Cybercriminals connected to a recent string of ransomware attacks on major British retailers have claimed to have stolen nearly 1 billion records from companies that store customer data in cloud databases hosted by Salesforce. The same hacking collective—known by aliases such as Lapsus$, Scattered Spider, and ShinyHunters—launched a dark web site called Scattered LAPSUS$ Hunters in early October to extort victims, threatening to publish stolen information unless a ransom is paid.
The hackers’ site, first spotted by threat researchers and reported by TechCrunch on October 3, demands ransom payments from companies to prevent the release of stolen data.
The group alleges it has breached the databases of dozens of major companies—including Allianz Life, Google, Kering, Qantas, Stellantis, TransUnion, and Workday—by exploiting access to Salesforce-based environments. Other high-profile names such as FedEx, Hulu, and Toyota Motors also appear on the leak site.
While some organizations have confirmed data exposure, it’s unclear whether others have quietly paid ransoms to prevent public release. A spokesperson for Salesforce said the company is aware of the extortion attempts but maintains there is no evidence that its core platform was compromised.
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Salesforce stated.
TransUnion Another Recent Target
Another recent victim of the Salesforce breach is credit reporting giant TransUnion. Already reeling from a September breach affecting 4.4 million individuals, the company has acknowledged that its recent incident involved a third-party platform used for U.S. consumer support operations, likely connected to this broader Salesforce-linked campaign.
The company confirmed that while credit reports and core credit data were not accessed, the exposed information includes names, birthdates, and Social Security numbers—enough to enable identity theft. Impacted consumers are being offered 24 months of free credit monitoring and fraud assistance.
According to filings with the Maine Attorney General’s Office, TransUnion notified regulators that 4,461,511 individuals were affected. Security researchers say the stolen dataset was likely exfiltrated from TransUnion’s Salesforce account, though the company has not confirmed those details.
Broader Implications
This series of attacks underscores the growing concentration of risk in customer relationship management (CRM) and cloud-based support systems, where sensitive personal data often sits alongside customer service records and communication logs.
Recent federal advisories have warned about phishing, credential theft, and session hijacking tactics that target these applications—bypassing traditional perimeter defenses once access is obtained.
What Consumers Should Do
Authorities and cybersecurity experts urge consumers to take immediate precautions if they believe their data may have been compromised:
- Freeze your credit with TransUnion, Equifax, and Experian to prevent new accounts from being opened in your name.
- If you prefer not to freeze, place a fraud alert—this requires lenders to take extra steps to verify your identity.
- Enroll in any offered credit monitoring services and set up alerts for new credit applications, address changes, or unusual activity.
- Be cautious of phishing attempts referencing the breach. Avoid clicking links in unsolicited emails or texts.
- Use unique passwords for each account and enable multi-factor authentication wherever possible.
How Enfortra Can Help
As breaches like these continue to rise, identity protection is no longer optional—it’s essential. Enfortra helps individuals and businesses detect, monitor, and respond to potential identity risks in real time. With proactive alerts, credit monitoring, and fraud resolution tools, you can take back control of your personal information before criminals do.
Stay vigilant. Stay informed. And let Enfortra help you stay one step ahead.
