Despite multiple arrests and talk of retirement, Scattered LAPSUS$ Hunters has reemerged with a data-leak site listing 39 companies’ Salesforce environments, demanding payment to prevent what they claim is roughly 1 billion stolen records from being published online.
The group published a dedicated data leak site on the dark web on October 3, 2025, aiming to pressure victims into paying to avoid having their stolen data published online. The list reads like a who’s who of major corporations: Qantas, Toyota, Walgreens, Adidas, FedEx, Disney, Home Depot, Marriott, Google, Cisco, UPS, McDonald’s, Gap, IKEA, Air France, TransUnion, and luxury brands including Louis Vuitton, Dior, Chanel, and Tiffany & Co.
The gang set an October 10 deadline for Salesforce to negotiate a payment, warning that otherwise “all your customers’ data will be leaked”.
Who Is Scattered LAPSUS$ Hunters?
This isn’t a new group, but rather an apparent combination of the Scattered Spider, LAPSUS$, and ShinyHunters cybercriminal groups, which first emerged over the summer of 2025 in a public Telegram channel. Each brings different skills to the table: Scattered Spider handles social engineering and initial access, ShinyHunters specializes in data theft and publication, and LAPSUS$ members act as amplifiers and extortionists.
The timing of this resurgence is notable. In September 2025, several members announced their “retirement” following a string of arrests. Four individuals aged 17 to 20 were arrested in the United Kingdom in July in connection with attacks on retailers Marks & Spencer, Harrods, and Co-op Group. When asked why they rolled out a new leak site after pledging to go dark, the group’s representatives said it had “something to do with recent arrests” but declined to elaborate further.
How They Got In
The attack campaign exploited social engineering and OAuth token abuse to gain unauthorized access to Salesforce customer environments. The attackers used voice phishing (vishing) campaigns where they impersonated IT support staff in phone calls to trick employees at targeted organizations into granting them access or credentials for their Salesforce environments.
Once they had a foothold, the attackers worked through OAuth connected apps rather than interactive logins. In the vishing cases, the employee was talked through authorizing what looked like a legitimate connected app, handing the attackers a long-lived OAuth token for that account; in the Salesloft Drift case, the tokens were stolen from the integration itself rather than authorized by the victim. Either way, the tokens gave programmatic API access to CRM data, and because MFA is checked when a token is issued rather than on every API call, that access never triggered an MFA prompt.
The hackers claim the attack took place throughout 2024 and that the stolen data amounts to multiple terabytes, including highly sensitive personal information such as Social Security numbers, driver’s licenses, and dates of birth. On their leak site, they accuse Salesforce of failing to enforce multi-factor authentication and say they successfully targeted more than 100 additional unnamed instances through OAuth application weaknesses.
Salesforce’s Response
Salesforce issued a statement saying it had no indication that its platform was hacked, and that the group’s claims do not appear related to vulnerabilities in its platform. The company noted it is “aware of recent extortion attempts by threat actors” and that findings indicate “these attempts relate to past or unsubstantiated incidents.” Salesforce says it remains engaged with affected customers to provide support.
What This Means for Organizations
This incident highlights a few critical realities about modern cybersecurity threats.
First, the human element remains the weakest link. No matter how strong your technical controls are, a convincing phone call from someone posing as IT support can bypass them. These attackers didn’t exploit some zero-day vulnerability or break through firewalls. They talked their way in.
Second, third-party integrations and OAuth tokens create significant risk if not properly managed. Organizations need an inventory of which connected apps have been authorized, who authorized them and when, and which scopes and data they can reach. A token granted to an attacker-controlled app can sit quietly for months, giving persistent API access that looks like routine integration traffic unless someone is checking connected-app activity against a known-good list.
Third, privilege management matters. A connected app can do no more than the user who authorized it: its effective access is the intersection of the scopes it was granted and that user’s own permissions. If the employee has broad read access to sensitive objects, the attacker now has the same reach through the token. Tightening what any single user can access, through profiles and permission sets, shrinks the blast radius when an account is turned against its owner.
Protecting Against Social Engineering Attacks
The Scattered LAPSUS$ Hunters coalition has been targeting Salesforce customers with voice phishing attacks since the beginning of 2025, and this campaign shows no signs of stopping despite law enforcement action.
Here’s what organizations can do:
- Verify before you trust. Implement additional verification for calls to and from IT help desk personnel, for both internal employees and third-party partners. If someone calls claiming to be from IT and asks you to authorize an app or reset MFA, hang up and call back on a number from the company directory, not one the caller gives you.
- Control OAuth permissions. Review which connected apps have been authorized to access your SaaS platforms, which users granted them, and what scopes they hold. Remove apps that aren’t actively needed and, where the platform allows it, restrict installation to admin-approved apps so users cannot self-authorize unknown ones. Monitor for new OAuth authorizations and for API logins from unfamiliar apps or addresses.
- Enforce MFA everywhere. MFA is evaluated when a user signs in or authorizes an app, not on each later API call made with the resulting token, so it does not stop a token an employee was tricked into granting; it still makes initial access harder. Prefer phishing-resistant hardware security keys: authenticator-app codes are better than SMS, but a caller posing as IT can still ask the victim to read one out.
- Limit privilege by default. Users should only have access to the data and systems they need to do their jobs, which in Salesforce means tightly scoped profiles and permission sets rather than broad read access to every object. On endpoints, Admin By Request EPM helps by granting elevated privileges only when needed, for specific tasks, rather than giving users permanent admin rights that could be exploited.
- Train your team. Regular security awareness training that focuses on tactics (like vishing) helps employees recognize and report suspicious requests. Make it clear that it’s okay to say no and verify before taking any action that grants access.
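The inventory-and-monitoring advice in the second point under “What This Means for Organizations” and in the “Control OAuth permissions” item is easy to state and rarely implemented. As an added example, not part of the original article or of any Salesforce tooling, the Python below audits login records shaped like Salesforce’s LoginHistory object against an allowlist of approved connected apps and a baseline of known grants. The field names and the “Remote Access 2.0” login type are Salesforce’s; the records, the allowlist (APPROVED_APPS), the baseline (KNOWN_GRANTS), the one-hour window and the app names are constructed assumptions to adapt.

```python
"""Audit Salesforce-style login records for suspicious connected-app (OAuth) use.

Added example for this article, not Salesforce tooling. Field names follow the
Salesforce LoginHistory object (UserId, Application, LoginType, SourceIp,
LoginTime, Status). The records, allowlist and baseline below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # LoginType Salesforce records for OAuth 2.0 flows
UI_APPLICATION = "Browser"              # Application value for interactive UI logins
GRANT_WINDOW = timedelta(hours=1)       # assumed: a UI login this recent "vouches" for an IP

APPROVED_APPS = frozenset({"Slack", "Tableau", "Salesforce for iOS"})  # assumed allowlist
KNOWN_GRANTS = frozenset({("005B2", "Tableau")})  # assumed baseline of (UserId, app) pairs

# Constructed records; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOGINS = [
    # Employee A: UI session, then Slack authorized from the same office address
    {"UserId": "005A1", "Application": "Browser", "LoginType": "Application",
     "SourceIp": "198.51.100.10", "LoginTime": "2025-09-12T13:58:02Z", "Status": "Success"},
    {"UserId": "005A1", "Application": "Slack", "LoginType": OAUTH_LOGIN_TYPE,
     "SourceIp": "198.51.100.10", "LoginTime": "2025-09-12T14:05:40Z", "Status": "Success"},
    # Employee A, minutes later: an unlisted app is authorized from an address that
    # never appears in this user's own UI logins (the "help desk" caller's machine)
    {"UserId": "005A1", "Application": "Data Import Helper", "LoginType": OAUTH_LOGIN_TYPE,
     "SourceIp": "203.0.113.77", "LoginTime": "2025-09-12T14:21:09Z", "Status": "Success"},
    # Employee B: approved app, same address as their UI session, already in baseline
    {"UserId": "005B2", "Application": "Browser", "LoginType": "Application",
     "SourceIp": "198.51.100.22", "LoginTime": "2025-09-12T09:10:00Z", "Status": "Success"},
    {"UserId": "005B2", "Application": "Tableau", "LoginType": OAUTH_LOGIN_TYPE,
     "SourceIp": "198.51.100.22", "LoginTime": "2025-09-12T09:12:31Z", "Status": "Success"},
    # A failed OAuth login must not produce findings
    {"UserId": "005B2", "Application": "Data Import Helper", "LoginType": OAUTH_LOGIN_TYPE,
     "SourceIp": "203.0.113.77", "LoginTime": "2025-09-12T09:40:00Z", "Status": "Invalid Password"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_logins(records, approved_apps=APPROVED_APPS, known_grants=frozenset(),
                 window=GRANT_WINDOW):
    """Return findings as (rule, UserId, Application, SourceIp) tuples, oldest first.

    unknown_app  OAuth login through a connected app that is not on the allowlist.
    foreign_ip   OAuth login from an address with no UI login by the same user within
                 `window`; the grant was completed from a machine the user was not on.
    first_seen   first OAuth login for a (user, app) pair absent from `known_grants`,
                 so new authorizations get reviewed even when the app is approved.
    """
    ui_logins = defaultdict(list)  # UserId -> [(time, ip)] for successful UI logins
    for r in records:
        if r["Status"] == "Success" and r["Application"] == UI_APPLICATION:
            ui_logins[r["UserId"]].append((_ts(r["LoginTime"]), r["SourceIp"]))

    findings, seen = [], set(known_grants)
    for r in sorted(records, key=lambda x: x["LoginTime"]):
        if r["Status"] != "Success" or r["LoginType"] != OAUTH_LOGIN_TYPE:
            continue
        user, app, ip, t = r["UserId"], r["Application"], r["SourceIp"], _ts(r["LoginTime"])
        if app not in approved_apps:
            findings.append(("unknown_app", user, app, ip))
        vouched_ips = {uip for uts, uip in ui_logins[user] if abs(uts - t) <= window}
        if ip not in vouched_ips:
            findings.append(("foreign_ip", user, app, ip))
        if (user, app) not in seen:
            seen.add((user, app))
            findings.append(("first_seen", user, app, ip))
    return findings


if __name__ == "__main__":
    for rule, user, app, ip in audit_logins(SAMPLE_LOGINS, known_grants=KNOWN_GRANTS):
        print(f"{rule:12} user={user} app={app!r} ip={ip}")
```

On the constructed data, Employee B produces nothing, Slack for Employee A is reported once as a new grant, and the unlisted app trips all three rules. In a real org the records would come from a SOQL query over LoginHistory (UserId, Application, LoginType, SourceIp, LoginTime, Status) and the baseline from your existing connected-app inventory. The foreign_ip rule is the noisy one for mobile and VPN users; a reasonable first deployment applies it only to apps that are also unknown or first-seen, and treats a combined hit as a page-someone event rather than a ticket.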
The Scattered LAPSUS$ Hunters incident is a reminder that even with arrests and apparent shutdowns, cybercrime groups adapt and continue operating. The threat isn’t going away, which means organizations need to stay vigilant and keep their defenses current.