A cybercriminal group calling itself “Scattered LAPSUS$ Hunters” has claimed responsibility for one of the largest data thefts in recent years, alleging that it stole nearly one billion records from companies using Salesforce software. The group says the stolen data includes personally identifiable information (PII) and was obtained through targeted attacks on UK-based retailers and other global enterprises.
The hackers did not breach Salesforce’s core systems directly. Instead, they employed “vishing” — voice phishing — to impersonate employees and manipulate IT help desks at Salesforce client companies. In some cases, attackers reportedly convinced staff to install a tampered version of Salesforce’s proprietary Data Loader tool, enabling bulk extraction of sensitive data.
Salesforce has denied any compromise of its platform. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a company spokesperson stated.
The group published a leak site on the dark web listing around 40 companies it claims to have breached. While the full scope of affected organizations remains unclear, previously targeted firms include Marks & Spencer, Co-op, and Jaguar Land Rover. Additional alleged victims span sectors such as retail, hospitality, and luxury goods, with names like McDonald’s, IKEA, Marriott, Chanel, and Cartier reportedly impacted.
Security researchers at Google’s Threat Intelligence Group, which tracks the hackers under the designation “UNC6040,” have linked the campaign’s infrastructure to “The Com,” a loosely organized cybercriminal ecosystem known for fraud and occasional violent activity. The group is believed to include members from ShinyHunters, Scattered Spider, and LAPSUS$.
In July, British police arrested four individuals under the age of 21 in connection with cyberattacks that disrupted operations at several UK retailers. Legal repercussions are mounting, with at least 14 lawsuits filed in Northern California against Salesforce, alleging negligence and privacy violations.
The hackers have threatened to release the stolen data unless ransom demands are met by October 10, 2025. Salesforce has declined to confirm whether negotiations are underway.
This incident underscores the growing threat of social engineering attacks targeting enterprise software ecosystems. Experts urge organizations to strengthen authentication protocols, monitor third-party integrations, and invest in employee security training to mitigate such risks.