A cybercrime collective known as Scattered LAPSUS$<\/a> Hunters has launched a new data leak site on the dark web, claiming it holds nearly one billion records from Salesforce customers.<\/p>\n The group is orchestrating a widespread blackmail campaign, setting a ransom deadline of October 10, 2025. They have threatened to publish sensitive data and technical details if their demands are not met.<\/p>\n The threat actors allege that significant security lapses at Salesforce, including inadequate two-factor authentication (2FA) and OAuth protections, enabled them to compromise over 100 Salesforce instances. <\/p>\n Their new onion site lists numerous high-profile companies as victims of the data theft, including Toyota Motor Corporation, FedEx, UPS, Adidas, Disney\/Hulu, and McDonald\u2019s. <\/p>\n Other prominent names listed are Qantas, Aerom\u00e9xico, Vietnam Airlines, Stellantis, IKEA, KFC, GAP, and the educational platform Canvas by Instructure.<\/p>\n Scattered LAPSUS$ Hunters is not a new entity but rather a coalition of members from some of the most infamous hacking groups, including ShinyHunters, Scattered Spider<\/a>, and Lapsus$.<\/p>\n This alliance has been linked to a series of major cyberattacks throughout 2025, with a particular focus on Salesforce environments. The group\u2019s formation represents a \u201ctrinity of chaos,\u201d combining different skill sets to execute complex intrusion campaigns.<\/p>\n A blend of sophisticated social engineering and technical exploitation characterizes their methods. Attackers have been observed using voice phishing (vishing)<\/a> campaigns, where they impersonate IT support staff in phone calls to trick employees.<\/p>\n During these calls, victims are guided to authorize a malicious application, which captures OAuth tokens<\/a>. These tokens grant the attackers persistent access to the company\u2019s Salesforce environment, effectively bypassing multi-factor authentication controls and allowing for the mass exfiltration of CRM data.<\/p>\n The Salesforce campaign highlights a strategic evolution in cybercrime tactics. Instead of relying on traditional ransomware that encrypts files, groups like Scattered LAPSUS$ Hunters are focusing on data theft and extortion.<\/p>\n The leverage is not the disruption of systems but the public exposure of stolen data, which can lead to customer backlash, regulatory fines, and severe reputational damage.<\/a><\/p>\n In mid-2025, actors associated with this collective claimed to have stolen 1.5 billion Salesforce records from 760 companies by compromising OAuth tokens linked to third-party integrations like Salesloft and Drift<\/a>.<\/p>\n The attackers often release fragments of the stolen data as proof, holding back the full dataset to maximize pressure during negotiations. <\/p>\n This incident follows a pattern seen in earlier 2025 attacks on companies like Google, Jaguar Land Rover<\/a>, and LVMH, where the same collective claimed responsibility.<\/p>\n Despite a recent \u201cfarewell letter\u201d announcing their distribution, security experts believe the group has simply rebranded, and the threat of large-scale data leaks remains significant.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n <\/a><\/p>\n The post Scattered LAPSUS$ Hunters Announced Salesforce Breach List On New Onion Site<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQ9KkoS73oEGF7aanu2_k2hNRwaq8C82UoweOIHDPZe8T0-G6V5eBBjZI_XUhlFMSbFsg4fhIrlObptqjU0Kl5TCzQTCtSBOKtN6bOzwBU3zCmO-Thz73g583dXJZj9-D3q8RyfxuJekHW7S2vAWPOIxIwM956US9oObNhlHMdpLqvnGCGvGcSQkon3AFG\/s16000\/Scattered%2520LAPSUS%2524%2520Hunters%2520Listing.webp?ssl=1\")
<\/figure>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgUII3dJnWbiIzXuWHzEfWSn8CCpmkhMO-YE4ocZcCznFYs_0HQuf7g2iWJNujXWr_fHfA6nyFZcUagDPObeXpVO3uAwT7o79tBsaXABT4T_3z1c8H5zUWfuHVbZW5VMpTx0rAbppX8mpGbGi9Ws0IXpe6Dtbo_IS4VXYBUS2BOL9I5hFPHaH7-NintY3Gg\/s16000\/Scattered%2520LAPSUS%2524%2520Hunters%2520Listing1.webp?ssl=1\")
<\/figure>\n\nScattered LAPSUS$ Hunte<\/strong>rs Listings<\/strong>
\n<\/h2>\n