Scattered LAPSUS$ Hunters Target Salesforce via Gainsight Supply Chain Attack
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH), an amalgamation of groups including Scattered Spider, LAPSUS$, and ShinyHunters, has intensified its campaign of data theft and extortion against major corporations. In November 2025, Salesforce detected unusual activity involving Gainsight-published applications, leading to the revocation of access tokens and removal of affected apps from its AppExchange. Salesforce determined that the incident was not due to a vulnerability in its platform, but rather unauthorized access to customer data through compromised app connections. The breach was traced back to a supply chain attack on Salesloft Drift in August 2025, which enabled attackers to obtain secrets used to access additional Salesforce instances. Gainsight confirmed that stolen OAuth tokens were used in the attack, and indicators of compromise were shared with affected customers.
SLSH has leveraged this access to threaten public data leaks and extort both Salesforce and its customers, with a new extortion portal listing dozens of victim companies, including Toyota, FedEx, Disney/Hulu, and UPS. The group has also escalated its tactics by openly recruiting insiders from large organizations, offering rewards for internal access to facilitate further breaches. Recent reports indicate that SLSH's activities are coordinated through Telegram channels, and the group has been linked to high-profile incidents involving both data theft and attempted insider recruitment. Security advisories and ongoing investigations highlight the persistent threat posed by SLSH and the importance of monitoring supply chain risks and insider threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Law enforcement scrutiny of SLSH and BreachForums becomes public
Reporting indicated that the FBI had targeted BreachForums and was aware of SLSH's activities, highlighting ongoing law-enforcement attention to the group's ecosystem.
Researchers identify 'Rey' as Saif Al-Din Khader
Operational security mistakes exposed the identity of SLSH technical operator 'Rey,' who was identified as teenager Saif Al-Din Khader from Amman, Jordan.
Plans emerge for Linux and ESXi versions of ShinySp1d3r
Researchers reported that the group intends to expand ShinySp1d3r beyond Windows with planned Linux and ESXi variants, signaling broader targeting ambitions.
SLSH launches ShinySp1d3r ransomware-as-a-service
The alliance introduced its own ransomware-as-a-service operation, ShinySp1d3r, initially for Windows, after previously relying on other affiliates' ransomware tooling.
SLSH threatens to leak stolen data unless ransoms are paid
After obtaining victim data, SLSH warned organizations that stolen information would be published unless ransom demands were met.
Bling Libra claims access to 285 more Salesforce instances
The threat group Bling Libra, also known as ShinyHunters, claimed it had obtained access to 285 additional Salesforce instances, indicating broader compromise and follow-on extortion potential.
Gainsight suspends SaaS connections as a precaution
In response to the incident, Gainsight suspended connections to other SaaS platforms to limit further risk while the compromise was being addressed.
Supply-chain breach traced to Salesloft Drift integration
Investigation linked the Salesforce-related compromise to a supply-chain attack involving Salesloft Drift, expanding the scope beyond a direct single-platform intrusion.
Salesforce detects unusual activity tied to Gainsight apps
Salesforce identified unusual activity involving Gainsight-published applications, prompting revocation of tokens and customer notifications about the incident.
Former CrowdStrike employee reportedly paid for internal access
SLSH recently succeeded in paying a former CrowdStrike employee in exchange for internal access, marking a concrete insider-recruitment success for the group.
SLSH begins recruiting corporate insiders across industries
During 2025, the group actively sought insiders in sectors including retail and hospitality to facilitate intrusions and data theft.
SLSH conducts 2025 extortion campaign against major companies
Throughout 2025, SLSH used social engineering, including voice phishing, to compromise Salesforce portals and steal data from companies including Toyota, FedEx, Disney/Hulu, and UPS, threatening leaks unless ransoms were paid.
SLSH resumes operations after a brief hiatus
The Scattered LAPSUS$ Hunters alliance resumed activity in 2025, returning to data theft, extortion, and insider-recruitment operations against organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Scattered Lapsus$ Hunters Data Leaks and Threats Following Law Enforcement Action
The Scattered Lapsus$ Hunters (SLSH), a cybercrime collective formed from members of Scattered Spider, Lapsus$, and ShinyHunters, announced a temporary retreat from online activity after the FBI seized their clearweb site. The group, known for its Western and English-speaking membership, issued a series of aggressive messages on Telegram, vowing to retaliate against the FBI and promising a return in 2026. This announcement followed a period of heightened law enforcement scrutiny, including the arrest and charging of two teenagers in the UK for their alleged involvement in attacks attributed to Scattered Spider, a component of SLSH. The group has a history of dramatic exits and returns, having previously declared a hiatus only to reappear days later. SLSH has gained notoriety for targeting large organizations and for the scale of its operations. In parallel with their public threats, the group claimed responsibility for a massive data breach affecting 39 major companies worldwide, exploiting a Salesforce vulnerability to steal 989 million records. They demanded negotiations with Salesforce and the affected firms, threatening to release the data if ignored. When their demands were unmet, SLSH published data allegedly belonging to six companies, including Qantas Airways, Vietnam Airlines, Fujifilm, GAP Inc., Engie Resources, and Albertsons Companies. The leaked datasets reportedly contain extensive personally identifiable information (PII), such as full names, addresses, passport numbers, phone numbers, email addresses, and, in the case of Qantas, detailed frequent flyer information and internal business data. The Qantas dataset alone is said to be 153 GB and includes over 5 million records. The authenticity of the data has been partially verified by independent analysis, though only the affected companies can fully confirm the breach. The exposure of such sensitive information poses significant risks for identity theft, fraud, and targeted attacks against both individuals and organizations. The SLSH collective's actions have prompted calls for increased vigilance and improved cybersecurity measures among large enterprises, especially those using cloud-based platforms like Salesforce. Law enforcement agencies continue to investigate and pursue members of the group, while the cybersecurity community monitors for further developments and potential retaliatory actions promised by SLSH upon their return.
Mar 21, 2026
Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations
A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.
Mar 21, 2026
Scattered LAPSUS$ Hunters Data Leaks from Salesforce Breaches
A hacking group known as Scattered LAPSUS$ Hunters publicly released data stolen from the Salesforce environments of multiple companies, including Qantas and Vietnam Airlines. The group had previously threatened to leak data unless Salesforce or the affected companies paid a ransom, but the deadline passed without payment, prompting the attackers to publish data from six of the 39 companies they claimed to have compromised. The initial leaks included data from Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. Qantas received significant media attention due to a court injunction it obtained in an attempt to prevent the use or dissemination of the stolen data, but the injunction proved ineffective as the data was still widely distributed. The attackers used multiple platforms to share the stolen information, including an onion site, a clear net forum, and a new clear net leak site, making the data accessible to a broad audience. For Vietnam Airlines, the breach resulted in the exposure of 7.5 million unique customer email addresses, along with names, phone numbers, dates of birth, and loyalty program membership numbers. The breach of Vietnam Airlines' Salesforce environment reportedly occurred in June 2025, but the data was not publicly released until October. The group’s leak strategy included charging for access to the data on some platforms, while later making it freely available on others. Despite initial claims of a massive leak affecting 39 companies, only six organizations' data was actually released, leading to speculation about the group’s motives and capabilities. The attackers communicated with followers via Telegram, providing updates and alternative download links when their primary leak site experienced technical issues. The incident highlighted the limitations of legal measures such as injunctions in preventing the spread of stolen data once it is in the hands of threat actors. Media and security experts, including Troy Hunt, provided commentary on the situation, emphasizing the inevitability of the data’s release and the challenges faced by affected organizations. The breach underscores the risks associated with third-party cloud platforms like Salesforce and the importance of robust security controls and incident response plans. Companies affected by the breach were advised to notify impacted customers, recommend password changes, and implement additional security measures such as two-factor authentication. The event also demonstrated the evolving tactics of cybercriminal groups in monetizing and publicizing stolen data, as well as the ongoing threat posed by supply chain and third-party breaches.
Mar 21, 2026