Hackers threaten Salesforce: pay up or over 700 companies’ data will be exposed


The hacking conglomerate, which is believed to be responsible for attacks against Salesforce instances via Salesloft integrations, has posted ransom demands. It’s threatening to release data from over 700 major companies, including Google, FedEx, UPS, Toyota, Stellantis, Adidas, Disney, Home Depot, and many others, unless it gets paid. Salesforce is aware of the extortion attempts and says they relate to past or unsubstantiated incidents.

A threat actor calling itself “Scattered LAPSUS$ Hunters” (LPH), a conglomerate of three previously separate cybercrime gangs, has issued massive demands directed at Salesforce.

“This message serves as formal notification that Salesforce, Inc. has been hacked by us and faced a major information security breach,” reads the post on the newly created data leak site (DLS) on the dark web.

The hackers didn’t specify the sum they expect.

“Contact us to negotiate this ransom, or all your customers’ data will be leaked.”

The new DLS lists dozens of major global companies, and the hackers are threatening to release around 1 billion records with personally identifiable information.

The massive claims are likely exaggerated to gain additional attention and promote the gang’s new leak site and Telegram channel. LPH had its previous accounts blocked, and two gang members were arrested by law enforcement. This was followed by an abrupt announcement of its retirement, which was expected to be fake.

The now-unretired cybercriminals set October 10th, 2025, as the deadline for Salesforce to “proceed into the right decision.”

“Failure to meet these demands will ultimately have us release all of the compromised data, and you will be dealing with the escalation of all consequences described above. Because you had no preventive measures in place, you will be dealing with them a lot.”

Cybernews has already extensively reported on hackers raiding numerous Salesforce instances by abusing compromised authentication tokens from the third-party AI marketing tool, Salesloft Drift. An investigation revealed that the hackers initially gained access to Salesloft’s GitHub account.

The data leak site lists only a few of the affected companies. The LPH gang also claims to have dumped over 100 other unnamed instances from Salesforce. It accuses the company of not enforcing two-factor authentication (2FA) or any other type of OAuth security.

The new post on a fresh Telegram account claims that LPH possesses 1,563 billion records from 760 companies. The data allegedly includes 254 million accounts and 579 million records of contact information from a similar number of users.

Since the previous Salesloft data breaches were already disclosed by dozens of companies, it is likely that threat actors retain massive amounts of stolen data.

However, Cybernews researchers didn’t find any hard evidence of the claims on the DLS, as no sample files were provided.

The largest companies listed by hackers on their site that could be affected by the alleged leak include Alphabet Inc. (Google AdSense), with a market capitalization of $3 trillion, Home Depot ($393 billion), Toyota Motor Corporation ($250 billion), Cisco ($270 billion), and The Walt Disney Company ($201 billion).

Court records show that Salesforce has been sued at least 14 times over the data thefts in the Northern California District Court this September alone. At least 23 plaintiffs argue that Salesforce, which manages extensive amounts of corporate data, should have better secured its platform.

The hackers threaten to assist law firms, contact affected companies and individuals, and publish technical evidence of Salesforce’s alleged negligence, unless the ransom is paid.

Cybernews has reached out to Salesforce for comment and will include its response.

Salesforce confirmed in a new security advisory that it is aware of the recent extortion attempts by the threat actors.

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Salesforce said. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

The company continues to monitor the situation and encourages customers to remain vigilant against likely phishing and social engineering attempts.

“We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.”

The company also shared a blog post with guidance on how to protect against social engineering.

Google’s Mandiant team released an independent analysis on the threat actor, providing hardening recommendations.

Updated on October 3rd [04:00 p.m. GMT] with additional information from Salesforce.

