Found 4 bookmarks
Custom sorting
ShinyHunters launches Salesforce data leak site to extort 39 victims
ShinyHunters launches Salesforce data leak site to extort 39 victims
bleepingcomputer.com By Sergiu Gatlan October 3, 2025 An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached. The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA. "All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer. "We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site. The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked. "Should you comply, we will withdraw from any active or pending negotiation indiviually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added. The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
#bleepingcomputer.com#EN#2025#Breach#Data-Breach#Leak#Salesforce#Scattered-Lapsus$-Hunters#ShinyHunters
·bleepingcomputer.com·
ShinyHunters launches Salesforce data leak site to extort 39 victims
Google confirms fraudulent account created in law enforcement portal
Google confirms fraudulent account created in law enforcement portal
Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer. "No requests were made with this fraudulent account, and no data was accessed." The FBI declined to comment on the threat actor's claims. This statement comes after a group of threat actors calling itself "Scattered Lapsus$ Hunters" claimed on Telegram to have gained access to both Google's LERS portal and the FBI's eCheck background check system. The group posted screenshots of their alleged access shortly after announcing on Thursday that they were "going dark." The hackers' claims raised concerns as both LERS and the FBI's eCheck system are used by police and intelligence agencies worldwide to submit subpoenas, court orders, and emergency disclosure requests. Unauthorized access could allow attackers to impersonate law enforcement and gain access to sensitive user data that should normally be protected. The "Scattered Lapsus$ Hunters" group, which claims to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, is behind widespread data theft attacks targeting Salesforce data this year. The threat actors initially utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, which was then used to steal data and extort companies. The threat actors later breached Salesloft's GitHub repository and used Trufflehog to scan for secrets exposed in the private source code. This allowed them to find authentication tokens for Salesloft Drift, which were used to conduct further Salesforce data theft attacks. These attacks have impacted many companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, Palo Alto Networks, and many more. Google Threat Intelligence (Mandiant) has been a thorn in the side of these threat actors, being the first to disclose the Salesforce and Salesloft attacks and warning companies to shore up their defenses. Since then, the threat actors have been taunting the FBI, Google, Mandiant, and security researchers in posts to various Telegram channels. Late Thursday night, the group posted a lengthy message to a BreachForums-linked domain causing some to believe the threat actors were retiring. "This is why we have decided that silence will now be our strength," wrote the threat actors. "You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active." However, cybersecurity researchers who spoke with BleepingComputer believe the group will continue conducting attacks quietly despite their claims of going dark. Update 9/15/25: Article title updated as some felt it indicated a breach.
#bleepingcomputer.com#EN#2025#Data-Request#Extortion#FBI#Google#Lapsus$#Scattered-Spider#ShinyHunters
·bleepingcomputer.com·
Google confirms fraudulent account created in law enforcement portal
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
bleepingcomputer.com By Lawrence Abrams August 25, 2025 - U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks. Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide. The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities." The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year. BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response. The Salesforce data theft attacks Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
#bleepingcomputer.com#EN#2025#Data-Breach#Data-Theft#Farmers-Insurance#Insurance#Salesforce#ShinyHunters
·bleepingcomputer.com·
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Hackers leak Allianz Life data stolen in Salesforce attacks
Hackers leak Allianz Life data stolen in Salesforce attacks
bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks. Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th. While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group. Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches. Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase. One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances. These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors. The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications. BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database. BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing. The Salesforce data-theft attacks The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks. While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider. However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same. "Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake." It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested. Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses. Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
#bleepingcomputer.com#EN#2025#llianz-Life#Data-Breach#Lapsus$#Personal-Information#Salesforce#Scattered-Spider#ShinyHunters
·bleepingcomputer.com·
Hackers leak Allianz Life data stolen in Salesforce attacks