Hacking group claims theft of one billion Salesforce records

Salesforce denies compromise as gang demands just under $1bn in ransom

Scattered Lapsus$ Hunters claims to have stolen more than one billion Salesforce records just days after announcing their supposed retirement.

A hacking group connected to three other cybercrime gangs claims to have stolen more than one billion Salesforce records. It is demanding the payment of $989.45 million by 10 October in return for not publishing the records.

The cyber-extortion demand comes from a group called Scattered Lapsus$ Hunters, which is connected with the debilitating cyberattack on Jaguar Land Rover that shut down the company’s manufacturing facilities.

Salesforce, which was contacted by the group last week, published an advisory in response before news of the incident came out. It downplayed the severity of the attack.

“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.

“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

The claims by the group may be connected to earlier reports of attempts to take advantage of security flaws in the third-party authentication app Drift to gain access to Salesforce accounts.

“Upon detecting the activity, Salesloft, in collaboration with Salesforce, invalidated active Access and Refresh Tokens, and removed Drift from AppExchange. We then notified affected customers,” Salesforce claimed in an advisory.
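The remediation described in that advisory, invalidating every active access and refresh token issued to one connected app, is worth seeing end to end. The following is an added example and not code from Salesforce, Salesloft or Drift: a minimal, generic token store that revokes all tokens for a single compromised client, reports which users were affected, and records any later attempt to reuse a revoked token (a reuse attempt after a mass revocation is a useful detection signal). The client id "drift-connected-app", the user names and the token values are all constructed for the example.

```python
"""
Added example (not Salesforce's, Salesloft's or Drift's code): a minimal
model of bulk OAuth token invalidation for one compromised connected app.
Revoking only access tokens is not enough, because the long-lived refresh
tokens would simply mint new ones, so both kinds are revoked together.
Every identifier and value here is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Token:
    value: str
    kind: str            # "access" (short-lived) or "refresh" (long-lived)
    user: str
    client_id: str       # the connected app the token was issued to
    expires_at: datetime
    revoked: bool = False


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)          # token value -> Token
    reuse_attempts: list = field(default_factory=list)  # (when, client_id, user)

    def issue(self, user: str, client_id: str, now: datetime):
        """Issue an access/refresh pair for one user and one connected app."""
        access = Token(secrets.token_urlsafe(16), "access", user, client_id,
                       now + timedelta(hours=1))
        refresh = Token(secrets.token_urlsafe(16), "refresh", user, client_id,
                        now + timedelta(days=90))
        self.tokens[access.value] = access
        self.tokens[refresh.value] = refresh
        return access.value, refresh.value

    def revoke_app(self, client_id: str):
        """Invalidate every live token of one connected app.

        Returns (number of tokens revoked, sorted list of affected users) so
        the incident team knows who to notify.
        """
        affected = set()
        count = 0
        for t in self.tokens.values():
            if t.client_id == client_id and not t.revoked:
                t.revoked = True
                count += 1
                affected.add(t.user)
        return count, sorted(affected)

    def validate(self, value: str, now: datetime):
        """Check a presented token; log reuse of revoked tokens for detection."""
        t = self.tokens.get(value)
        if t is None:
            return False, "unknown"
        if t.revoked:
            self.reuse_attempts.append((now, t.client_id, t.user))
            return False, "revoked"
        if now >= t.expires_at:
            return False, "expired"
        return True, "ok"


def demo():
    """Constructed scenario: two users of the compromised app, one of another app."""
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)
    store = TokenStore()
    a1, r1 = store.issue("alice@example.com", "drift-connected-app", now)
    a2, r2 = store.issue("bob@example.com", "drift-connected-app", now)
    a3, r3 = store.issue("alice@example.com", "other-trusted-app", now)

    count, users = store.revoke_app("drift-connected-app")
    return {
        "revoked_count": count,                                   # 4 (2 users x 2 tokens)
        "affected_users": users,
        "drift_access": store.validate(a1, now)[1],               # "revoked"
        "drift_refresh": store.validate(r2, now)[1],              # "revoked"
        "other_app_access": store.validate(a3, now)[1],           # "ok": untouched
        "other_app_later": store.validate(a3, now + timedelta(hours=2))[1],  # "expired"
        "reuse_attempts": len(store.reuse_attempts),              # 2 logged reuse attempts
    }


if __name__ == "__main__":
    print(demo())
```

The revocation is keyed on the connected app's client id rather than on individual users, which is what lets a platform cut off one integration for every tenant at once while leaving other apps' sessions untouched; the reuse log is what an operations team would feed into alerting after such an event.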

Scattered Lapsus$ Hunters is a cybercrime collective whose members also belong to other groups, including ShinyHunters, Scattered Spider and Lapsus$.

Just last month, the group claimed in a message on Telegram and Dark Web marketplace BreachForums that it had “decided to go dark”. That followed the arrest and court appearance of two suspected members over a cyberattack on Transport for London (TfL). Four members are also in custody in France.

“You may see our names in new data breach disclosure reports from the tens of other multibillion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active,” they wrote in their ‘good-bye message’.

In the message, they implied that Air France, American Airlines and British Airways “among many other critical infrastructure” companies might also be receiving big-money ransom demands soon.

It is not the first time that the group has claimed a serious breach of a major technology vendor. In August, the group claimed responsibility for an attack supposedly compromising the accounts of all 2.5 billion users of Gmail, an attack that Google comprehensively debunked.

Security vendor Panda speculated that Google had detected an attempt to crack Gmail security and had therefore emailed users advising them to change their passwords, but that the attackers had not demonstrated possession of anything beyond what was already in the public domain. Google labelled the claims “entirely false”.