
Cybercriminals linked to a wave of ransomware incidents targeting British retailers have claimed responsibility for stealing almost one billion records from US cloud technology giant Salesforce. The group, calling itself Scattered LAPSUS$ Hunters, told Reuters on Friday that it had obtained vast troves of personal information by exploiting companies that rely on Salesforce software.
Who are the hackers?
The group, an apparent offshoot of the wider LAPSUS$ cybercrime network, said it was behind breaches at Marks & Spencer, the Co-op and Jaguar Land Rover earlier this year. Security experts say it is tracked under the designation UNC6040 by Google’s Threat Intelligence Group, which has previously warned of its social-engineering tactics.
How the data was allegedly stolen
Salesforce denied its systems had been compromised. Instead, one hacker, who identified themselves as “Shiny,” said the operation used vishing (voice-phishing calls to IT help desks) to trick employees of Salesforce customers. In some cases, attackers reportedly persuaded staff to install a tampered version of Salesforce’s Data Loader tool, allowing bulk extraction of information.
What was leaked?
On Friday, Scattered LAPSUS$ Hunters launched a dark web leak site listing around 40 organisations it claimed to have breached. The authenticity of the alleged billion-record haul remains unverified, and it is unclear whether all of the companies cited are Salesforce clients.
Salesforce’s response
A Salesforce spokesperson insisted there was “no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” The firm declined to confirm whether ransom talks had taken place.
Links to broader cybercrime networks
According to Google researchers, the group’s infrastructure overlaps with “The Com,” a loosely organised cybercriminal ecosystem notorious for smaller cells engaging not only in data theft but also in violent activity.
Police investigations underway
In July, British police arrested four people under the age of 21 as part of a probe into the retail cyberattacks. Law enforcement has not confirmed whether those arrests are tied to the latest claims.
(With inputs from Reuters)