Initial Access
- Date/Time: Varies, some incidents date back to early 2024.
- Vector: Not explicitly detailed; the reporting implies that attackers gained access to Salesforce instances or to client environments that use Salesforce CRM.
- Details: The method of initial compromise for the dozens of listed victims is undisclosed, but the outcome in each case is access to data stored or processed via Salesforce.
### Lateral Movement
- Details: Not specified in the reporting; lateral movement is generally assumed to follow once initial access to the system hosting the data has been gained.
### Data Exfiltration/Impact
- Details: Data exfiltration from at least 39 distinct client entities linked to Salesforce. The group claims to hold between 989.45 million and more than 1 billion records. Compromised data types include customer PII, high-wealth purchase records (Kering), and sensitive employee data (Walgreens, Home Depot government employee lists).
### Detection & Response
- Detection: The threat group announced the compromise via a newly launched leak site (clear net and onion versions) on October 3, 2025.
- Response Actions: Salesforce and affected entities are under pressure to negotiate or resolve the ransom demand before the October 10, 2025 deadline. Individual client responses (notifications, remediation) are currently unconfirmed.
## Attack Methodology
- Initial Access: Unknown (Implied misconfiguration or exploitation targeting Salesforce or client integrations).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Broad collection of customer relationship management (CRM) data, employee records, and transaction details across multiple client environments.
- Exfiltration: Large-scale data transfer resulting in data sets measured in GB per victim.
- Impact: Extortion via public data leak threat.
## Impact Assessment
- Financial: Unspecified ransom demand; potential costs associated with mandatory client notifications and remediation for dozens of entities.
- Data Breach: Massive scale (1B+ records). Data includes PII, high-value customer purchase history, and employment details (including potential home addresses of government employees).
- Operational: Potential operational disruption for targeted companies if public data leaks result in heightened scrutiny or remediation efforts.
- Reputational: Significant reputational damage to Salesforce for failing to adequately secure client data processing environments, and to downstream clients for data loss.
## Indicators of Compromise
- Network Indicators: None specified; the leak-site URLs in the source reporting were defanged.
- File Indicators: (None specified).
- Behavioral Indicators: Creation and publication of a new dedicated extortion leak site referencing specific client targets and ransom deadlines.
## Response Actions
- Containment measures: Unknown.
- Eradication steps: Unknown.
- Recovery actions: Unknown (Implied negotiation or data restoration efforts pending).
## Lessons Learned
- Key takeaways: Reliance on third-party/CRM systems (Salesforce) introduces centralized risk that can impact numerous downstream organizations simultaneously. Data exposure affects individuals (customers and employees) by making them prime targets for subsequent social engineering attacks.
- What could have been done better: Proactive monitoring for third-party data exposure, robust segmentation of sensitive data within CRM platforms, and timely public disclosure by affected entities for any breaches that occurred earlier in 2024.
## Recommendations
- Prevention measures for similar incidents: Mandate rigorous external audits of data handled by critical third-party processors like Salesforce. Implement stringent access controls and data minimization practices within CRM environments to reduce the blast radius of any security failure. Establish clear mandatory disclosure policies for data compromises facilitated by shared technology platforms.