
UPDATE: The Scattered LAPSUS$ Hunters dark web site initially appeared to have been hacked (tip from Jason Geigel - see the screenshot below), and around the same period police seized some of the group's domains. The dark web site that hosted the original 6 leaks is now offline. The group announced in a Telegram channel that it would not release any further information until 2026, likely due to the increased police scrutiny and a possible reorganization of the group and its methodologies. In addition, they may simply not have any additional data to ransom and release.

ORIGINAL STORY:
The Salesforce data leak occurred around October 1, 2025. It involved unauthorized access to Salesforce customer cloud instances. Approximately 1 billion records from 39 companies were potentially impacted. The group responsible, Scattered LAPSUS$ Hunters, claims to have "over 166M+ records of Personally Identifiable Information (PII)" from companies including Toyota, FedEx, Google, Walgreens, Adidas, and Disney/Hulu, among others.
The hacker group Scattered LAPSUS$ Hunters, which includes members from groups like ShinyHunters and Lapsus$, has now begun to leak the data after Salesforce refused to pay the ransom following an October 10th deadline. A popup message on the Scattered LAPSUS$ Hunters dark web site says, "Don't be the next headline, protect yourself, your customers, make the right decision, and reach out to us," followed by an @onionmail.com email address. The group now appears to be seeking ransom payments from the individual companies that were affected. To date, they have publicly released the data of six of the affected companies: Qantas, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources.
While some data has been released, the claims by Scattered LAPSUS$ Hunters of "over 166M+ records of Personally Identifiable Information (PII)" and the list of affected companies come directly from the group itself. The specific companies actually breached and the extent of those compromises remain unclear. Multiple types of attacks were reported in the Salesforce data compromise, including voice phishing (vishing), social engineering, OAuth token abuse, and API exploitation. Some attacks were more successful than others, meaning it was not a single uniform method producing the same results. The data currently being released likely reflects the group’s most successful breaches as they aim to extort other companies that may or may not have suffered similar compromises.

