Hackers Say They Have 1 Billion Records From 39 Companies

A prolific cyber extortion gang that has sown chaos around the world is threatening to release a fresh batch of documents, including what it said were one billion customer accounts belonging to “a big Western financial institution,” according to a source familiar with its communications. The recently formed group, which goes by the name Scattered LAPSUS$ Hunters, published on a dark web portal that it will release the information unless the victims, or a major software provider featured in the allegations, pay up.

Disney, McDonald’s, and Toyota are among the companies to have been listed in early victim lists being shared by the perpetrators, with data samples described as containing full names, email addresses, phone numbers, and in some cases, addresses and dates of birth. The posted snippets of code look legitimate, according to independent researcher Kevin Beaumont, although complete verification is ongoing.

A Salesforce Ecosystems Marketing Campaign from the Ground Up

The extortion demands line up with warnings from Google’s Mandiant unit about a broad wave of data theft targeting Salesforce customer environments. Investigators have linked aspects of the campaign to hacks of third-party software tools that plug into Salesforce, as firms like Salesloft and Drift do; such tools can serve as potent data connections if abused.

The FBI informed organizations that the actors were exfiltrating a significant amount of data in bulk prior to losing access, indicating that they may have been leveraging privileged tokens or accounts associated with certain capabilities running on these integrations. Attribution is fluid, but the pattern mirrors other recent enterprise breaches that have made identity, OAuth tokens, and app-to-app trust the new attack surface.

Salesforce said it is assessing the allegations with outside experts and “will take any and all corrective action that is necessary.” There’s no evidence its platform was breached, the company said, and the attempts look like they’re linked to former or unverified incidents. It advised customers to be watchful for phishing and social engineering—the very tactics Mandiant was seeing, including help desk impersonation, MFA fatigue, and rushed token abuse.

Who Are Scattered LAPSUS$ Hunters, the New Extortion Gang?

The selected name refers to three infamous groups: Scattered Spider, LAPSUS$, and ShinyHunters. It probably intends to foster brand recognition rather than clear crediting. Scattered Spider has been associated with ruinous social engineering campaigns against casinos and tech companies; LAPSUS$ famously targeted identity providers and software makers through SIM swaps and insider recruitment; ShinyHunters has a lengthy history of leaking vast amounts of data for clout and profit.

Members affiliated with these brands have been arrested by law enforcement over the years, but methods—rapid social engineering, cloud identity pivots, and data-theft-first extortion—are widely copied. The current operation also relies on a new pressure tactic: threatening to “cooperate” with plaintiffs’ attorneys and regulators if payment is denied, turning legal and compliance exposure into leverage.

Scale, Stakes, and the Critical Human Element

One billion records is the attention-grabbing headline, but the operational risk stems from its composition: contact details with which to supercharge phishing attacks, password reset attempts, and further their identity graphs.

The human element has consistently figured into the majority of breaches, according to the Verizon Data Breach Investigations Report, and 2024’s edition attributed it to about two-thirds of cases—a sign that social engineering remains the most reliable entry door into an enterprise.

The financial stakes are rising. The latest Cost of a Data Breach report from IBM sets the average global breach cost at approximately $4.88 million, and figures in excess of that for regulated industries and events involving cloud deployments. For multinationals with clients in Europe, privacy regulators also have the power to impose hefty fines under GDPR, and class-action exposure in the U.S. is already priced in as a routine part of incident calculus—especially when hackers announce plans to alert law firms and watchdogs.

How the Intrusions Probably Worked Across Apps

According to advisories and previous case studies, the playbook seems to have revolved around support workflows and third-party SaaS integrations. Attackers pretend to be IT, fool an employee into resetting MFA or approving file access, then use OAuth or API permissions to exfiltrate data at scale. If footholds have already been established inside a consolidated app, the pivot to linked CRM environments may be rapid—particularly if security tokens are not restricted, logs are noisy, and data export rate limits are loose.

It’s not so much about zero-day exploits but the abuse of trust chains and identity sprawl. The transition from ransomware encryption to pure data theft additionally allows attackers to move more quickly and avoid the operational overhead and noise that encryption generates.

What Companies and Users Need to Do Right Now

Organizations with Salesforce, or in its orbit, should start by conducting a review of connected apps and revoking unused OAuth tokens, rotating API keys, and escalating to least privilege on export scopes. Fast-track phishing-resistant MFA (for example, FIDO2), strengthen help desk UCAC verification, and high-fidelity alerting on mass export of data and anomalous API behavior. If samples include your data, develop notices and collaborate with attorneys and regulators, directing incident responders to confirm scope and timing.

Those connected to the impacted brands should also consider that targeted phishing is coming—it’s just a question of when. Reset your passwords, turn on two-factor authentication everywhere you can, and think about credit freezes where appropriate. Don’t trust support-themed messages or calls, especially if they warn about urgent refunds, order problems, or account resets.

The Bigger Picture: Why Integrations Raise New Risks

But even if the final 39-company tally proves accurate, this campaign highlights a structural vulnerability: the very same integrations that make modern sales and support stacks so powerful also make them tempting targets for attackers. As long as identity workflows, third-party scopes, and data minimization are not treated with the same level of paranoia as perimeter defenses, adversaries will continue to take that path of least resistance—like jumping from one trusted entity to another using nothing more than people, tokens, and approved apps.