A notorious hacking collective known as ShinyHunters has launched a dark web extortion site, threatening to release roughly one billion customer records stolen from companies using Salesforce's cloud databases. The brazen move marks a dangerous escalation in enterprise cybersecurity threats, with Fortune 500 companies like FedEx, Qantas, and TransUnion caught in the crosshairs.
The cybersecurity landscape just got significantly more dangerous. A loosely organized English-speaking hacking group that has operated under multiple aliases (Lapsus$, Scattered Spider, and ShinyHunters) has taken its extortion game public with a dedicated dark web leak site called 'Scattered LAPSUS$ Hunters.'
The site, discovered by threat intelligence researchers Friday and verified by TechCrunch, reads like a corporate negotiation gone rogue: 'Contact us to regain control on data governance and prevent public disclosure of your data. Do not be the next headline. All communications demand strict verification and will be handled with discretion.'
What makes this particularly alarming is the scope. Over recent weeks, the group has systematically breached dozens of high-profile companies by exploiting their Salesforce cloud database configurations. The victim list reads like a Fortune 500 directory: insurance giant Allianz Life, tech behemoth Google, luxury conglomerate Kering, airline Qantas, automaker Stellantis, credit bureau TransUnion, and HR platform Workday.
But the hackers aren't stopping there. Their leak site also names FedEx, Hulu (owned by Disney), and Toyota Motors as additional targets, none of which responded to requests for comment Friday.
The most brazen element? The hackers are directly targeting Salesforce itself. At the top of their extortion site, they demand the cloud giant negotiate a ransom, threatening that otherwise 'all your customers data will be leaked.' The aggressive tone suggests Salesforce hasn't engaged with the group's demands.
Salesforce representatives didn't respond to multiple requests for comment about the breach or the hackers' ultimatum.
This represents a fundamental shift in cybercrime tactics. Historically, such public extortion sites were the domain of Russian-speaking ransomware cartels that operated in the shadows. But this English-speaking group is borrowing pages from that playbook while targeting the enterprise cloud infrastructure that powers modern business.