Scattered LAPSUS$ Hunters Leak Millions of Salesforce Customer Records

A cybercriminal group calling itself Scattered LAPSUS$ Hunters has reportedly leaked millions of records allegedly stolen from multiple Salesforce customers.

A cybercriminal group calling itself Scattered LAPSUS$ Hunters has reportedly leaked millions of records allegedly stolen from multiple Salesforce customers, escalating an ongoing campaign of extortion and data exposure. The group, believed to be an offshoot of Lapsus$, Scattered Spider, and ShinyHunters, claimed responsibility for breaching 39 Salesforce instances and demanded ransom payments to prevent public release of the stolen data.

Details of the Breach and Leak

The leak surfaced on the group’s Tor-based leak site days after Salesforce refused to meet their ransom demands. According to the hackers, the data includes sensitive records belonging to organizations such as Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines.

The attackers initially shared the stolen data with paying subscribers on a surface-web forum before releasing it freely on another clear-net website. Salesforce responded by stating that the incident involved “past or unsubstantiated events” and reaffirmed that its core systems remain uncompromised.

Impact on Affected Organizations

Qantas Airlines

The Australian carrier Qantas confirmed it is working with cybersecurity experts to verify the legitimacy of the leaked data and has obtained a court injunction to limit access to it.

Back in July 2025, Qantas disclosed that a third-party vendor used by its contact center had been breached, exposing data related to six million customers. Stolen information included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. The airline reiterated that no new information appears to have been compromised beyond what was already reported.

Vietnam Airlines

Similarly, the breach notification service Have I Been Pwned identified approximately 7.3 million leaked Vietnam Airlines accounts. The dataset, reportedly stolen from the airline’s Salesforce instance in June, includes customer names, contact information, birthdates, and loyalty program details.

The Extortion Campaign and Possible Motivations

Despite naming 39 victim organizations, Scattered LAPSUS$ Hunters has published data belonging to only six. When questioned on their Telegram channel about the missing datasets, the hackers claimed they were “unable to leak more data,” suggesting possible technical or strategic reasons.

The group also told DataBreaches.net that some victims had paid ransoms but requested to remain listed on the leak site “for protection” — a statement that remains unverified. Experts note that such contradictory behavior is typical in ransomware and extortion operations, where actors often exaggerate their impact to amplify fear and pressure potential targets.

Broader Context

This campaign follows a recent claim by the same group that they had stolen 19 million records from Telstra, Australia’s largest telecom provider. Telstra refuted the claim, confirming that the data in question had been scraped from public sources, not from internal systems.

The incident underscores the growing complexity and opportunism of data extortion campaigns, where groups combine stolen information, public data, and fabricated claims to extract ransom payments and attention.