Almost 1 Billion Records Reportedly Compromised from Salesforce Systems

A clandestine hacking group operating under the name Scattered LAPSUS$ Hunters has reportedly breached the global cloud service provider Salesforce, claiming to have compromised nearly one billion customer records. This revelation heightens concerns about the increasing prevalence of supply chain attacks targeting major corporations.

Despite Salesforce’s firm denial of any compromise within its systems, the hackers allege that they accessed Salesforce’s infrastructure by exploiting vulnerabilities in third-party retail companies using its software. Notable firms such as Marks & Spencer, Co-op, and Jaguar Land Rover have already faced ransomware attacks this year, raising critical questions about overall security practices within these organizations.

Salesforce Denial and Attack Methodology

In a statement provided to Reuters, Salesforce reassured stakeholders that its infrastructure remains intact, emphasizing, “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Reports indicate that the attackers used “vishing” tactics—voice phishing aimed at IT help desk personnel—to persuade employees to grant unauthorized access to Salesforce-related environments. They allegedly abused Salesforce’s proprietary Data Loader tool: a modified version, once deployed on compromised systems, was used to extract large amounts of sensitive data in bulk.
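The detection angle on the methodology described above is unusual bulk-export volume from a connected app the organization never approved. The following is an added example (not code from the article, Salesforce, or any of the companies named): a small Python check over constructed, simplified event-log lines whose column names are assumptions loosely modelled on Salesforce event-log style fields, flagging users whose bulk API activity comes from an unapproved client or exceeds a row threshold.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log lines (not real telemetry); column names are assumed.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ROWS_PROCESSED,ENTITY_NAME
BulkApi,2025-10-03T09:01:00Z,005A1,Approved Integration,1500,Account
BulkApi,2025-10-03T09:05:00Z,005A1,Approved Integration,2000,Contact
BulkApi,2025-10-03T21:14:00Z,005B2,My Ticket Portal,450000,Contact
BulkApi,2025-10-03T21:20:00Z,005B2,My Ticket Portal,380000,Account
BulkApi,2025-10-03T21:31:00Z,005B2,My Ticket Portal,120000,Lead
"""

# Connected-app names the organization has approved for bulk operations (assumed).
APPROVED_BULK_CLIENTS = {"Approved Integration"}


def flag_bulk_exports(log_text, approved_clients, row_threshold=100_000):
    """Aggregate bulk API rows per (user, client) and return findings for pairs
    that use a client outside the approved set or exceed row_threshold rows."""
    totals = defaultdict(int)
    entities = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        if row["EVENT_TYPE"] != "BulkApi":
            continue  # only bulk-export style events matter for this check
        key = (row["USER_ID"], row["CLIENT_NAME"])
        totals[key] += int(row["ROWS_PROCESSED"])
        entities[key].add(row["ENTITY_NAME"])

    findings = []
    for key, rows in sorted(totals.items()):
        user, client = key
        reasons = []
        if client not in approved_clients:
            reasons.append("unapproved connected app")
        if rows > row_threshold:
            reasons.append(f"{rows} rows exceeds threshold {row_threshold}")
        if reasons:
            findings.append({"user": user, "client": client, "rows": rows,
                             "objects": sorted(entities[key]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_bulk_exports(SAMPLE_LOG, APPROVED_BULK_CLIENTS):
        print(finding)
```

In practice the approved-client set and threshold should come from the organization's own inventory of connected apps and its normal export volumes, so that a legitimate integration is not flagged while a newly authorized app pulling whole objects is.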

Dark Web Claims and Data Concerns

This past Friday, Scattered LAPSUS$ Hunters launched a dark web portal disclosing approximately 40 companies they claim to have infiltrated. Interestingly, the group has not issued any ransom demands, and both Salesforce and the hackers have refrained from confirming any ongoing negotiations.

The implications of this data leak raise significant concerns about the potential exposure of personally identifiable information (PII) belonging to millions of customers. Security experts emphasize that access to such records could facilitate identity theft, fraud, and large-scale phishing endeavors.

Connections to Broader Cybercriminal Networks

Google’s Threat Intelligence Group (GTIG) is monitoring the group under the codename “UNC6040,” highlighting their skill in manipulating employees into compromising their own networks. Investigators note that the group’s operational infrastructure bears similarities to networks associated with “The Com,” a loosely organized cybercriminal collective known for various fraudulent activities, including some instances of violent crime.

The context for these developments is further complicated by recent arrests in the UK, where four individuals under the age of 21 were taken into custody for their involvement in ransomware incidents affecting British retailers. Despite these apprehensions, authorities suggest that this group remains active, emphasizing the decentralized structure characteristic of modern cybercrime syndicates.

Wider Implications for the Retail Sector

Cybersecurity analysts argue that the accusations levied against Salesforce point to a more extensive vulnerability within multinational corporations’ dependence on third-party cloud services. By targeting end-users instead of directly assaulting vendors, attackers can circumvent sophisticated security barriers that protect cloud platforms.

Retailers, which typically house substantial amounts of consumer and payment data, continue to be particularly appealing targets for cybercriminals. Experts note that without robust authentication mechanisms, comprehensive employee training, and effective incident response strategies, issues like vishing and data exfiltration will likely escalate.

Overall, the purported theft of one billion records from Salesforce represents one of the most audacious claims made by the Scattered LAPSUS$ Hunters. While Salesforce maintains that its systems are secure, this incident underscores the ongoing threats posed by social engineering and third-party attacks in an era where cloud platforms are fundamental to global commerce.
