Found 2 bookmarks
Custom sorting
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
  • Daily Dark Web - dailydarkweb.net October 3, 2025 The newly formed cybercrime alliance, โ€œScattered LAPSUS$ Hunters,โ€ has launched a new website detailing its claims of a massive data breach affecting Salesforce and its extensive customer base. This development is the latest move by the group, a notorious collaboration between members of the established threat actor crews ShinyHunters, Scattered Spider, and LAPSUS$. On their new site, the group is extorting Salesforce directly, threatening to leak nearly one billion records with a ransom deadline of October 10, 2025. This situation stems from a widespread and coordinated campaign that targeted Salesforce customers throughout mid-2025. According to security researchers, the attacks did not exploit a vulnerability in Salesforceโ€™s core platform. Instead, the threat actors, particularly those from the Scattered Spider group, employed sophisticated social engineering tactics. The primary method involved voice phishing (vishing), where attackers impersonated corporate IT or help desk staff in phone calls to employees of target companies. These employees were then manipulated into authorizing malicious third-party applications within their companyโ€™s Salesforce environment. This action granted the attackers persistent access tokens (OAuth), allowing them to bypass multi-factor authentication and exfiltrate vast amounts of data. The alliance has now consolidated the data from these numerous breaches for this large-scale extortion attempt against Salesforce itself. The website lists dozens of high-profile Salesforce customers allegedly compromised in the campaign. The list of alleged victims posted by the group includes: Toyota Motor Corporations (๐Ÿ‡ฏ๐Ÿ‡ต): A multinational automotive manufacturer. FedEx (๐Ÿ‡บ๐Ÿ‡ธ): A global courier delivery services company. Disney/Hulu (๐Ÿ‡บ๐Ÿ‡ธ): A multinational mass media and entertainment conglomerate. Republic Services (๐Ÿ‡บ๐Ÿ‡ธ): An American waste disposal company. UPS (๐Ÿ‡บ๐Ÿ‡ธ): A multinational shipping, receiving, and supply chain management company. Aeromรฉxico (๐Ÿ‡ฒ๐Ÿ‡ฝ): The flag carrier airline of Mexico. Home Depot (๐Ÿ‡บ๐Ÿ‡ธ): The largest home improvement retailer in the United States. Marriott (๐Ÿ‡บ๐Ÿ‡ธ): A multinational company that operates, franchises, and licenses lodging. Vietnam Airlines (๐Ÿ‡ป๐Ÿ‡ณ): The flag carrier of Vietnam. Walgreens (๐Ÿ‡บ๐Ÿ‡ธ): An American company that operates the second-largest pharmacy store chain in the United States. Stellantis (๐Ÿ‡ณ๐Ÿ‡ฑ): A multinational automotive manufacturing corporation. McDonaldโ€™s (๐Ÿ‡บ๐Ÿ‡ธ): A multinational fast food chain. KFC (๐Ÿ‡บ๐Ÿ‡ธ): A fast food restaurant chain that specializes in fried chicken. ASICS (๐Ÿ‡ฏ๐Ÿ‡ต): A Japanese multinational corporation which produces sportswear. GAP, INC. (๐Ÿ‡บ๐Ÿ‡ธ): A worldwide clothing and accessories retailer. HMH (hmhco.com) (๐Ÿ‡บ๐Ÿ‡ธ): A publisher of textbooks, instructional technology materials, and assessments. Fujifilm (๐Ÿ‡ฏ๐Ÿ‡ต): A multinational photography and imaging company. Instructure.com โ€“ Canvas (๐Ÿ‡บ๐Ÿ‡ธ): An educational technology company. Albertsons (Jewel Osco, etc) (๐Ÿ‡บ๐Ÿ‡ธ): An American grocery company. Engie Resources (Plymouth) (๐Ÿ‡บ๐Ÿ‡ธ): A retail electricity provider. Kering (๐Ÿ‡ซ๐Ÿ‡ท): A global luxury group that manages brands like Gucci, Balenciaga, and Brioni. HBO Max (๐Ÿ‡บ๐Ÿ‡ธ): A subscription video on-demand service. Instacart (๐Ÿ‡บ๐Ÿ‡ธ): A grocery delivery and pick-up service. Petco (๐Ÿ‡บ๐Ÿ‡ธ): An American pet retailer. Puma (๐Ÿ‡ฉ๐Ÿ‡ช): A German multinational corporation that designs and manufactures athletic footwear and apparel. Cartier (๐Ÿ‡ซ๐Ÿ‡ท): A French luxury goods conglomerate. Adidas (๐Ÿ‡ฉ๐Ÿ‡ช): A multinational corporation that designs and manufactures shoes, clothing, and accessories. TripleA (aaa.com) (๐Ÿ‡บ๐Ÿ‡ธ): A federation of motor clubs throughout North America. Qantas Airways (๐Ÿ‡ฆ๐Ÿ‡บ): The flag carrier of Australia. CarMax (๐Ÿ‡บ๐Ÿ‡ธ): A used vehicle retailer. Saks Fifth (๐Ÿ‡บ๐Ÿ‡ธ): An American luxury department store chain. 1-800Accountant (๐Ÿ‡บ๐Ÿ‡ธ): A nationwide accounting firm. Air France & KLM (๐Ÿ‡ซ๐Ÿ‡ท/๐Ÿ‡ณ๐Ÿ‡ฑ): A major European airline partnership. Google Adsense (๐Ÿ‡บ๐Ÿ‡ธ): A program run by Google through which website publishers serve advertisements. Cisco (๐Ÿ‡บ๐Ÿ‡ธ): A multinational digital communications technology conglomerate. Pandora.net (๐Ÿ‡ฉ๐Ÿ‡ฐ): A Danish jewelry manufacturer and retailer. TransUnion (๐Ÿ‡บ๐Ÿ‡ธ): An American consumer credit reporting agency. Chanel (๐Ÿ‡ซ๐Ÿ‡ท): A French luxury fashion house. IKEA (๐Ÿ‡ธ๐Ÿ‡ช): A Swedish-founded multinational group that designs and sells ready-to-assemble furniture. According to the actor, the breach involves nearly 1 billion records from Salesforce and its clients. The allegedly compromised data includes: Sensitive Personally Identifiable Information (PII) Strategic business records that could impact market position Data from over 100 other demand instances hosted on Salesforce infrastructure
#dailydarkweb.net#EN#2025#data-breach#extortion#Salesforce#Scattered#Lapsus$#Hunters#scattered-spiderShinyHunters#supply-chain-attack#vishing
ยทdailydarkweb.netยท
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
Hackers leak Allianz Life data stolen in Salesforce attacks
Hackers leak Allianz Life data stolen in Salesforce attacks
bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks. Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th. While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group. Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches. Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase. One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances. These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors. The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications. BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database. BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing. The Salesforce data-theft attacks The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks. While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider. However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested. Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses. Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
#bleepingcomputer.com#EN#2025#llianz-Life#Data-Breach#Lapsus$#Personal-Information#Salesforce#Scattered-Spider#ShinyHunters
ยทbleepingcomputer.comยท
Hackers leak Allianz Life data stolen in Salesforce attacks