Summary Points
- The hacker group "Scattered LAPSUS$ Hunters" has launched a dark web site claiming to hold nearly one billion Salesforce customer records and has initiated a blackmail campaign with a ransom deadline of October 10, 2025.
- They exploit security weaknesses, such as weak two-factor authentication and OAuth flaws, to gain access to more than 100 Salesforce instances and to other high-profile companies such as Toyota, Disney, McDonald’s, and IKEA.
- Their tactics rely on sophisticated social engineering, notably vishing calls that trick employees into authorizing OAuth tokens for malicious applications; the resulting tokens give persistent access and enable mass data theft, and the group’s focus has shifted from ransomware to extortion through data leaks.
- Despite a claimed "farewell" message, experts believe the group has merely rebranded and continues to threaten large-scale data leaks, most recently claiming to have stolen 1.5 billion records from 760 companies, which underscores the ongoing cybercrime risk.
The Core Issue
A notorious cybercrime coalition known as Scattered LAPSUS$ Hunters—comprising members from infamous hacking groups like ShinyHunters, Lapsus$, and Scattered Spider—has launched a new, highly concerning data leak site on the dark web, claiming to hold nearly one billion stolen records from Salesforce customers. This group has orchestrated a large-scale blackmail campaign threatening to release sensitive information from major companies such as Toyota, FedEx, Disney, McDonald’s, and IKEA if their ransom demands are not met by October 10, 2025. Their attack strategy involved sophisticated social engineering methods, primarily vishing campaigns where they impersonated IT support staff to trick employees into authorizing malicious applications. These actions allowed them to hijack OAuth tokens, bypass multi-factor authentication protections, and exfiltrate vast amounts of CRM data—highlighting a troubling evolution from traditional ransomware to data theft and extortion, with severe risks including reputational damage, regulatory fines, and loss of customer trust.
The attackers’ motives and methods are widely reported by cybersecurity experts who trace the rise of this coalition to a series of major breaches in 2025, targeting high-profile corporations globally. By exploiting security flaws like weak 2FA and OAuth protections, they have compromised thousands of Salesforce instances, stealing over 1.5 billion records from more than 760 companies in total. Their strategy hinges on releasing fragments of stolen data as proof, using this leverage to pressure victims into paying ransoms and avoiding complete exposure. Despite claims of their departure or rebranding, specialists believe the threat remains persistent, emphasizing that the group’s focus on data extortion signifies a dangerous shift in cybercriminal tactics, with potentially devastating repercussions for affected organizations across various sectors.
Risk Summary
The cyber threat posed by the coalition known as Scattered LAPSUS$ Hunters represents a profound evolution in cybercrime. The group primarily targets high-profile corporations and has compromised nearly one billion Salesforce records through social engineering and technical exploits such as vishing, OAuth token theft, and the exploitation of security lapses like weak two-factor authentication. Its modus operandi centers on large-scale data exfiltration and extortion rather than system disruption, which escalates the risk to corporate reputation, regulatory exposure, and customer trust: the group threatens to publish massive sensitive datasets, potentially devastating if released, unless its October 2025 ransom deadline is met. Its focus on privileged access via third-party integrations shows how cybercriminal alliances with diverse hacking expertise can orchestrate complex, persistent campaigns that monetize breaches. This underscores the critical need for robust security measures, constant vigilance, and proactive threat detection to limit the group’s expanding operational footprint and to reduce the severe societal, economic, and reputational impact of such targeted data breaches.
Possible Remediation Steps
In the ever-changing landscape of cybersecurity threats, prompt remediation is essential to minimize damage, protect sensitive data, and maintain trust. Addressing vulnerabilities quickly ensures organizations can prevent further exploitation and reduce potential financial or reputational losses.
Mitigation Strategies:
- Immediate Assessment: Conduct a rapid security review to identify affected systems and the scope of the breach.
- Patch Deployment: Apply critical security patches or updates to fix vulnerabilities exploited by LAPSUS$ hackers.
- Enhanced Monitoring: Increase surveillance of network activity to detect unusual behavior indicative of unauthorized access.
- Access Control: Restrict privileges and enforce multi-factor authentication to prevent lateral movement within networks.
- Credential Reset: Change compromised passwords and implement stronger authentication protocols.
- User Training: Educate staff on recognizing phishing attempts and security best practices to prevent further infiltration.
- Incident Response Plan: Activate the organization’s breach response plan to coordinate efforts effectively.
- Collaboration and Reporting: Share breach details with the cybersecurity community and authorities to facilitate broader threat mitigation efforts.
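The vishing-to-OAuth chain described above leaves a recognizable trace: an employee consents to a connected app, and that app immediately starts pulling records in bulk. The following detector is an added example written for this page, not code from the original page or from Salesforce; the event schema, field names, sample events and thresholds are constructed assumptions, not Salesforce's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Salesforce logs). Each tuple is
# (timestamp, user, event_type, connected_app, records_returned).
# "alice" is the vishing victim: she authorizes an app and it drains data.
# "bob" authorizes a legitimate app whose small pull comes hours later.
# "carol" uses an app authorized long before this log window starts.
SAMPLE_EVENTS = [
    ("2025-09-30T09:00:00", "alice", "OAUTH_AUTHORIZE", "Sales Reports Pro", 0),
    ("2025-09-30T09:01:00", "alice", "API_QUERY", "Sales Reports Pro", 250000),
    ("2025-09-30T09:04:00", "alice", "API_QUERY", "Sales Reports Pro", 300000),
    ("2025-09-30T10:00:00", "bob", "OAUTH_AUTHORIZE", "Data Loader", 0),
    ("2025-09-30T14:00:00", "bob", "API_QUERY", "Data Loader", 1200),
    ("2025-09-30T11:00:00", "carol", "API_QUERY", "Data Loader", 900000),
]

WINDOW = timedelta(hours=1)  # assumed: bulk pulls this soon after consent are suspicious
THRESHOLD = 100_000          # assumed: records pulled inside WINDOW that trigger an alert


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_consent_then_bulk_pull(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, app, records) for every user/app pair where an OAuth
    consent is followed within `window` by API queries whose summed record
    count exceeds `threshold`. Queries outside the window, or by apps with no
    consent event in the log, are ignored by this rule."""
    consents = {}  # (user, app) -> time the app was authorized
    pulled = {}    # (user, app) -> records returned inside the window
    for ts, user, kind, app, records in sorted(events, key=lambda e: e[0]):
        key = (user, app)
        when = parse_ts(ts)
        if kind == "OAUTH_AUTHORIZE":
            consents[key] = when
            pulled[key] = 0
        elif kind == "API_QUERY" and key in consents:
            if when - consents[key] <= window:
                pulled[key] += records
    return [(u, a, n) for (u, a), n in pulled.items() if n > threshold]


if __name__ == "__main__":
    for user, app, records in find_consent_then_bulk_pull(SAMPLE_EVENTS):
        print(f"ALERT: {user} authorized '{app}' and it pulled {records} records within {WINDOW}")
```

The rule deliberately keys on the consent event rather than on volume alone, so the same logic can be pointed at whichever audit feed records connected-app authorizations in your environment.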
