FindArticles © 2025. All Rights Reserved.

Hackers Say They Stole a Billion Records from Salesforce Tenants

By Bill Thompson
Last updated: October 28, 2025 1:52 pm

A hacking group linked to earlier Lapsus$, Scattered Spider, and ShinyHunters activity said it has exfiltrated about a billion customer records from companies operating cloud databases hosted on Salesforce, launching a new extortion site on the dark web to pressure victims into paying. If true, the claim would represent one of the largest data thefts to date targeting customers of software-as-a-service providers.

Salesforce, in a statement provided by spokeswoman Nicole Aranda, said the company has “no indication” that its broader platform was subject to a compromise and characterized the extortion activity as linked to prior or unconfirmed events. Salesforce is helping customers who have been affected, the statement said. That distinction is important: In multi-tenant SaaS, attackers frequently breach customers’ identities, integrations, or data pipelines—rather than the provider’s underlying infrastructure.


A New Extortion Site Requires Negotiations

The group launched a leak portal called “Scattered LAPSUS$ Hunters,” embracing the same public shaming tactics favored by ransomware crews. The site requires contact and “verification” in advance of offering to suppress releases, an increasingly common playbook among data-theft schemes that eschew encryption and instead focus on publishing when the victim doesn’t pay.

The operators also called on Salesforce itself to act, posting a submission form on their site that urged employees to submit statements supporting the layoffs. It’s a high-profile gambit: Threat actors will occasionally attempt to pressure the platform into brokering discussions, even if the technical exposure resides in customer-controlled environments—like misconfigured databases, compromised credentials, or third-party integrations.

High-Profile Brands Report That Their Data Was Taken

In recent weeks, Allianz Life, Google, Kering, Qantas, Stellantis, and TransUnion have also confirmed that data associated with their organizations had been compromised in this campaign. The leak site also names FedEx, Hulu, and Toyota among its supposed targets; these companies have not publicly acknowledged the claims. In previous ShinyHunters campaigns, the group has mixed new compromises with older data points to exaggerate the apparent number of victims an event has produced, a trend investigators will analyze and likely question here.

Customer relationship management data can be especially sensitive. In addition to contact info, CRM records can contain account numbers, service logs, marketing opt-ins, loyalty program numbers, and support chat logs. When exposed at volume, this data powers targeted phishing, account takeover, identity theft, and business email compromise.

What Would Probably Go Wrong for Victims

Investigators have not released a conclusive intrusion vector. But recent campaigns using Scattered Spider–style tactics have relied heavily on social engineering of support desks, SIM swaps, abuse of recovery workflows, and MFA fatigue to take over legitimate sessions. In a SaaS world, compromised OAuth tokens, overprivileged API keys, and poorly scoped service accounts quite often become the literal keys to the kingdom.

Guidance from CISA and leading incident responders like Mandiant emphasizes a number of controls that help mitigate this class of attack:

  • Enforced phishing-resistant MFA
  • Hardware-backed keys for admins
  • Identity-based conditional access
  • Rigorous OAuth and connected-app reviews
  • IP allowlists for API-heavy integrations
  • Ongoing monitoring for abnormal exports

For Salesforce in particular, companies need to audit Connected Apps, revoke unused refresh tokens, rotate secrets, and verify that data access policies reflect least privilege.
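To make "ongoing monitoring for abnormal exports" and "IP allowlists for API-heavy integrations" concrete, here is an added example (not from the article or from any vendor) that baselines export volume per principal and connected app and flags spikes and unlisted source addresses. The event records, field names, app names, and thresholds are constructed assumptions; map them from whatever audit log your tenant provides.

```python
from collections import defaultdict
from statistics import median

# Constructed sample export events (not real data). Field names are hypothetical.
def ev(day, principal, app, ip, rows):
    return {"day": day, "principal": principal, "app": app, "ip": ip, "rows": rows}

EVENTS = (
    [ev(f"2025-10-0{d}", "svc-marketing", "mkt-sync", "203.0.113.10", r)
     for d, r in [(1, 1200), (2, 1100), (3, 1300), (4, 1250)]]
    + [ev(f"2025-10-0{d}", "j.doe", "report-ui", "192.0.2.5", r)
       for d, r in [(1, 300), (2, 280), (3, 310), (4, 290), (5, 320)]]
    # Same integration, new source address, far larger pull than its history.
    + [ev("2025-10-05", "svc-marketing", "mkt-sync", "198.51.100.77", 480000)]
)
# Only API integrations are pinned to source addresses; interactive apps are not.
ALLOWED_IPS = {"mkt-sync": {"203.0.113.10"}}

def find_abnormal_exports(events, allowed_ips, factor=10, min_history=3):
    """Return sorted (day, principal, app, reason) findings."""
    findings = set()
    per_pair = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_pair[(e["principal"], e["app"])][e["day"]] += e["rows"]
        # Rule 1: an allowlisted integration exporting from an unlisted address.
        if e["app"] in allowed_ips and e["ip"] not in allowed_ips[e["app"]]:
            findings.add((e["day"], e["principal"], e["app"], "ip-not-allowlisted"))
    # Rule 2: a day's rows exceed factor x the median of that pair's earlier days.
    for (principal, app), per_day in per_pair.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            # Too little history means no baseline, so no volume verdict yet.
            if len(history) >= min_history and per_day[day] > factor * median(history):
                findings.add((day, principal, app, "volume-spike"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_abnormal_exports(EVENTS, ALLOWED_IPS):
        print(finding)
```

Comparing each day only against earlier days keeps a large pull from inflating its own baseline, and the median keeps one past outlier from hiding the next.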


How Big Is a Billion Records in SaaS Data Breaches?

Headline numbers in data extortion usually mix individual people, row-level transactions, and repeated entries spread across multiple tenants. Even after accounting for duplicates, the value of CRM fields for social engineering means the risk could still be high. For context, the most recent mega-claims by criminal enterprises, such as hundreds of millions of records disclosed by payment and entertainment platforms, are reminders that high-quality, high-volume SaaS datasets can add up to enormous totals.

Analysts will seek corroboration from third-party breach notices and regulatory filings. In numerous jurisdictions, companies now have to share details about significant data exposures with regulators, who should be able to separate signal from noise over the next few weeks.

Salesforce’s Shared Responsibility Reality

That Salesforce has declared its platform free of compromise reflects the shared responsibility present in most cloud incidents. Providers own the infrastructure; both providers and customers own identity, data configuration, and third-party connections. That’s what makes CRM tenants so appealing: hijack a user or compromise an integration, and you can exfiltrate huge amounts of data through sanctioned channels without ringing typical malware alarms.

Enterprises that rely on a large partner ecosystem have to assume that an integrator or marketing platform could be a pivot point. Regular third-party risk reviews, token-scoped permissions, and export throttling can significantly limit the blast radius of any one compromised account or connector.

The Surge in Extortion-Only Cyberattacks on SaaS Data

Data theft and public shaming in the absence of encryption is now a major criminal pattern. Companies like Coveware have tracked an increase in these “exfiltration-only” attacks as criminals pursue predictability and speed over a more convoluted ransomware attack. In repeated reports over the years, Verizon has found that most breaches involve a human element. That is why attackers often opt for credential theft or social engineering to make their way into SaaS data.

The financial stakes are substantial. IBM’s Cost of a Data Breach study puts the average price of a breach in the millions, and response times for discovery and remediation are often measured in months. When the data set is a CRM backbone, downstream exposure (customer churn, legal claims, and regulatory scrutiny) can far exceed initial response costs.

Bottom line: Whether the “billion records” number ends up being substantiated or not, the campaign zeroes in on a long-standing reality when it comes to SaaS risk. Guard identities, restrain integrations, and watch what data leaves the house—or attackers will take the path of least resistance into your crown jewels.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.