Earlier this year, a team-up of some of the most infamous hacking groups claimed to have conducted a Salesforce data breach, stealing nearly 1 billion records from major global companies. The group, known as Scattered Lapsus$ Hunters, has now launched a website to ransom victims of the data breach. Some of these victims are major tech firms, like Cloudflare, Zscaler, Google, and Workday.

Threat actors have launched a website to extort Salesforce data breach victims

The loosely organized collective, which draws on members of Lapsus$, Scattered Spider, and ShinyHunters, has published a Salesforce data breach leak site on the dark web. The site seeks to pressure victims of the breach into paying the attackers to prevent their sensitive data from being posted online. Scattered Lapsus$ Hunters’ site names several alleged victims, including FedEx, Hulu, and Toyota Motors.

Notably, some of the largest firms, including Google, Allianz Life, Kering, Qantas, Stellantis, TransUnion, and Workday, have confirmed that hackers stole sensitive information during the Salesforce data breach. Currently, no information has emerged about whether the companies listed on the website have paid a ransom to the attackers to prevent the publication of their data online.

“Contact us to regain control of data governance and prevent public disclosure of your data,” reads the site. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”

[Image: screenshot of the Salesforce data breach extortion site]

Salesforce says its platform remains uncompromised

Salesforce states that the breach did not stem from a compromise of its platform; it resulted from social engineering attacks targeting Salesforce customers. Salesforce further stated that the data theft is not tied to any known vulnerability in its products. The firm declined to say whether ransom talks had taken place with the threat actors.

A large part of the incident traced back to a compromise of a third-party application, the Salesloft Drift integration. Attackers breached that integration and stole the OAuth access and refresh tokens it held for connected Salesforce customers. Those tokens grant API access to every Salesforce instance the app was authorized against, and an OAuth bearer token is accepted on its own, so the attackers needed no password or MFA code to pull data from the customers who had installed the integration.
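The practical lesson for defenders is that a stolen integration token looks like the integration itself, so detection has to key on behaviour rather than on credentials. The script below is an added example, not code from the article or from Salesforce or Salesloft; it hunts for two signs of token abuse in a simplified, constructed API-event log (the CSV columns, the `chat_integration` app name, the egress ranges and the row threshold are all assumptions, and the addresses are TEST-NET ranges, not real traffic): a connected app's token used from an IP outside that app's known egress ranges, and a token pulling an unusually large number of rows within a one-hour window.

```python
"""Hunt for abuse of a stolen connected-app OAuth token in Salesforce-style API logs.

Added example, not from the article. The log format is a constructed, simplified
stand-in for an API-event export (the columns are assumed, not a real schema).
Rules:
  1. an integration's token used from an IP outside its known egress ranges
  2. a token pulling more rows than expected inside a sliding one-hour window
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: known egress ranges per legitimate integration (hypothetical values).
KNOWN_EGRESS = {
    "chat_integration": [ipaddress.ip_network("203.0.113.0/24")],
}
ROW_THRESHOLD = 50_000          # rows per app per window; tune to your baseline
WINDOW = timedelta(hours=1)

# Constructed sample log; TEST-NET addresses, not real traffic.
SAMPLE_LOG = """\
timestamp,connected_app,user,client_ip,operation,sobject,rows
2025-08-08T02:00:00Z,chat_integration,integ@corp.example,203.0.113.10,Query,Contact,120
2025-08-08T02:05:00Z,chat_integration,integ@corp.example,203.0.113.10,Query,Lead,80
2025-08-08T03:10:00Z,chat_integration,integ@corp.example,198.51.100.77,Query,Account,30000
2025-08-08T03:12:00Z,chat_integration,integ@corp.example,198.51.100.77,Query,Contact,45000
2025-08-08T03:15:00Z,chat_integration,integ@corp.example,198.51.100.77,Query,Case,25000
2025-08-08T03:40:00Z,reporting_app,ops@corp.example,192.0.2.5,Query,Opportunity,200
"""


def parse_log(text):
    """Parse the CSV export into dicts with typed timestamp, IP and row count."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["client_ip"] = ipaddress.ip_address(rec["client_ip"])
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def outside_known_egress(rec):
    """Rule 1: token used from an address the integration never calls from."""
    nets = KNOWN_EGRESS.get(rec["connected_app"])
    if nets is None:
        return False  # no baseline for this app; rule 2 still applies to it
    return not any(rec["client_ip"] in n for n in nets)


def bulk_export_windows(records):
    """Rule 2: return (app, window_start, total_rows) for the first one-hour
    sliding window per app whose row total exceeds ROW_THRESHOLD."""
    by_app = defaultdict(list)
    for r in sorted(records, key=lambda r: r["timestamp"]):
        by_app[r["connected_app"]].append(r)
    hits = []
    for app, recs in by_app.items():
        start, total = 0, 0
        for end, r in enumerate(recs):
            total += r["rows"]
            # Slide the window start forward until it spans at most WINDOW.
            while recs[end]["timestamp"] - recs[start]["timestamp"] > WINDOW:
                total -= recs[start]["rows"]
                start += 1
            if total > ROW_THRESHOLD:
                hits.append((app, recs[start]["timestamp"], total))
                break  # one alert per app is enough for triage
    return hits


def analyze(text):
    """Run both rules and return a de-duplicated list of alert tuples."""
    records = parse_log(text)
    alerts, seen = [], set()
    for r in records:
        key = (r["connected_app"], str(r["client_ip"]))
        if outside_known_egress(r) and key not in seen:
            seen.add(key)
            alerts.append(("unexpected_source_ip",) + key)
    for app, _start, total in bulk_export_windows(records):
        alerts.append(("bulk_export", app, total))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On a hit, the response is to revoke the integration's refresh tokens and re-authorize it from a clean state, not merely to block the source IP; a stolen refresh token keeps minting new access tokens until it is revoked.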

At the time of writing, the hackers list 39 companies on their site as affected by the breach. They have given the victims a deadline of October 10 to make contact and “prevent public disclosure” of their data.