ShinyHunters Unleashes Salesforce Data Leak Site, Targets 39 Victims for Extortion

A criminal group has created a new data leak website to publicly pressure dozens of companies affected by recent Salesforce breaches, releasing samples of the stolen data from these attacks.

The hacking collective known as Scattered Lapsus$ Hunters is believed to have formed through the merger of three well-known cybercrime groups. They openly brag about their attacks on platforms like Telegram, where they post evidence and taunt their victims. This group operates within a wider network of cybercriminal organisations connected to or overlapping with others like Lapsus$ and Scattered Spider, both infamous for high-profile security breaches.

Recently, the “Trinity of Chaos”, a ransomware collective reportedly linked to the Lapsus$, Scattered Spider, and ShinyHunters groups, launched a new data leak site that lists 39 companies affected by the attacks. Each entry includes samples of data allegedly stolen from victims’ Salesforce instances and urges the victims to contact the group to “prevent public disclosure” before the October 10 deadline.

The companies targeted for extortion on the data leak site include a range of prominent brands and organisations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.

“We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter,” the group warned on its leak site.

The hacking group recently claimed responsibility for a significant cyberattack on Jaguar Land Rover that forced the company to shut down multiple critical systems, severely disrupting its production and retail operations.

The group also shared screenshots on their Telegram channel as proof of the breach, displaying internal instructions and computer logs from Jaguar Land Rover’s IT systems. However, they did not confirm whether any files were stolen or malware was deployed. Jaguar Land Rover stated that, based on the information available so far, there is no evidence of customer data being compromised, and the investigation is still ongoing.