Salesforce Cloud Data Breach: A Billion Records Exposed in Largest Extortion Attack Yet
A new hacking alliance—Scattered LAPSUS$ Hunters—claims to have stolen nearly a billion records from cloud databases hosted on Salesforce, targeting top brands like Allianz, Google, Kering, Qantas, Stellantis, TransUnion, and more. This blog explains how the attack worked, the evolution of extortion sites on the dark web, risks for business and consumers, and what you must do now to protect your data.
Cloud security is facing its most brazen challenge yet. A notorious, English-speaking hacking group—known as Lapsus$, Scattered Spider, and ShinyHunters—has launched a dark web extortion site and claims to have stolen about a billion records from databases hosted by Salesforce. Their leaked victims list reads like a who’s who of global business: Allianz Life, Google, Kering, Qantas, Stellantis, TransUnion, Workday, FedEx, Hulu, Toyota Motors, and more have been affected or threatened.
How Did the Attack Happen?
- The hackers breached dozens of high-profile companies by exploiting cloud database security gaps, focusing on customers using Salesforce’s hosted services.
- They’ve published a “data leak” website—Scattered LAPSUS$ Hunters—on the dark web to pressure victims into paying ransom before stolen information is released.
- Victims are told: “Contact us to regain control on data governance and prevent public disclosure.” This marks an evolution from private ransom requests to open, public extortion tactics.
Victims and Impact: Who’s Involved?
- Brands confirmed to be affected include Google, Allianz, Kering (Gucci parent), Qantas, Stellantis, TransUnion, Workday—with others listed but not commenting (FedEx, Hulu, Toyota Motors).
- The breach affects millions of customers, exposing sensitive data including contact info, personal records, and potentially payment histories.
- Some companies may have privately paid ransom; others have not commented. Salesforce itself has not responded officially to the hack claims.
Why Extortion Leaks Are So Dangerous
- “Leak sites” are now common among ransomware groups, evolving from encrypted data and private demands to wide-scale “public shaming.”
- Companies lose leverage if payment negotiations go public; customers face greater risk of identity theft and fraud.
- Many affected firms have cloud-based disaster recovery—making instant public disclosure a huge operational, legal, and reputational risk.
What Businesses & Individuals Must Do Now
- Review all cloud security configurations, especially for databases hosted by third-party providers like Salesforce.
- Monitor for suspicious communications and dark web mentions. Reset credentials, enable multi-factor authentication for all users.
- Immediate breach response: notify affected customers, strengthen incident communication plans, and work with cybersecurity teams on containment and recovery.
- Individuals should watch for phishing, fraud alerts, and potential misuse of compromised data—stay vigilant for months to come.
What Experts & Security Watchers Are Saying on X (Twitter):
🚨🚨🚨BREAKING - New data leak site by Scattered LAPSUS$ Hunters exposes Salesforce customers. Dozens of global companies involved in a large-scale extortion campaign.
— Hackmanac (@H4ckmanac) October 3, 2025
Scattered LAPSUS$ Hunters claims to have breached Salesforce, exfiltrating ~1B records.
They accuse Salesforce… pic.twitter.com/u2PAO7miyP
This breach redefines the scale and tactics of modern cybercrime, highlighting the need for aggressive cloud security, rapid detection, and smarter incident response—even for the largest enterprises.
Source: TechCrunch, October 3, 2025
What's Your Reaction?
