Found 3 bookmarks
Custom sorting
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
  • Daily Dark Web - dailydarkweb.net October 3, 2025 The newly formed cybercrime alliance, “Scattered LAPSUS$ Hunters,” has launched a new website detailing its claims of a massive data breach affecting Salesforce and its extensive customer base. This development is the latest move by the group, a notorious collaboration between members of the established threat actor crews ShinyHunters, Scattered Spider, and LAPSUS$. On their new site, the group is extorting Salesforce directly, threatening to leak nearly one billion records with a ransom deadline of October 10, 2025. This situation stems from a widespread and coordinated campaign that targeted Salesforce customers throughout mid-2025. According to security researchers, the attacks did not exploit a vulnerability in Salesforce’s core platform. Instead, the threat actors, particularly those from the Scattered Spider group, employed sophisticated social engineering tactics. The primary method involved voice phishing (vishing), where attackers impersonated corporate IT or help desk staff in phone calls to employees of target companies. These employees were then manipulated into authorizing malicious third-party applications within their company’s Salesforce environment. This action granted the attackers persistent access tokens (OAuth), allowing them to bypass multi-factor authentication and exfiltrate vast amounts of data. The alliance has now consolidated the data from these numerous breaches for this large-scale extortion attempt against Salesforce itself. The website lists dozens of high-profile Salesforce customers allegedly compromised in the campaign. The list of alleged victims posted by the group includes: Toyota Motor Corporations (🇯🇵): A multinational automotive manufacturer. FedEx (🇺🇸): A global courier delivery services company. Disney/Hulu (🇺🇸): A multinational mass media and entertainment conglomerate. Republic Services (🇺🇸): An American waste disposal company. UPS (🇺🇸): A multinational shipping, receiving, and supply chain management company. Aeroméxico (🇲🇽): The flag carrier airline of Mexico. Home Depot (🇺🇸): The largest home improvement retailer in the United States. Marriott (🇺🇸): A multinational company that operates, franchises, and licenses lodging. Vietnam Airlines (🇻🇳): The flag carrier of Vietnam. Walgreens (🇺🇸): An American company that operates the second-largest pharmacy store chain in the United States. Stellantis (🇳🇱): A multinational automotive manufacturing corporation. McDonald’s (🇺🇸): A multinational fast food chain. KFC (🇺🇸): A fast food restaurant chain that specializes in fried chicken. ASICS (🇯🇵): A Japanese multinational corporation which produces sportswear. GAP, INC. (🇺🇸): A worldwide clothing and accessories retailer. HMH (hmhco.com) (🇺🇸): A publisher of textbooks, instructional technology materials, and assessments. Fujifilm (🇯🇵): A multinational photography and imaging company. Instructure.com – Canvas (🇺🇸): An educational technology company. Albertsons (Jewel Osco, etc) (🇺🇸): An American grocery company. Engie Resources (Plymouth) (🇺🇸): A retail electricity provider. Kering (🇫🇷): A global luxury group that manages brands like Gucci, Balenciaga, and Brioni. HBO Max (🇺🇸): A subscription video on-demand service. Instacart (🇺🇸): A grocery delivery and pick-up service. Petco (🇺🇸): An American pet retailer. Puma (🇩🇪): A German multinational corporation that designs and manufactures athletic footwear and apparel. Cartier (🇫🇷): A French luxury goods conglomerate. Adidas (🇩🇪): A multinational corporation that designs and manufactures shoes, clothing, and accessories. TripleA (aaa.com) (🇺🇸): A federation of motor clubs throughout North America. Qantas Airways (🇦🇺): The flag carrier of Australia. CarMax (🇺🇸): A used vehicle retailer. Saks Fifth (🇺🇸): An American luxury department store chain. 1-800Accountant (🇺🇸): A nationwide accounting firm. Air France & KLM (🇫🇷/🇳🇱): A major European airline partnership. Google Adsense (🇺🇸): A program run by Google through which website publishers serve advertisements. Cisco (🇺🇸): A multinational digital communications technology conglomerate. Pandora.net (🇩🇰): A Danish jewelry manufacturer and retailer. TransUnion (🇺🇸): An American consumer credit reporting agency. Chanel (🇫🇷): A French luxury fashion house. IKEA (🇸🇪): A Swedish-founded multinational group that designs and sells ready-to-assemble furniture. According to the actor, the breach involves nearly 1 billion records from Salesforce and its clients. The allegedly compromised data includes: Sensitive Personally Identifiable Information (PII) Strategic business records that could impact market position Data from over 100 other demand instances hosted on Salesforce infrastructure
#dailydarkweb.net#EN#2025#data-breach#extortion#Salesforce#Scattered#Lapsus$#Hunters#scattered-spiderShinyHunters#supply-chain-attack#vishing
·dailydarkweb.net·
Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
Cloudflare hit by data breach in Salesloft Drift supply chain attack
Cloudflare hit by data breach in Salesloft Drift supply chain attack
bleepingcomputer.com By Sergiu Gatlan September 2, 2025 Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week. The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens. Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens. "Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said. "Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel." The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9. These exfiltrated case objects contained only text-based data, including: The subject line of the Salesforce case The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare) Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country) "We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added. "Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations." Wave of Salesforce data breaches Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims. Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them. Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments. The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services. The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.
#bleepingcomputer.com#EN#2025#Breach#Cloudflare#Data-Breach#Salesforce#Salesloft#Salesloft-Drift#Supply-Chain-Attack
·bleepingcomputer.com·
Cloudflare hit by data breach in Salesloft Drift supply chain attack
Salesloft Drift Supply Chain Incident: Key Details and Zscaler’s
Salesloft Drift Supply Chain Incident: Key Details and Zscaler’s
zscaler.com August 30, 2025 Zscaler swiftly mitigates a security incident impacting Salesloft Drift, and ensuring robust protection against potential vulnerabilities. At Zscaler, protecting your data and maintaining transparency are core to our mission to secure, simplify and accelerate businesses transformation. We are committed to keeping you informed about key developments that may impact your organization. What Happened? Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. This incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information. The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure. As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information. What Information May Be Affected? The information accessed was limited to commonly available business contact details for points of contact and specific Salesforce related content, including: Names Business email addresses Job titles Phone numbers Regional/location details Zscaler product licensing and commercial information Plain text content from certain support cases [this does NOT include attachments, files, and images] After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information. If anything changes, we will provide further communications and updates. What Did Zscaler Do? Zscaler acted swiftly to address the incident and mitigate risks. Steps taken include: Revoking Salesloft Drift’s access to Zscaler’s Salesforce data Out of an abundance of caution, rotating other API access tokens. Launching a detailed investigation into the scope of the event, working closely with Salesforce to assess and understand impacts as they continue investigating. Implementing additional safeguards and strengthening protocols to defend against similar incidents in the future. Immediately launched a third party risk management investigation for third party vendors used by Zscaler. Zscaler Customer Support team has further strengthened customer authentication protocol when responding to customer calls to safeguard against potential phishing attacks. What You Can Do Although the incident’s scope remains limited (as stated above) and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Always verify the source of communication and never disclose passwords or financial data via unofficial channels. Zscaler Support will never request authentication or authorization details through unsolicited outreach, including phone calls or SMS. All official Zscaler communications come from trusted Zscaler channels. Please exercise caution and report any suspicious phishing activity to security@zscaler.com.
#zscaler.com#EN#2025#SalesloftDrift#Supply-Chain-attack#Salesloft#Zscaler#Data-Breach
·zscaler.com·
Salesloft Drift Supply Chain Incident: Key Details and Zscaler’s