Hackers Claim Theft of 1 Billion Salesforce-Hosted Records – Ankor Tech

A notorious cybercriminal collective is actively extorting high-profile organizations after allegedly stealing one billion records from cloud databases hosted by Salesforce. The group, known for its shifting aliases—including ShinyHunters, Lapsus$, and Scattered Spider—has launched a dedicated dark web portal, titled “Scattered LAPSUS$ Hunters,” to facilitate these extortion demands.

Threat intelligence researchers identified the site this past Friday. The platform serves as a pressure tactic, forcing victims to pay ransoms to prevent the public disclosure of sensitive customer information. “Contact us to regain control on data governance and prevent public disclosure of your data,” the site warns. “Do not be the next headline.”

[Image: A screenshot from the ShinyHunters hacking group's leak site, which claims 1 billion records stolen from Salesforce databases.]

Massive Data Breach Impacts Global Giants

The scope of the operation is extensive, with numerous industry leaders confirming they have been targeted in the recent wave of cloud database breaches. Companies that have already acknowledged the theft of their data include Allianz Life, Google, Kering, Qantas, Stellantis, TransUnion, and Workday.

Furthermore, the hackers’ leak site explicitly names other potential victims, such as FedEx, Hulu, and Toyota Motors. While these organizations have yet to publicly address the claims, the attackers hinted that the list of affected parties is far more extensive than what is currently displayed, though they declined to provide specific details on why certain companies remain unlisted.

Salesforce Denies Platform Vulnerability

The extortionists have specifically targeted Salesforce, demanding that the cloud giant negotiate a ransom to prevent further leaks. The confrontational tone on the group’s website suggests that Salesforce has thus far refused to engage with the threat actors.

In an official statement, Salesforce spokesperson Nicole Aranda acknowledged the company is “aware of recent extortion attempts by threat actors.” However, the company firmly maintains that its own infrastructure remains secure. According to the company, the current incidents relate to “past or unsubstantiated” events, and there is “no indication that the Salesforce platform has been compromised,” nor are there any known vulnerabilities involved in this activity.

The Evolution of Digital Extortion

Security analysts have been tracking the group’s activities for weeks, noting a shift in strategy. While the gang has historically maintained a low profile, the launch of a public leak site signals an evolution in their operational model.

This tactic mirrors the methods previously employed by foreign ransomware syndicates, which have moved away from traditional data encryption toward “double extortion.” In this model, the primary threat is the public release of exfiltrated data rather than the disruption of business operations through encryption, significantly raising the stakes for any company handling massive volumes of consumer information.