Hackers Claim Theft of 1 Billion Salesforce Records in UK Retail Cyberattacks

Nearly 1 Billion Records Allegedly Stolen From Salesforce Environments

The420 Web Desk

A shadowy cybercriminal collective calling itself Scattered LAPSUS$ Hunters claims to have stolen nearly one billion customer records from global cloud giant Salesforce, escalating fears over supply chain attacks targeting major corporations.

While Salesforce has strongly denied any breach of its systems, the hackers allege they gained access by exploiting retail companies that use Salesforce’s software, including Marks & Spencer, Co-op, and Jaguar Land Rover, all of which were hit by ransomware attacks earlier this year.

Salesforce Denies Breach, Points to Customer Targeting

In a statement to Reuters, Salesforce stressed that its own infrastructure remains secure.

“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a company spokesperson said.

Instead, attackers appear to have used “vishing” tactics—voice phishing calls to IT help desks—convincing employees to grant access to Salesforce-linked tools and environments. The hackers reportedly leveraged Salesforce’s proprietary Data Loader tool, modified to siphon bulk data once installed on compromised systems.

A Dark Web Leak and a Web of Victims

On Friday, Scattered LAPSUS$ Hunters launched a dark web leak portal listing around 40 companies it claimed to have infiltrated. The group provided no public ransom demands, and both Salesforce and the hackers declined to say if negotiations were underway.

The leak raises concerns about whether the stolen data includes personally identifiable information (PII) of millions of customers. Security experts warn that such records can fuel identity theft, fraud, and large-scale phishing campaigns.

Google’s Threat Intelligence Group (GTIG) tracks the collective under the codename “UNC6040”, noting their ability to trick employees into compromising their own environments. Investigators say the group’s infrastructure resembles networks tied to “The Com”, a loosely organized global cybercriminal ecosystem known for fraud and, in some cases, violent crimes.

The revelations follow July 2025 arrests in Britain, where four individuals under 21 were detained in connection with ransomware attacks on UK retailers. Authorities believe the group remains active despite those arrests, pointing to the decentralized nature of modern cybercrime gangs.

A Larger Pattern of Retail Sector Threats

Cybersecurity analysts say the claims against Salesforce highlight a broader vulnerability: multinational companies’ reliance on third-party cloud services. By targeting users instead of vendors directly, attackers can bypass advanced security defenses at the platform level.

Retailers, which store massive amounts of consumer and payment data, remain particularly attractive targets. Experts warn that without strong authentication, employee training, and incident response, vishing and data exfiltration campaigns will continue to proliferate.

The alleged theft of one billion Salesforce records marks one of the boldest claims yet by the Scattered LAPSUS$ Hunters. While Salesforce insists its systems remain uncompromised, the case underscores the persistent risks of social engineering and third-party attacks in an era where cloud platforms underpin global commerce.
