- Scattered Lapsus$ Hunters launch data leak site to pressure victims into ransom negotiations
- Attackers exploited Salesloft’s Drift app to access Salesforce customer data, not Salesforce itself
- Victims include Cloudflare, Zscaler, Tenable; Salesforce denies platform compromise or active vulnerabilities
Scattered Lapsus$ Hunters, a team-up of infamous hacking groups Scattered Spider, Lapsus$, and Shiny Hunters, has apparently created a standalone data leak and extortion page in order to pressure its victims into paying their ransom demands.
Earlier in 2025, news broke that the attackers managed to breach a third-party app – Salesloft’s Drift integration – and steal OAuth and refresh tokens. Then, they used the tokens to call the app customers’ Salesforce APIs and exfiltrate data such as customer contact records, case objects, and similar. Salesforce itself was not breached, but the data hosted by the clients was nabbed anyway.
The list of attacked organizations is quite extensive and includes a number of heavy hitters such as Cloudflare, Palo Alto Networks, Zscaler, Tenable, and others.
“unsubstantiated incidents”
Now, the threat actors are urging victims to reach out and negotiate a deal: “Contact us to regain control on data governance and prevent public disclosure of your data,” the announcement says. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”
Researchers fromTechCrunch, who claim to have seen the page late last week, say the list on the site misses a few names known to have been breached, and speculates some of the companies may have already paid the ransom demand.
The hackers, however, did not deny – or confirm – these speculations, telling the publication, “There are numerous other companies that have not been listed.”
Salesforce, on the other hand, seems unphased by the new development, with a spokesperson saying, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You might also like
- Salesforce platforms are being cracked open for data theft – FBI warns of UNC6040 and UNC6395 IOCs
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers
