A group of cybercriminals calling itself “Scattered LAPSUS$ Hunters” has claimed responsibility for stealing nearly 1 billion records tied to Salesforce software users, raising serious concerns about the security of customer data managed through the cloud giant’s platforms. The group made the claim via a dark web portal on Friday, saying the data includes personally identifiable information (PII) from companies that use Salesforce’s tools.
While Salesforce has denied that its own systems were compromised, the attackers appear to have targeted its customers through a method known as “vishing” — a form of voice phishing in which hackers impersonate employees to deceive IT help desks. In a statement to Reuters, a Salesforce spokesperson clarified: “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Phishing and Malware Exploits Tied to Campaign
The hacking group reportedly employed a malicious version of Salesforce’s Data Loader tool to gain unauthorized access. According to Google’s Threat Intelligence Group, the attackers — also tracked as “UNC6040” — tricked employees into installing the tampered tool, allowing deep infiltration into customer environments.
Security experts have linked the group’s technical infrastructure to the loosely organized cybercriminal ecosystem known as “The Com,” notorious for engaging in both digital fraud and physical intimidation.
A Pattern of Retail-Focused Attacks
Scattered LAPSUS$ Hunters has also claimed responsibility for recent cyberattacks on major UK retailers including Marks & Spencer, Co-op, and Jaguar Land Rover. In those cases, the fallout was substantial — M&S reportedly suffered hundreds of millions in losses, while Jaguar Land Rover faced a month-long production halt.
A leak site associated with the group listed over 40 companies allegedly breached, though it remains unclear how many of them are connected to Salesforce.
Global Law Enforcement on Alert
The UK’s Metropolitan Police previously arrested four individuals under the age of 21 in July 2025 as part of an investigation into attacks on British retailers. These developments underscore the increasing threat posed by decentralized cybercriminal groups leveraging phishing, malware, and social engineering at scale.
While Salesforce maintains that its core systems remain uncompromised, the breach is a wake-up call for enterprise users to bolster defenses not just within platforms but across their entire employee ecosystem.
