A notorious hacker collective, previously known under names like Lapsus$, Scattered Spider, and ShinyHunters, has launched a new extortion website threatening to release about a billion records allegedly stolen from cloud databases hosted by Salesforce.
The site, called Scattered LAPSUS$ Hunters, was first spotted by threat intelligence researchers on Friday and reviewed by TechCrunch. It pressures victims to pay up or risk having their stolen data exposed online.
“Contact us to regain control on data governance and prevent public disclosure of your data,” the hackers wrote. “Do not be the next headline.”
Over recent weeks, the group has claimed responsibility for a wave of data breaches targeting Salesforce-hosted databases, allegedly compromising dozens of major companies. Confirmed victims include:
- Allianz Life
- Google
- Kering (luxury fashion conglomerate)
- Qantas (airline)
- Stellantis (carmaker)
- TransUnion (credit bureau)
- Workday (employee management platform)
The leak site also lists FedEx, Hulu, and Toyota Motors as victims, though those companies have not confirmed the breaches.
At the top of the site, the hackers explicitly name Salesforce, demanding ransom negotiations and threatening to leak “all your customers [sic] data” if the company does not comply. Salesforce has not yet commented on the situation.
Related: Salesforce Launches Missionforce to Bring AI Into U.S. Defense Workflows
Security researchers have long speculated that the group, which has previously avoided running a public leak site, was preparing such a move. Traditionally, ransomware gangs (often Russian-speaking) pioneered this model, shifting from encrypting data and demanding private payment to threatening public data leaks.
The development signals an escalation in tactics by English-speaking hacker groups, potentially exposing billions of sensitive records if no agreements are reached.
