'Retired' cybercrime group demands $989M not to leak 1B Salesforce records


Despite multiple arrests and talk of retirement, a crew now calling itself Scattered LAPSUS$ Hunters has reemerged with a data-leak site listing about 40 companies' Salesforce environments, and is demanding $989.45 million to prevent what it claims is about 1 billion stolen records from being published online.

The gang set an October 10 deadline for Salesforce to negotiate a payment, "or all your customers' data will be leaked."

When asked about the criminals' claims, a Salesforce spokesperson directed The Register to the company's Thursday security advisory.

"We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," the advisory said.

"Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," it continued. "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology."

In August, a campaign abusing OAuth tokens via Salesloft's Drift integration came to light, allowing attackers to access numerous companies' Salesforce instances - Cloudflare says the compromise hit "hundreds" of organizations - and steal customer data.  

Google Threat Intelligence Group later confirmed the attacks, while Salesloft brought in Chocolate Factory's Mandiant incident response team to investigate the Drift campaign.

Prior to the leak site going live on Friday, Google and Salesforce notified organizations believed to be affected.

Google, in an August 8 update about the Salesforce intrusions, warned organizations that ShinyHunters was preparing to launch a data leak site.

"These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches," Google said at the time. 

That same day, Scattered Spider, ShinyHunters, and Lapsus$ claimed they were now working together via a short-lived "Scattered LAPSUS$ Hunters" Telegram channel that disappeared by the following Monday. 

By mid-September, however, Scattered Spider and Lapsus$ said they were going dark, and, instead of extortion, wanted to "enjoy our golden parachutes with the millions the group accumulated."

Days later, two UK teens were charged with offenses related to the cyberattack on Transport for London (TfL) in August 2024 and were accused by both US and UK law enforcement of being Scattered Spider members.

A third teen turned himself in to Las Vegas police on September 17 and was booked on suspicion of multiple Las Vegas casino hacks in 2023, as part of a series of hacks attributed to Scattered Spider.

When contacted by The Register, the "SLH/SLSH Press Newsroom" declined to answer specific questions except one about why the crew rolled out a new leak site after pledging to go dark: "Yes it does have something to do with recent arrests, no further elaboration will be commented on." ®
