Cybercriminals claiming ties to the “LAPSUS$” hacking group say they have stolen nearly 1 billion records from companies that use Salesforce, exposing vast amounts of personally identifiable information.
In a message to Reuters, the group, calling itself “Scattered LAPSUS$ Hunters,” insists it did not breach Salesforce’s internal systems.
Rather than directly exploiting Salesforce, its members say they targeted clients using the platform by deploying “vishing” attacks – voice phishing techniques in which attackers impersonate employees or technical staff and trick helpdesk workers into granting access.
They also claim to have used modified versions of Salesforce’s Data Loader tool to siphon data from compromised environments.
Salesforce has stated that there is “no indication the Salesforce platform has been compromised” and that the claims “do not appear tied to any known vulnerability in our technology.”
The company says it is working with affected customers to provide support and is investigating the extortion attempts.
The hackers published a dark-web leak site listing around 40 companies they claimed to have breached, though it remains unclear whether all are actual Salesforce users.
Law enforcement in the U.K. previously arrested four individuals under age 21 in connection with earlier attacks on British retailers, and cybersecurity researchers believe this operation may be tied to a wider criminal ecosystem known as “The Com.”
John Hultquist, an analyst at Google’s cybersecurity arm, warned earlier this year that US retailers are now facing cyberattacks involving ransomware and extortion tactics, similar to what UK businesses have just been contending with.
Says Google in a recent blog post,
“After shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media.”
Follow us on X, Facebook and TelegramGenerated Image: Midjourney