Salesforce data breach
Categories

Hackers Leak Data from Six Salesforce Customers After Extortion Attempt

The Scattered LAPSUS$ Hunters, an extortion group linked to Scattered Spider and ShinyHunters, has leaked millions of records allegedly stolen from Salesforce customers. The leaks, published on dark web and clear net sites, came after Salesforce refused to pay a ransom tied to claims of data theft from 39 major organizations worldwide.

What Happened in the Salesforce Data Leak

In early October 2025, the Scattered LAPSUS$ Hunters began threatening to publish sensitive data allegedly stolen from dozens of Salesforce clients unless a ransom was paid. Despite the threats, Salesforce publicly stated the extortion attempt was linked to “past or unsubstantiated incidents” and confirmed it would not negotiate with the hackers.

Days later, the group followed through by leaking records on their Tor-based leak site. The initial leaks included data allegedly belonging to six well-known companies: Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines. According to cybersecurity researchers, the data was later mirrored on clear net websites and even offered on underground forums, first to paying users and then freely to the public.

The attackers had originally claimed to hold data from 39 Salesforce customers, suggesting a far larger breach. However, only a fraction of that data has been released, raising questions about the group’s actual capabilities and intentions.

Which Companies Were Impacted

Although the hackers claimed they had stolen data from 39 different Salesforce clients, only six organizations had their information published. The leaked data has been tied to household names across industries, including retail, energy, aviation, and technology.

  • Qantas – The Australian airline confirmed that attackers accessed data from a third-party platform connected to one of its call centers. Around six million customers may have been impacted, with stolen records including names, phone numbers, email addresses, dates of birth, and frequent flyer numbers. Qantas obtained a court injunction in an effort to restrict access to the leaked data, but acknowledged the information had already been posted online.
  • Vietnam Airlines – According to breach notification service Have I Been Pwned, data associated with roughly 7.3 million accounts was leaked. The exposed information appears to include loyalty program records, names, contact details, and dates of birth taken from the airline’s Salesforce environment earlier in the year.
  • GAP – The clothing retailer was named among the six victims, though specific details on the scope of its leaked data have not been publicly confirmed. The breach highlights how retail companies dependent on customer relationship management systems remain attractive targets for cybercriminals.
  • Fujifilm – The multinational imaging and technology company was also identified in the leak. Like GAP, few details about the nature of the compromised records have been released, but the inclusion of Fujifilm adds to the high-profile nature of the incident.
  • Albertsons – One of the largest food and drug retailers in the United States, Albertsons was listed as a victim in the data leak. While the scope remains unclear, any compromise of customer data at this scale could have widespread consequences.
  • Engie Resources – The Houston-based energy provider was among those whose information was exposed. Given the company’s role in servicing large-scale commercial and industrial customers, the breach raises concerns about potential secondary risks in the energy sector.

These organizations represent only a fraction of the companies allegedly targeted. Many other well-known global brands remain listed on the hackers’ leak site without additional data being released, leaving uncertainty about the full scope of the data breach.

What Data Was Exposed

The leaked datasets vary by company, but investigators and breach monitoring services have confirmed that millions of records were made public. In many cases, the stolen information includes highly personal details that could be abused for identity theft, phishing, or financial fraud.

  • Personal Identifiers: Full names, dates of birth, phone numbers, and email addresses were among the most common data types leaked. Such information can easily be combined with other sources to craft targeted scams or impersonation attempts.
  • Loyalty and Customer Accounts: Qantas frequent flyer numbers and Vietnam Airlines loyalty program details were published, exposing sensitive travel records and benefits data.
  • Contact Center Records: Some of the stolen data originated from third-party platforms integrated with Salesforce, including call center logs and customer support tickets. These records may contain additional context about customer complaints or transactions.
  • Unconfirmed Business Data: For organizations such as GAP, Albertsons, and Fujifilm, the full scope of exposed records remains unclear. However, researchers warn that corporate CRM platforms often contain addresses, transaction histories, and other sensitive business information that could have been compromised.

While the hackers initially claimed possession of nearly one billion Salesforce customer records, only six companies’ data has surfaced. The limited release has led to speculation over whether the group truly holds additional information or whether its claims were exaggerated as part of the extortion campaign. Regardless, the confirmed leaks highlight the dangers of large-scale cybersecurity incidents involving trusted cloud platforms.

Conflicting Claims and Ransom Demands

The Scattered LAPSUS$ Hunters promoted the Salesforce attack as one of the largest data thefts in history, boasting that nearly one billion records had been stolen from 39 different companies. They threatened to publish the information unless Salesforce paid a lump-sum ransom on behalf of its customers. The hackers framed this approach as a way to “protect” individual victims by forcing the CRM provider to take responsibility.

Salesforce dismissed the extortion attempt, describing it as connected to “past or unsubstantiated incidents.” The company made it clear that it would not negotiate with cybercriminals or pay any ransom demand. This refusal appears to have triggered the publication of data on dark web leak sites and clear net forums.

Despite the group’s bold claims, only six victims had data released. Followers on the group’s Telegram channel pressed for explanations about the missing leaks. In response, the hackers claimed they “can’t leak” any more records, fueling speculation that their claims were exaggerated or that some companies may have quietly negotiated payments.

In messages shared with DataBreaches.net, the attackers suggested certain organizations had paid but specifically requested not to be removed from the leak site to avoid drawing attention. There is no public evidence to support this claim. The inconsistency between the group’s threats and actions has raised doubts among researchers about whether the extortion campaign was as large as originally advertised.

Ultimately, the release of only a fraction of the promised data illustrates how extortion groups often use inflated claims, uncertainty, and fear to pressure victims into compliance. Even without delivering on all threats, these tactics create enough disruption to harm reputations and alarm customers affected by the malware threats and breaches.

Company Responses

Salesforce reiterated that it would not negotiate with the extortionists, stating firmly that the incident involved “past or unsubstantiated” activity and that no ransom would be paid. The company has urged customers to remain cautious of phishing attempts and to review their security practices following the leak.

Among the named victims, Qantas confirmed that customer information had been compromised. The airline obtained a court injunction to restrict access to the leaked data while working with cybersecurity experts to assess the scope of exposure. Qantas emphasized that the types of data at risk — names, contact details, and frequent flyer information — had already been disclosed to affected customers earlier in the year.

Vietnam Airlines was identified through records added to the Have I Been Pwned breach database. The leaked dataset contained information from approximately 7.3 million loyalty program accounts, including personal details and membership numbers.

Other companies, including GAP, Fujifilm, Albertsons, and Engie Resources, have not publicly released detailed statements about the incident. Their inclusion in the leaks underscores the diverse industries impacted by the attack.

Meanwhile, Telstra was forced to respond after Scattered LAPSUS$ Hunters claimed to have stolen 19 million customer records. The Australian telecommunications giant quickly refuted the claims, explaining that the data in question was scraped from public sources rather than obtained from internal systems. According to Telstra, no financial or identification data had been exposed.

These responses reflect a mixed picture: some companies are acknowledging breaches and engaging with customers, while others are disputing the attackers’ claims or choosing to remain silent. The lack of clarity adds to the uncertainty surrounding the true scale of the Salesforce data leak.

What Security Experts Are Saying

Security researchers remain divided on the true scope of the Salesforce leaks. While the attackers initially advertised nearly one billion stolen records from 39 companies, only six victims have seen data released publicly. This discrepancy has raised questions about whether the Scattered LAPSUS$ Hunters exaggerated their capabilities or whether some companies quietly paid ransoms behind closed doors.

Analysts at firms such as Mandiant and Rapid7 note that the group’s tactics mirror previous campaigns linked to Scattered Spider, LAPSUS$, and ShinyHunters. These collectives have historically relied on social engineering, stolen credentials, and cloud misconfigurations rather than traditional malware payloads. By targeting large SaaS providers, attackers gain access to multiple downstream victims, amplifying the scale of disruption.

Independent researcher Kevin Beaumont emphasized that incidents like these reinforce the importance of not paying ransoms. He has criticized organizations that indirectly fund cybercrime by negotiating with extortionists, warning that such payments only incentivize future attacks. Beaumont noted that in this case, most of the threatened companies have not had their data leaked, which undermines the attackers’ credibility.

Experts also caution that even partial leaks can have serious consequences. Exposed loyalty program records, contact details, and customer support information could fuel identity theft, phishing campaigns, and corporate espionage. “Even if hackers exaggerate the numbers, the information that is published can still be weaponized against users,” one researcher told industry media outlets.

Overall, cybersecurity specialists agree that the Salesforce data breach highlights the growing risks of third-party cloud compromises and the evolving tactics of criminal groups that blend elements of extortion, hacking, and fraud.

Key Takeaways

  • The Scattered LAPSUS$ Hunters leaked data allegedly stolen from six Salesforce customers, including Qantas, Vietnam Airlines, GAP, Fujifilm, Albertsons, and Engie Resources.
  • Although the hackers claimed nearly one billion records from 39 organizations, only a fraction of that data has surfaced, raising doubts about the group’s credibility.
  • Leaked records include names, dates of birth, contact details, loyalty program numbers, and customer support data, all of which could be exploited for identity theft or phishing.
  • Salesforce refused to pay the ransom, calling the extortion attempt “past or unsubstantiated,” while Qantas and Vietnam Airlines confirmed significant customer impacts.
  • Security experts warn that even partial leaks carry risks, and they advise companies not to pay ransoms, as doing so only encourages further cybercrime.

The Salesforce data leak underscores the growing risks of supply-chain and cloud-based compromises, demonstrating how attackers can exploit trusted platforms to impact multiple industries at once.

Written by

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.

More Reading

Post navigation

Leave a Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.