
Scattered LAPSUS$ Hunters Target Salesforce via Gainsight Supply Chain Attack

Tags: third-party-vendor-breach, vendor-distribution-compromise, underground-data-leak, cybercrime-service-ecosystem, insider-threat-incident
Updated March 21, 2026 at 03:17 PM. 2 sources.

The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH), an amalgamation of groups including Scattered Spider, LAPSUS$, and ShinyHunters, has intensified its campaign of data theft and extortion against major corporations. In November 2025, Salesforce detected unusual activity involving Gainsight-published applications, leading to the revocation of access tokens and removal of affected apps from its AppExchange. Salesforce determined that the incident was not due to a vulnerability in its platform, but rather unauthorized access to customer data through compromised app connections. The breach was traced back to a supply chain attack on Salesloft Drift in August 2025, which enabled attackers to obtain secrets used to access additional Salesforce instances. Gainsight confirmed that stolen OAuth tokens were used in the attack, and indicators of compromise were shared with affected customers.

SLSH has leveraged this access to threaten public data leaks and extort both Salesforce and its customers, with a new extortion portal listing dozens of victim companies, including Toyota, FedEx, Disney/Hulu, and UPS. The group has also escalated its tactics by openly recruiting insiders from large organizations, offering rewards for internal access to facilitate further breaches. Recent reports indicate that SLSH's activities are coordinated through Telegram channels, and the group has been linked to high-profile incidents involving both data theft and attempted insider recruitment. Security advisories and ongoing investigations highlight the persistent threat posed by SLSH and the importance of monitoring supply chain risks and insider threats.

Timeline

  1. Nov 26, 2025: Law enforcement scrutiny of SLSH and BreachForums becomes public
     Reporting indicated that the FBI had targeted BreachForums and was aware of SLSH's activities, highlighting ongoing law-enforcement attention to the group's ecosystem.

  2. Nov 26, 2025: Researchers identify 'Rey' as Saif Al-Din Khader
     Operational security mistakes exposed the identity of SLSH technical operator 'Rey,' who was identified as teenager Saif Al-Din Khader from Amman, Jordan.

  3. Nov 26, 2025: Plans emerge for Linux and ESXi versions of ShinySp1d3r
     Researchers reported that the group intends to expand ShinySp1d3r beyond Windows with planned Linux and ESXi variants, signaling broader targeting ambitions.

  4. Nov 26, 2025: SLSH launches ShinySp1d3r ransomware-as-a-service
     The alliance introduced its own ransomware-as-a-service operation, ShinySp1d3r, initially for Windows, after previously relying on other affiliates' ransomware tooling.

  5. Nov 26, 2025: SLSH threatens to leak stolen data unless ransoms are paid
     After obtaining victim data, SLSH warned organizations that stolen information would be published unless ransom demands were met.

  6. Nov 26, 2025: Bling Libra claims access to 285 more Salesforce instances
     The threat group Bling Libra, also known as ShinyHunters, claimed it had obtained access to 285 additional Salesforce instances, indicating broader compromise and follow-on extortion potential.

  7. Nov 26, 2025: Gainsight suspends SaaS connections as a precaution
     In response to the incident, Gainsight suspended connections to other SaaS platforms to limit further risk while the compromise was being addressed.

  8. Nov 26, 2025: Supply-chain breach traced to Salesloft Drift integration
     Investigation linked the Salesforce-related compromise to a supply-chain attack involving Salesloft Drift, expanding the scope beyond a direct single-platform intrusion.

  9. Nov 26, 2025: Salesforce detects unusual activity tied to Gainsight apps
     Salesforce identified unusual activity involving Gainsight-published applications, prompting revocation of tokens and customer notifications about the incident.

  10. Nov 26, 2025: Former CrowdStrike employee reportedly paid for internal access
      SLSH recently succeeded in paying a former CrowdStrike employee in exchange for internal access, marking a concrete insider-recruitment success for the group.

  11. Jan 1, 2025: SLSH begins recruiting corporate insiders across industries
      During 2025, the group actively sought insiders in sectors including retail and hospitality to facilitate intrusions and data theft.

  12. Jan 1, 2025: SLSH conducts 2025 extortion campaign against major companies
      Throughout 2025, SLSH used social engineering, including voice phishing, to compromise Salesforce portals and steal data from companies including Toyota, FedEx, Disney/Hulu, and UPS, threatening leaks unless ransoms were paid.

  13. Jan 1, 2025: SLSH resumes operations after a brief hiatus
      The Scattered LAPSUS$ Hunters alliance resumed activity in 2025, returning to data theft, extortion, and insider-recruitment operations against organizations.

Sources

Two reports, both dated November 26, 2025.

Related Stories

Scattered Lapsus$ Hunters Data Leaks and Threats Following Law Enforcement Action

The Scattered Lapsus$ Hunters (SLSH), a cybercrime collective formed from members of Scattered Spider, Lapsus$, and ShinyHunters, announced a temporary retreat from online activity after the FBI seized their clearweb site. The group, known for its Western and English-speaking membership, issued a series of aggressive messages on Telegram, vowing to retaliate against the FBI and promising a return in 2026. This announcement followed a period of heightened law enforcement scrutiny, including the arrest and charging of two teenagers in the UK for their alleged involvement in attacks attributed to Scattered Spider, a component of SLSH. The group has a history of dramatic exits and returns, having previously declared a hiatus only to reappear days later. SLSH has gained notoriety for targeting large organizations and for the scale of its operations.

In parallel with their public threats, the group claimed responsibility for a massive data breach affecting 39 major companies worldwide, exploiting a Salesforce vulnerability to steal 989 million records. They demanded negotiations with Salesforce and the affected firms, threatening to release the data if ignored. When their demands were unmet, SLSH published data allegedly belonging to six companies, including Qantas Airways, Vietnam Airlines, Fujifilm, GAP Inc., Engie Resources, and Albertsons Companies. The leaked datasets reportedly contain extensive personally identifiable information (PII), such as full names, addresses, passport numbers, phone numbers, email addresses, and, in the case of Qantas, detailed frequent flyer information and internal business data. The Qantas dataset alone is said to be 153 GB and includes over 5 million records. The authenticity of the data has been partially verified by independent analysis, though only the affected companies can fully confirm the breach.
The exposure of such sensitive information poses significant risks for identity theft, fraud, and targeted attacks against both individuals and organizations. The SLSH collective's actions have prompted calls for increased vigilance and improved cybersecurity measures among large enterprises, especially those using cloud-based platforms like Salesforce. Law enforcement agencies continue to investigate and pursue members of the group, while the cybersecurity community monitors for further developments and potential retaliatory actions promised by SLSH upon their return.

1 month ago

Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations

A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies.

Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities.

The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments.
The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.

1 month ago

Scattered LAPSUS$ Hunters Data Leaks from Salesforce Breaches

A hacking group known as Scattered LAPSUS$ Hunters publicly released data stolen from the Salesforce environments of multiple companies, including Qantas and Vietnam Airlines. The group had previously threatened to leak data unless Salesforce or the affected companies paid a ransom, but the deadline passed without payment, prompting the attackers to publish data from six of the 39 companies they claimed to have compromised. The initial leaks included data from Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources. Qantas received significant media attention due to a court injunction it obtained in an attempt to prevent the use or dissemination of the stolen data, but the injunction proved ineffective as the data was still widely distributed. The attackers used multiple platforms to share the stolen information, including an onion site, a clearnet forum, and a new clearnet leak site, making the data accessible to a broad audience.

For Vietnam Airlines, the breach resulted in the exposure of 7.5 million unique customer email addresses, along with names, phone numbers, dates of birth, and loyalty program membership numbers. The breach of Vietnam Airlines' Salesforce environment reportedly occurred in June 2025, but the data was not publicly released until October. The group’s leak strategy included charging for access to the data on some platforms, while later making it freely available on others.

Despite initial claims of a massive leak affecting 39 companies, only six organizations' data was actually released, leading to speculation about the group’s motives and capabilities. The attackers communicated with followers via Telegram, providing updates and alternative download links when their primary leak site experienced technical issues. The incident highlighted the limitations of legal measures such as injunctions in preventing the spread of stolen data once it is in the hands of threat actors.
Media and security experts, including Troy Hunt, provided commentary on the situation, emphasizing the inevitability of the data’s release and the challenges faced by affected organizations. The breach underscores the risks associated with third-party cloud platforms like Salesforce and the importance of robust security controls and incident response plans. Companies affected by the breach were advised to notify impacted customers, recommend password changes, and implement additional security measures such as two-factor authentication. The event also demonstrated the evolving tactics of cybercriminal groups in monetizing and publicizing stolen data, as well as the ongoing threat posed by supply chain and third-party breaches.

1 month ago