Scattered LAPSUS$ Hunters Data Leaks from Salesforce Breaches
A hacking group known as Scattered LAPSUS$ Hunters publicly released data stolen from the Salesforce environments of multiple companies, including Qantas and Vietnam Airlines. The group had previously threatened to leak data unless Salesforce or the affected companies paid a ransom, but the deadline passed without payment, prompting the attackers to publish data from six of the 39 companies they claimed to have compromised. The initial leaks included data from Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. Qantas received significant media attention due to a court injunction it obtained in an attempt to prevent the use or dissemination of the stolen data, but the injunction proved ineffective as the data was still widely distributed. The attackers used multiple platforms to share the stolen information, including an onion site, a clear net forum, and a new clear net leak site, making the data accessible to a broad audience. For Vietnam Airlines, the breach resulted in the exposure of 7.5 million unique customer email addresses, along with names, phone numbers, dates of birth, and loyalty program membership numbers. The breach of Vietnam Airlines' Salesforce environment reportedly occurred in June 2025, but the data was not publicly released until October. The group’s leak strategy included charging for access to the data on some platforms, while later making it freely available on others. Despite initial claims of a massive leak affecting 39 companies, only six organizations' data was actually released, leading to speculation about the group’s motives and capabilities. The attackers communicated with followers via Telegram, providing updates and alternative download links when their primary leak site experienced technical issues. The incident highlighted the limitations of legal measures such as injunctions in preventing the spread of stolen data once it is in the hands of threat actors. Media and security experts, including Troy Hunt, provided commentary on the situation, emphasizing the inevitability of the data’s release and the challenges faced by affected organizations. The breach underscores the risks associated with third-party cloud platforms like Salesforce and the importance of robust security controls and incident response plans. Companies affected by the breach were advised to notify impacted customers, recommend password changes, and implement additional security measures such as two-factor authentication. The event also demonstrated the evolving tactics of cybercriminal groups in monetizing and publicizing stolen data, as well as the ongoing threat posed by supply chain and third-party breaches.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Vietnam Airlines breach was added to Have I Been Pwned
Have I Been Pwned published an entry for the Vietnam Airlines data breach, identifying it as part of the October 2025 public release of data stolen from Salesforce instances. The listing summarized the exposed customer data and attributed the release to Scattered LAPSUS$ Hunters.
Threat actors said no further Salesforce-related leaks would occur
Following the initial releases, Scattered LAPSUS$ Hunters claimed it could not leak more data and said nothing else would be published, while leaving the broader victim listings and samples online. This marked a de-escalation from earlier expectations of a much larger leak.
Group publicly released data for six companies including Vietnam Airlines
After the ransom deadline passed, the group leaked data for only six companies: Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. The Vietnam Airlines data included 7.3 million unique customer email addresses along with names, phone numbers, dates of birth, and loyalty program membership numbers.
Scattered LAPSUS$ Hunters threatened Salesforce and listed 39 companies
A hacking group calling itself Scattered LAPSUS$ Hunters threatened Salesforce with a ransom deadline and claimed to hold data tied to Salesforce and its customers. The group listed 39 companies on its leak site as alleged victims.
Vietnam Airlines' Salesforce environment was breached
Vietnam Airlines was identified as one of multiple organizations whose Salesforce environments were compromised. The breach of Vietnam Airlines' Salesforce instance occurred in June 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Scattered Lapsus$ Hunters extortion site goes dark: What’s next?
csoonline.com
Open sourceWeekly Update 473
troyhunt.com
Open sourceFrom sizzle to drizzle to fizzle: The massive data leak that wasn’t
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.
Mar 21, 2026
Scattered Lapsus$ Hunters Data Leaks and Threats Following Law Enforcement Action
The Scattered Lapsus$ Hunters (SLSH), a cybercrime collective formed from members of Scattered Spider, Lapsus$, and ShinyHunters, announced a temporary retreat from online activity after the FBI seized their clearweb site. The group, known for its Western and English-speaking membership, issued a series of aggressive messages on Telegram, vowing to retaliate against the FBI and promising a return in 2026. This announcement followed a period of heightened law enforcement scrutiny, including the arrest and charging of two teenagers in the UK for their alleged involvement in attacks attributed to Scattered Spider, a component of SLSH. The group has a history of dramatic exits and returns, having previously declared a hiatus only to reappear days later. SLSH has gained notoriety for targeting large organizations and for the scale of its operations. In parallel with their public threats, the group claimed responsibility for a massive data breach affecting 39 major companies worldwide, exploiting a Salesforce vulnerability to steal 989 million records. They demanded negotiations with Salesforce and the affected firms, threatening to release the data if ignored. When their demands were unmet, SLSH published data allegedly belonging to six companies, including Qantas Airways, Vietnam Airlines, Fujifilm, GAP Inc., Engie Resources, and Albertsons Companies. The leaked datasets reportedly contain extensive personally identifiable information (PII), such as full names, addresses, passport numbers, phone numbers, email addresses, and, in the case of Qantas, detailed frequent flyer information and internal business data. The Qantas dataset alone is said to be 153 GB and includes over 5 million records. The authenticity of the data has been partially verified by independent analysis, though only the affected companies can fully confirm the breach. The exposure of such sensitive information poses significant risks for identity theft, fraud, and targeted attacks against both individuals and organizations. The SLSH collective's actions have prompted calls for increased vigilance and improved cybersecurity measures among large enterprises, especially those using cloud-based platforms like Salesforce. Law enforcement agencies continue to investigate and pursue members of the group, while the cybersecurity community monitors for further developments and potential retaliatory actions promised by SLSH upon their return.
Mar 21, 2026
Scattered LAPSUS$ Hunters Target Salesforce via Gainsight Supply Chain Attack
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH), an amalgamation of groups including Scattered Spider, LAPSUS$, and ShinyHunters, has intensified its campaign of data theft and extortion against major corporations. In November 2025, Salesforce detected unusual activity involving Gainsight-published applications, leading to the revocation of access tokens and removal of affected apps from its AppExchange. Salesforce determined that the incident was not due to a vulnerability in its platform, but rather unauthorized access to customer data through compromised app connections. The breach was traced back to a supply chain attack on Salesloft Drift in August 2025, which enabled attackers to obtain secrets used to access additional Salesforce instances. Gainsight confirmed that stolen OAuth tokens were used in the attack, and indicators of compromise were shared with affected customers. SLSH has leveraged this access to threaten public data leaks and extort both Salesforce and its customers, with a new extortion portal listing dozens of victim companies, including Toyota, FedEx, Disney/Hulu, and UPS. The group has also escalated its tactics by openly recruiting insiders from large organizations, offering rewards for internal access to facilitate further breaches. Recent reports indicate that SLSH's activities are coordinated through Telegram channels, and the group has been linked to high-profile incidents involving both data theft and attempted insider recruitment. Security advisories and ongoing investigations highlight the persistent threat posed by SLSH and the importance of monitoring supply chain risks and insider threats.
Mar 21, 2026