A dangerous cybercriminal collective, infamous for a string of high-profile attacks, is now threatening to expose nearly one billion records allegedly stolen from major corporations that use Salesforce for customer data management. The group, which operates under a shifting array of aliases including Lapsus$, Scattered Spider, and ShinyHunters, has established a new dark web portal specifically for this extortion campaign, dramatically escalating the stakes for the affected businesses.
The newly launched site, dubbed “Scattered LAPSUS$ Hunters,” serves as a direct channel for corporate extortion. It features a stark warning to potential victims, urging them to make contact to “regain control on data governance and prevent public disclosure of your data.”
The message is clear: pay to avoid becoming the next major data breach headline. The group claims to have infiltrated the cloud-based databases of dozens of prominent companies over recent weeks, explicitly naming Salesforce and demanding the cloud giant itself enter into negotiations to prevent a catastrophic leak of all its customers’ data. The public nature of this threat suggests the hackers believe Salesforce has so far refused to engage.
In response to the escalating situation, Salesforce has issued a formal statement acknowledging awareness of the extortion attempts. A company spokesperson directed attention to their position, which downplays the immediate threat to its infrastructure. The statement indicates that their investigation points to these attempts being linked to “past or unsubstantiated incidents,” and they are working with customers who may be impacted. Crucially, Salesforce asserts there is no evidence that its core platform has been compromised or that the activity exploits a specific vulnerability within its technology, shifting the focus toward potential security lapses at the individual client level.
Saleforce has posted a community message update on their website.
Security Advisory: Ongoing Response to Social Engineering Threats
We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.
We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.
For detailed guidance, please review our blog post on protecting against social engineering (https://www.salesforce.com/blog/protect-against-social-engineering) and reach out through the Salesforce Help portal if you need support.
Posted 8:58 am PDT, Oct 02 2025 · Last updated 8:58 am PDT, Oct 02 2025
