Hacking group claims theft of 1 billion records from Salesforce customer databases

A notorious, predominantly English-speaking hacking group has launched a website to extort its victims. The group is threatening to release approximately one billion records stolen from companies that store customer data in cloud databases hosted by Salesforce.

This loosely organized group, known as Lapsus, Scattered Spider, and ShinyHunters, has published a dedicated data leak site on the dark web called Scattered LAPSUS Hunters. First spotted by threat intelligence researchers, the website aims to pressure victims into paying the hackers to avoid having their stolen data published online. The site reads, “Contact us to regain control on data governance and prevent public disclosure of your data. Do not be the next headline. All communications demand strict verification and will be handled with discretion.”

Over the last few weeks, the ShinyHunters gang allegedly hacked dozens of high-profile companies by breaking into their cloud-based databases hosted by Salesforce. Insurance giant Allianz Life, Google, fashion conglomerate Kering, the airline Qantas, carmaking giant Stellantis, credit bureau TransUnion, and the employee management platform Workday, among several others, have confirmed their data was stolen in these mass hacks.

The hackers’ leak site lists several alleged victims, including FedEx, Hulu, and Toyota Motors. None of these companies responded to a request for comment. It is not clear if the companies known to have been hacked but not listed on the site have paid a ransom to prevent their data from being published. A representative from ShinyHunters said, “there are numerous other companies that have not been listed,” but declined to say why.

At the top of the site, the hackers mention Salesforce and demand that the company negotiate a ransom, threatening that otherwise “all your customers data will be leaked.” The tone of the message suggests that Salesforce has not yet engaged with the hackers.

Salesforce spokesperson Nicole Aranda provided a link to the company’s statement, which notes that the company is “aware of recent extortion attempts by threat actors.” The statement reads, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” Aranda did not immediately answer questions about the incidents.

For weeks, security researchers have speculated that the group, which has historically avoided a public presence online, was planning to publish a data leak website to extort its victims. Historically, such websites have been associated with foreign, often Russian-speaking, ransomware gangs. In the last few years, these organized cybercrime groups have evolved from stealing and encrypting victim data and then privately asking for a ransom, to simply threatening to publish the stolen data online unless they get paid.