Reza Rafati

Hackers Claim Theft of Nearly One Billion Salesforce Records in Supply-Chain Attack

Scattered LAPSUS$ Hunters target client organizations with altered tools

A hacker group claiming to have stolen nearly one billion Salesforce records from client organizations has launched an extortion campaign, highlighting the risks of supply-chain compromise in cloud services and raising concerns about global data security.

How the Campaign Unfolded

The group, calling itself Scattered LAPSUS$ Hunters, said it infiltrated Salesforce environments not by breaching the company itself, but by targeting its client organizations. According to Reuters, attackers used vishing — phone-based social engineering — to trick IT staff into installing a modified version of Salesforce’s Data Loader tool.

This tampered utility then allowed attackers to siphon large volumes of customer records from organizations that relied on Salesforce’s platform. Early claims suggest that records spanning personal data, transaction histories, and business operations may have been extracted over weeks before the breach was publicly disclosed.

Scale of the Theft

The group published a list of nearly 40 victim organizations on a leak site, naming targets in retail, automotive, and logistics sectors. Google’s Threat Analysis Group confirmed that UNC6040 — a cluster it tracks — overlaps with Scattered LAPSUS$ Hunters and is linked to past activity by criminal coalitions sometimes called “The Com.”

Salesforce itself stated there was “no indication” of any compromise to its core infrastructure. The company emphasized that the incidents stemmed from abuses within client environments, a distinction that highlights the layered risks of shared platforms.

Victim Overview

While the full scope is still emerging, the following sectors have been identified by researchers as most affected:

| Sector | Examples of Impacted Companies | Notes |
| --- | --- | --- |
| Retail | Multiple multinational brands | Customer loyalty records exposed |
| Automotive | Global manufacturers, including suppliers | Sales pipeline and dealer data affected |
| Logistics | Regional carriers | Shipment and route data potentially stolen |

Tactics and Attribution

The tactics used — heavy reliance on social engineering combined with altered administrative tools — resemble earlier campaigns by Lapsus$ and ShinyHunters. Analysts noted that overlapping members may have consolidated into Scattered LAPSUS$ Hunters, building on prior breaches of Okta, Uber, and other high-profile firms.

The group also mirrored methods employed by Scattered Spider, which in 2023 targeted Okta customers through IT service desk manipulation. Security experts believe this evolving overlap reflects either a coalition or skill-sharing among established cybercrime actors.

Ripple Effects of Cloud-Linked Compromise

This incident illustrates the downstream risk of supply-chain dependency in cloud ecosystems. When a widely used, trusted tool like Salesforce’s Data Loader is tampered with and installed under false pretenses, it creates a multiplier effect, spreading exposure across multiple industries simultaneously.

The case parallels the recent airport ransomware disruptions, where a single supplier failure cascaded into widespread chaos. In both scenarios, attackers focused on chokepoints where many organizations depend on shared infrastructure or software.

Escalating Data Leak Campaigns

The stolen Salesforce records are now reportedly tied to a new data leak initiative branded as the “Trinity of Chaos,” linking groups such as ShinyHunters and Scattered Spider. According to Security Affairs, the campaign has begun publishing sample data to pressure victims into payment.

The extortion model mirrors previous ransomware trends, but instead of encrypting systems, attackers threaten public exposure of sensitive records. This method reduces technical complexity while maintaining high leverage over targeted companies.

European Relevance

The timing also underscores Europe’s rising concerns over foreign cyber operations. Only days earlier, Ukraine arrested Chinese nationals in connection with espionage targeting military technology, while German courts sentenced a China-linked aide for intelligence activities.

These cases, alongside the Salesforce theft, highlight how both state-aligned and criminal actors are accelerating campaigns aimed at extracting strategic or economic advantage.

Statistics and Early Estimates

Preliminary assessments suggest:

  • Nearly 1 billion records claimed stolen, though independent verification is ongoing.
  • At least 39 companies listed on extortion leak sites.
  • More than 12 terabytes of data referenced in hacker communications.

If validated, this would represent one of the largest cloud-linked data compromises to date.

Industry and Regulatory Response

Salesforce has urged clients to strengthen multi-factor authentication and review access logs for suspicious use of the Data Loader tool. Meanwhile, European regulators are expected to scrutinize whether impacted firms failed to implement adequate safeguards under GDPR.
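The log review Salesforce recommends can be automated. The following is an added example (not code from Salesforce or from this article) that scans an exported API event log for Data Loader activity by users outside an approved list, or exceeding a daily row volume; the column names are assumptions modelled on Salesforce's API event log type, and the log lines and allow-list are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of a Salesforce "API" event log export.
# Column names are assumptions; align them with the header of your own export.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
API,2025-10-01T08:02:11Z,ops@example.com,Data Loader,Account,500,203.0.113.10
API,2025-10-01T08:05:40Z,ops@example.com,Data Loader,Contact,500,203.0.113.10
API,2025-10-01T22:14:03Z,helpdesk@example.com,Data Loader,Contact,10000,198.51.100.77
API,2025-10-01T22:15:09Z,helpdesk@example.com,Data Loader,Lead,10000,198.51.100.77
API,2025-10-01T22:16:30Z,helpdesk@example.com,Data Loader,Opportunity,10000,198.51.100.77
API,2025-10-01T09:30:00Z,sales@example.com,Salesforce for Outlook,Contact,20,203.0.113.10
"""

KNOWN_LOADER_USERS = {"ops@example.com"}  # constructed allow-list of approved Data Loader operators
ROW_THRESHOLD = 5000                       # rows per user in one export before an alert is raised


def find_suspicious_loader_use(log_text, known_users=KNOWN_LOADER_USERS, threshold=ROW_THRESHOLD):
    """Return {user: [reasons]} for Data Loader activity that warrants review.

    Two signals are combined: a user who is not on the approved operator list,
    and a user whose summed ROWS_PROCESSED across objects exceeds the threshold.
    """
    per_user_rows = defaultdict(int)
    per_user_objects = defaultdict(set)
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only API calls whose client string identifies Data Loader are relevant.
        if row["EVENT_TYPE"] != "API" or "Data Loader" not in row["CLIENT_NAME"]:
            continue
        user = row["USER_NAME"]
        per_user_rows[user] += int(row["ROWS_PROCESSED"])
        per_user_objects[user].add(row["ENTITY_NAME"])
        if user not in known_users and "unapproved user" not in findings[user]:
            findings[user].append("unapproved user")
    for user, rows in per_user_rows.items():
        if rows > threshold:
            objects = sorted(per_user_objects[user])
            findings[user].append(f"bulk volume {rows} rows across {objects}")
    return dict(findings)
```

Run against a real export, the returned map is the list of accounts whose Data Loader sessions should be verified with the user before the credentials are rotated.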

Legal experts say fines could be severe if consumer data exposure is confirmed. Past GDPR cases have seen penalties of up to 4% of annual global turnover, depending on the scale and negligence found.

Looking Forward

The Salesforce records theft demonstrates how cybercrime groups continue to adapt, exploiting weak points not in platforms themselves but in how organizations use them. By weaponizing trust in legitimate tools, attackers bypass traditional defenses and achieve scale at unprecedented speed.

For companies worldwide, the incident reinforces the reality that data security risks extend beyond internal networks — and into every dependency linked to shared platforms and third-party ecosystems.