06/10/2025
Cyber Gang Relaunches as Scattered LAPSUS$ Hunters, Targets Salesforce Users with $989 Million Extortion
The Threat: 1 Billion Customer Records at Risk
A notorious hacking collective has reemerged as Scattered LAPSUS$ Hunters, demanding a massive $989 million ransom from Salesforce users. The group claims to have breached systems of roughly 40 companies utilizing the CRM platform, putting an estimated one billion customer records at risk of public leak by the October 10th deadline.
The Attack: Tricking Users, Not Hacking the Platform
Salesforce insists its core platform has not been hacked. The attackers, linked to the group UNC6040, rely on sophisticated telephone social engineering ("vishing"). They trick legitimate users into authorizing a malicious third-party application, which grants them API access to customer data—bypassing security controls without exploiting technical vulnerabilities. This technique, which Google also observed in an attack on its own Salesforce instance, highlights the growing threat of human manipulation.
The Defense: Tightening Access Controls
This incident serves as a critical warning. Organizations must urgently tighten access controls and focus on user training. Key security recommendations include:
Mandatory Multi-Factor Authentication (MFA).
Strict auditing and control of connected apps.
Restricting user rights for powerful tools like Data Loader.
The return of this financially motivated cyber gang proves that vigilance against social engineering is non-negotiable.
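The connected-app audit recommended above can be automated. The following is an added example, not code from the article or from Salesforce: it checks a constructed export of app authorizations against an allowlist. The column names, app names, users and allowlist are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a Salesforce schema.
SAMPLE_EXPORT = """app_name,user,first_authorized,api_calls
Data Loader,alice@example.com,2025-03-02,120
Sales Dashboard,bob@example.com,2024-11-18,45
Unknown Sync Tool,carol@example.com,2025-10-01,9800
Unknown Sync Tool,dave@example.com,2025-10-02,15200
Data Loader,erin@example.com,2025-10-03,30
"""

# Hypothetical allowlist: app name -> users permitted to authorize it.
APPROVED = {
    "Data Loader": {"alice@example.com"},
    "Sales Dashboard": None,  # None = any user may authorize
}

def audit_connected_apps(export_text, approved, as_of, recent_days=14):
    """Return findings for app authorizations that fall outside the allowlist."""
    findings = []
    cutoff = as_of - timedelta(days=recent_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        app, user = row["app_name"].strip(), row["user"].strip().lower()
        authorized = datetime.strptime(row["first_authorized"], "%Y-%m-%d")
        if app not in approved:
            reason = "app not on allowlist"
        elif approved[app] is not None and user not in approved[app]:
            reason = "user not permitted for this app"
        else:
            continue
        findings.append({
            "app": app, "user": user, "reason": reason,
            "recent": authorized >= cutoff,
            "api_calls": int(row["api_calls"]),
        })
    # Recent authorizations with heavy API use come first for review.
    findings.sort(key=lambda f: (not f["recent"], -f["api_calls"]))
    return findings

if __name__ == "__main__":
    for f in audit_connected_apps(SAMPLE_EXPORT, APPROVED, datetime(2025, 10, 6)):
        print(f)
```

An app that is approved in general but authorized by a user outside its permitted set (the Data Loader row for erin) is reported separately from an app that is not approved at all.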