Hacking Group Claims Theft of 1 Billion Records from Salesforce Customer Database

A notorious, primarily English-speaking cybercrime group has claimed responsibility for stealing nearly one billion records from companies that store customer information on Salesforce’s cloud platform — and is now threatening to publish the data unless victims pay up.

The loosely organized collective — known by various aliases including Lapsus$, ShinyHunters, and Scattered Spider — has launched a dedicated extortion site on the dark web called “Scattered Lapsus$ Hunters.” The site, first discovered by threat intelligence researchers on Friday, is designed to pressure victims into paying ransom to prevent the release of stolen data.

A message on the site reads:

“Contact us to regain control of your data governance and prevent public disclosure of your information. Don’t become the next headline. All communications will require strict verification and will be handled discreetly.”

Over recent weeks, the ShinyHunters group has allegedly breached multiple high-profile companies by infiltrating cloud databases hosted on Salesforce. Confirmed victims include Allianz Life, Google, luxury fashion conglomerate Kering, Qantas Airways, auto giant Stellantis, credit bureau TransUnion, and workforce platform Workday, among others.

The leak site also names other alleged victims — including FedEx, Hulu (owned by Disney), and Toyota Motors — though none responded to requests for comment as of Friday.

It remains unclear whether any of the companies listed have paid the attackers to prevent data publication. A ShinyHunters representative claimed, “There are many more companies we haven’t listed,” but declined to explain why.

At the top of the leak site, the hackers explicitly call out Salesforce, demanding ransom negotiations and warning that “all your customers’ data will be leaked” if the company does not comply — a sign that Salesforce has yet to engage with the attackers.

Salesforce Response

Nicole Aranda, a Salesforce spokesperson, shared a company statement acknowledging “recent extortion attempts by threat actors.”

“Our findings indicate these attempts relate to past or unverified incidents, and we are actively working with affected customers to provide assistance,” the statement said. “At this time, there is no evidence that the Salesforce platform itself has been compromised, nor is this activity linked to any known vulnerability in our technology.”

Aranda declined to provide further comment.

Security researchers have long speculated that the group — which typically avoids public visibility — was preparing to launch an extortion site. Historically, such platforms have been associated with Russian-speaking ransomware syndicates. Over the past several years, these organized cybercrime groups have evolved from simply stealing or encrypting data and demanding private ransom payments to threatening public leaks of sensitive information if their demands are not met.
