New 'Scattered Lapsus$ Hunters' Gang Extorts 39 Salesforce Customers on Leak Site

Scattered Lapsus$ Hunters Collective Launches Leak Site, Extorting Salesforce and 39 High-Profile Customers

Severity: HIGH
Published: October 7, 2025
Updated: October 8, 2025
5 min read
Threat Actor, Data Breach, Ransomware

Impact Scope

Affected Companies

Toyota, FedEx, Disney/Hulu, Republic Services, UPS, AeroMexico, Home Depot, Marriott, Vietnam Airlines, Walgreens

Industries Affected

Technology, Retail, Transportation, Hospitality, Manufacturing, Media and Entertainment, Finance, Other

Related Entities (initial)

Threat Actors

Scattered Lapsus$ Hunters, Scattered Spider, Lapsus$, ShinyHunters

Organizations (Other)

Cisco, Toyota, FedEx, Disney/Hulu, Marriott, Home Depot, IKEA, Qantas Airways

Full Report (when first published)

Executive Summary

A new threat group, Scattered Lapsus$ Hunters, has publicly surfaced, claiming an affiliation with notorious groups like Scattered Spider, Lapsus$, and ShinyHunters. On the weekend of October 4-5, 2025, the group launched a dark web data leak site listing 39 high-profile organizations as victims of a large-scale data breach. The targeted data allegedly originates from the victims' Salesforce environments. The list of victims includes major brands like Cisco, Toyota, and Marriott. The group claims to have stolen nearly one billion records containing sensitive PII and has set an October 10, 2025, deadline for ransom negotiations. In a novel extortion tactic, the group has also demanded payment from Salesforce itself to prevent the data of the 39 victims from being leaked. The initial vector is believed to be social engineering, specifically vishing attacks targeting IT support staff to gain access to user credentials.


Threat Overview

Scattered Lapsus$ Hunters represents a potential evolution of social engineering-focused threat actors, combining the tactics of several infamous groups. Their primary objective is data theft for financial extortion. The current campaign targets organizations that rely on Salesforce for customer relationship management and other business functions. The group's decision to create a public leak site and engage in multi-pronged extortion (targeting both the victims and their software vendor) indicates a high degree of confidence and a desire for maximum psychological impact.

Attack Methodology

Based on reports and the known TTPs of the alleged affiliate groups, the attack likely follows this pattern:

  1. Reconnaissance: The attackers identify employees at target organizations, particularly those with privileged access, using professional networking sites and data broker services. (T1592 - Gather Victim Host Information)
  2. Initial Access: The group conducts vishing (voice phishing) attacks, impersonating IT help desk staff to trick employees into revealing their credentials or approving multi-factor authentication (MFA) prompts. (T1566.004 - Spearphishing Voice)
  3. Credential Access: Once credentials are obtained, the attackers log into the victim's Salesforce instance and other connected corporate applications. (T1078 - Valid Accounts)
  4. Exfiltration: The group exfiltrates large volumes of data, focusing on sensitive PII like Social Security numbers, driver's licenses, and dates of birth. (T1530 - Data from Cloud Storage Object)
  5. Impact: The stolen data is listed on a public leak site to pressure victims into paying a ransom. The group employs a double-extortion strategy, threatening to release the data if payment is not made. (T1657 - Financial Extortion)

Technical Analysis

While Salesforce denies any vulnerability in its platform, the attack highlights the persistent threat of identity-based attacks. The success of this campaign hinges on the exploitation of the human element rather than software flaws. The TTPs are consistent with Scattered Spider and Lapsus$, who are known for their expertise in social engineering and bypassing MFA.

This incident underscores that even secure cloud platforms like Salesforce can be compromised if the identities and credentials used to access them are stolen. The perimeter has shifted from the network to the user's identity.

Impact Assessment

The potential impact is massive, affecting 39 major global corporations and their customers. The alleged theft of one billion records containing sensitive PII could lead to widespread identity theft and fraud. For the affected companies, the consequences include:

  • Regulatory Fines: Significant penalties under regulations like GDPR and CCPA for failing to protect customer data.
  • Litigation: The threat actors have explicitly stated they will cooperate with law firms, opening the door to class-action lawsuits.
  • Reputational Damage: Being named on a public leak site causes immediate and lasting harm to a brand's reputation.
  • Financial Loss: Costs will include incident response, legal fees, customer notifications, credit monitoring for affected individuals, and potentially the ransom payment.

Cyber Observables for Detection

Detection of this activity focuses on identity and access management logs and user behavior analytics.

  • Type: log_source. Value: Salesforce Event Monitoring Logs. Description: Look for logins from unfamiliar IP addresses, locations, or user agents, especially for privileged accounts.
  • Type: log_source. Value: VPN & IdP Logs. Description: Correlate logins with help desk ticket activity. A flurry of password resets or MFA changes for a user followed by a successful login from an anomalous location is a major red flag.
  • Type: command_line_pattern. Value: helpdesk, support, IT. Description: Monitor internal communications (e.g., Slack, Teams) for employees reporting suspicious calls from individuals claiming to be from IT support.
  • Type: api_endpoint. Value: Salesforce API endpoints. Description: Monitor for unusually large data export API calls, which could indicate mass data exfiltration.

Detection & Response

Defending against this requires a focus on identity security and employee awareness.

Detection Strategies

  1. Identity Analytics: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous login patterns. This aligns with D3FEND's User Geolocation Logon Pattern Analysis.
  2. MFA Monitoring: Monitor for and alert on

Timeline of Events

  1. October 5, 2025: The 'Scattered Lapsus$ Hunters' data leak site appears online over the weekend.
  2. October 7, 2025: This article was published.
  3. October 10, 2025: Deadline set by the threat actors for victims to begin ransom negotiations.

Article Updates

October 8, 2025

Salesforce refuses ransom; new details reveal attacks used malicious Data Loader app via vishing and compromised OAuth tokens from Salesloft's Drift integration.

MITRE ATT&CK Mitigations

Train employees, especially IT help desk staff, to recognize and resist social engineering and vishing attempts.

Implement phishing-resistant MFA, such as FIDO2 security keys, to prevent credential theft and MFA fatigue attacks.

Strictly control and monitor privileged access to critical platforms like Salesforce, using just-in-time access principles.

Use UEBA and identity threat detection and response (ITDR) solutions to identify anomalous user behavior indicative of an account takeover.

D3FEND Defensive Countermeasures

To directly counter the vishing and credential theft TTPs used by groups like Scattered Spider and Lapsus$, organizations must deploy phishing-resistant Multi-Factor Authentication (MFA). Standard push-based or OTP-based MFA is vulnerable to MFA fatigue and interception. The recommended solution is to implement FIDO2/WebAuthn-based authenticators, such as hardware security keys (e.g., YubiKey) or platform authenticators (e.g., Windows Hello, Face ID). This should be mandated for all users, but especially for privileged accounts, administrators, and IT help desk staff who are primary targets. By binding the authentication secret to a physical device, phishing-resistant MFA makes it nearly impossible for an attacker to complete the login process even if they have stolen the user's password through a vishing call. This shifts the security posture from relying on user vigilance to a technically enforced control.

Implement a User Behavior Analysis (UBA) or Identity Threat Detection and Response (ITDR) solution to detect post-compromise activity. Since the initial access relies on stolen credentials, detecting the attack requires identifying anomalous behavior. The UBA system should be configured to baseline normal user activity within Salesforce and other critical applications. It must alert on deviations such as logins from impossible-travel scenarios, access from unfamiliar devices or ASNs, unusual data access patterns (e.g., a sales account suddenly downloading massive reports), or privilege escalations. For this specific threat, create high-severity alerts for any successful login that follows a rapid series of MFA denials or a recent password reset initiated by the help desk. This provides a critical detection layer that can flag a compromised account before mass data exfiltration occurs.
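The correlation logic that the observables section and the UBA paragraph above describe (help-desk reset followed by a login from an unfamiliar location, a burst of MFA denials followed by a successful login, and an oversized data export) can be expressed as a small rule set. The following is an added example written for this page; it is not code from the article, from Salesforce, or from any UEBA product. It assumes a simplified, vendor-neutral event schema (ts, user, kind, plus kind-specific fields), a constructed location baseline, constructed sample events, and illustrative thresholds; real IdP and Salesforce Event Monitoring logs carry the same information under their own field names and would need a mapping step first.

```python
"""Correlation rules for help-desk-assisted account takeover followed by mass export.

Added example for this article; event schema, thresholds, baseline and sample
events are all assumptions constructed for illustration, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune against your own baseline).
RESET_WINDOW = timedelta(hours=2)      # help-desk reset -> suspicious login window
MFA_DENY_WINDOW = timedelta(minutes=10)
MFA_DENY_COUNT = 3                     # denials before a success = MFA fatigue pattern
EXPORT_ROW_THRESHOLD = 100_000         # rows in a single export API call

# Constructed baseline of (country, ASN) pairs each user normally logs in from.
KNOWN_LOCATIONS = {"alice": {("US", 7018)}, "bob": {("US", 7018)}}
PRIVILEGED = {"alice"}                 # e.g. Salesforce admins, report/export roles

# Constructed sample events in the assumed schema (not real log data).
SAMPLE_EVENTS = [
    # bob: a normal day, should produce no alerts
    {"ts": "2025-10-04T08:30:00", "user": "bob", "kind": "login_success", "country": "US", "asn": 7018},
    {"ts": "2025-10-04T08:45:00", "user": "bob", "kind": "api_export", "rows": 1200},
    # alice: help desk resets password after a "support" call, MFA push spam,
    # then a login from a new ASN and a mass export
    {"ts": "2025-10-04T10:00:00", "user": "alice", "kind": "helpdesk_password_reset", "ticket": "HD-0000"},
    {"ts": "2025-10-04T10:12:00", "user": "alice", "kind": "mfa_denied"},
    {"ts": "2025-10-04T10:13:00", "user": "alice", "kind": "mfa_denied"},
    {"ts": "2025-10-04T10:14:00", "user": "alice", "kind": "mfa_denied"},
    {"ts": "2025-10-04T10:15:00", "user": "alice", "kind": "login_success", "country": "US", "asn": 14061},
    {"ts": "2025-10-04T10:40:00", "user": "alice", "kind": "api_export", "rows": 2_500_000},
]


def alert(severity, rule, user, ts, detail):
    """Build one alert record; a real pipeline would forward this to the SIEM."""
    return {"severity": severity, "rule": rule, "user": user, "ts": ts.isoformat(), "detail": detail}


def correlate(events, known_locations=KNOWN_LOCATIONS, privileged=PRIVILEGED):
    """Run the correlation rules over time-ordered events and return the alerts raised.

    Rules:
      mfa_fatigue_then_login             HIGH   >= MFA_DENY_COUNT denials shortly before a success
      helpdesk_reset_then_anomalous_login HIGH  unfamiliar (country, ASN) within RESET_WINDOW of a reset
      anomalous_login_privileged         MEDIUM unfamiliar location for a privileged user, no reset
      mass_export                        MEDIUM oversized export; HIGH if the user was already flagged
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    history = defaultdict(list)  # user -> [(timestamp, kind), ...] seen so far
    flagged = set()              # users with a HIGH identity alert in this run

    for e in events:
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["kind"]
        seen = history[user]
        if kind == "login_success":
            loc = (e["country"], e["asn"])
            unfamiliar = loc not in known_locations.get(user, set())
            denials = [t for t, k in seen if k == "mfa_denied" and ts - t <= MFA_DENY_WINDOW]
            resets = [t for t, k in seen
                      if k in ("helpdesk_password_reset", "mfa_reset") and ts - t <= RESET_WINDOW]
            if len(denials) >= MFA_DENY_COUNT:
                alerts.append(alert("HIGH", "mfa_fatigue_then_login", user, ts,
                                    f"{len(denials)} MFA denials in the preceding window"))
                flagged.add(user)
            if unfamiliar and resets:
                alerts.append(alert("HIGH", "helpdesk_reset_then_anomalous_login", user, ts,
                                    f"login from {loc} within {RESET_WINDOW} of a help-desk reset"))
                flagged.add(user)
            elif unfamiliar and user in privileged:
                alerts.append(alert("MEDIUM", "anomalous_login_privileged", user, ts,
                                    f"login from new location {loc}"))
        elif kind == "api_export" and e["rows"] >= EXPORT_ROW_THRESHOLD:
            severity = "HIGH" if user in flagged else "MEDIUM"
            alerts.append(alert(severity, "mass_export", user, ts, f"{e['rows']} rows exported"))
        seen.append((ts, kind))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} user={a['user']} at {a['ts']}: {a['detail']}")
```

The export rule deliberately escalates rather than fires on its own: a large export by an account that already tripped an identity rule is the sequence the article describes, while a large export by an unflagged analyst is routine and only merits a medium-severity ticket. Keying the baseline on (country, ASN) rather than raw IP keeps the rule stable across DHCP churn while still catching a login from a hosting provider the user has never used.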

Harden the configuration of the Salesforce instance to limit the potential blast radius of a compromised account. This involves applying the principle of least privilege to all user roles. Review and restrict data export permissions, ensuring that only specific, designated roles can perform mass data exports. Implement session management controls, such as short session timeouts and IP range restrictions for sensitive profiles. Configure alerts within Salesforce Shield or a similar tool to trigger on large data exports or report generation. While Salesforce stated its platform was not vulnerable, securing the customer-side configuration is a shared responsibility. This hardening makes it more difficult for an attacker using a stolen credential to quickly and quietly exfiltrate the massive amounts of data claimed by Scattered Lapsus$ Hunters.

Sources & References (when first published)

  • "Hackers launch data leak site to extort 39 victims, or Salesforce", Help Net Security (helpnetsecurity.com), October 6, 2025
  • "Scattered Lapsus$ Hunters Extorts Victims, Demands Salesforce Negotiate", Security Boulevard (securityboulevard.com), October 6, 2025
  • "New Scattered Lapsus$ Hunters escalates Salesforce extortion", SC Magazine (scmagazine.com), October 6, 2025
  • "Salesforce Data Breach", Wilshire Law Firm (wilshirelawfirm.com), October 6, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Extortion, Data Leak, Salesforce, Scattered Spider, Lapsus$, Vishing, Social Engineering
