Found 5 bookmarks
Newest
ShinyHunters launches Salesforce data leak site to extort 39 victims
ShinyHunters launches Salesforce data leak site to extort 39 victims
bleepingcomputer.com By Sergiu Gatlan October 3, 2025 An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached. The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA. "All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer. "We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site. The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked. "Should you comply, we will withdraw from any active or pending negotiation indiviually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added. The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
#bleepingcomputer.com#EN#2025#Breach#Data-Breach#Leak#Salesforce#Scattered-Lapsus$-Hunters#ShinyHunters
·bleepingcomputer.com·
ShinyHunters launches Salesforce data leak site to extort 39 victims
FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms
FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms
| The Record from Recorded Future News Jonathan Greig September 15th, 2025 Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organizations for exorbitant ransoms after stealing data from Salesforce, the FBI warned. The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively. After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organizations — threatening to leak troves of customer data, business documents and more. The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency but they noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration while others took place months later. The FBI said the campaign began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees. That scheme typically gave the cybercriminals access to employee credentials that were then leveraged to access Salesforce instances holding customer data. In other cases, the hackers used phishing emails or texts to take over employees’ phones or computers. The hackers evolved their tactics throughout the summer, switching to exploiting third-party applications that organizations linked to their Salesforce instances. “UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal,” the FBI said. “This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.” By August, the hackers began targeting the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce. The tactic allowed them to bypass traditional defenses like multifactor authentication, login monitoring and password resets, the FBI explained. In some cases, the FBI has found that the hackers created malicious applications within Salesforce trial accounts that allowed them to register connected apps without using a legitimate corporate account. On Monday, Reuters and the BBC confirmed that Kering — the French conglomerate that owns Gucci, Balenciaga and Alexander McQueen — was attacked by the same ShinyHunters cybercriminals. ShinyHunters told the BBC that it stole information connected to 7.4 million unique email addresses. The hackers told another news outlet that they stole the information in late 2024 but only began negotiating a ransom in June 2025. Last week, a critical government agency in Vietnam confirmed that millions of financial records were stolen in an attack claimed by ShinyHunters. The cybercriminals previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries. The FBI provided indicators of compromise that potential victims can use to see whether they have been affected by the hacking campaigns and urged companies to train call center employees on the tactics used. The agency also said companies should limit the privileges of almost every employee account, enforce IP-based access restrictions, monitor API usage and more. Experts said the information provided by the FBI showed how sophisticated the actors are at abusing legitimate tools for nefarious purposes, like Azure cloud infrastructure, virtual servers, Tor exit nodes and proxy services to obfuscate their origin. Scattered retirement? The FBI notice came shortly after the group made several posts on Telegram claiming to be retiring. The group blamed a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation. Cybersecurity experts were dubious about the disbanding claims, noting that cybercriminal operations often make similar claims before reconstituting under different names. Some theorized the hackers are likely going to enjoy the spoils of their recent extortion campaigns before returning to cybercriminal activity. Sam Rubin, a senior official with Palo Alto Networks’ Unit 42, said recent arrests may have prompted the group to lay low, but history says such activity is often temporary. “Groups like this splinter, rebrand, and resurface — much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” he said. “Silence from a threat group does not equal safety.”
#therecord.media#EN#2025#ScatteredSpider#ShinyHunters#FBI#Salesforce
·therecord.media·
FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms
Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?
Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?
databreaches.net Posted on September 15, 2025 by Dissent On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined. Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga’s safety manager. Those negotiations appeared to go on for more than a month and a half between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through. Kering Issues a Statement Although they did not respond to DataBreaches’ questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian. Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it’s a start. Kering states: « En juin 2025, nous avons constaté qu’un tiers non autorisé avait temporairement accédé à nos systèmes et consulté des données clients limitées provenant de certaines de nos Maisons », explique le service de presse de Kering dans une déclaration adressée à la rédaction. Celle-ci ajoute que « nos Maisons ont immédiatement signalé cette intrusion aux autorités compétentes et ont informé les clients conformément aux réglementations locales ». Et de préciser qu’aucune « information financière, telle que des numéros de compte bancaire ou de carte de crédit, ni aucun numéro d’identification personnelle (numéro de sécurité sociale), n’ont été compromise lors de cet incident ». Selon le service de presse de Kering « l’intrusion a été rapidement identifiée et des mesures appropriées ont été prises pour sécuriser les systèmes concernés et éviter que de tels incidents ne se reproduisent à l’avenir ». A machine translation roughly yields: In June 2025, we found that an unauthorized third party had temporarily accessed our systems and accessed limited customer data from some of our Houses. Our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations….. No financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident. According to Kering’s statement, “the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future.” They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuter’s question. An Inconsistent Statement? It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches. DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering’s statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects. As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn’t pay any ransom, consistent with long-standing law enforcement advice. Their denial appears to be factually inaccurate, at least in part. At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering’s denial that they engaged in any conversations or paid any ransom. The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0,00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report. On July 4, Balenciaga’s “user” told ShinyHunters that the test payment had been made: [en attente] : 2025-07-04 [03:09:08] shinycorp: Bonjour, vous nous aviez promis un paiement hier, mais nous n’avons rien reçu. des nouvelles ? [04:23:45] Utilisateur: Bonjour [04:24:05] Utilisateur: nous avons eu du retard pour la création du compte [04:24:09] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b [04:24:18] Utilisateur: ci joint la preuve du paiement test [04:24:24] Utilisateur: je vous invite à vérifier [04:52:42] shinycorp: Reçu pour la première fois [06:17:52] shinycorp: Veuillez diffuser la transaction. [07: 45: 06] Utilisateur: fichier: / / / C: / Utilisateurs / X / Bureau / flux de blocs.htm [07:46:28] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment. Btcpaid Kering’s reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that. Kering’s statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them: Have you notified data protection regulators in all of the countries where your customers reside? When did you send emails to customers to notify them? Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses? Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themself as Balenciaga’s negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else? No reply has been received. Furthermore, we still do not know how many unique customers, total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address. Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.
#databreaches.net#EN#2025#Kering#Gucci#Data-Breach#Salesforce#ShinyHunters
·databreaches.net·
Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
bleepingcomputer.com By Lawrence Abrams August 25, 2025 - U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks. Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide. The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities." The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year. BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response. The Salesforce data theft attacks Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
#bleepingcomputer.com#EN#2025#Data-Breach#Data-Theft#Farmers-Insurance#Insurance#Salesforce#ShinyHunters
·bleepingcomputer.com·
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Hackers leak Allianz Life data stolen in Salesforce attacks
Hackers leak Allianz Life data stolen in Salesforce attacks
bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks. Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th. While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group. Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches. Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase. One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances. These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors. The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications. BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database. BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing. The Salesforce data-theft attacks The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks. While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider. However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested. Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses. Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
#bleepingcomputer.com#EN#2025#llianz-Life#Data-Breach#Lapsus$#Personal-Information#Salesforce#Scattered-Spider#ShinyHunters
·bleepingcomputer.com·
Hackers leak Allianz Life data stolen in Salesforce attacks