Headlines
Almost 1 billion Salesforce records stolen, hacker group claims
Published by Global Banking and Finance Review
Posted on October 3, 2025
2 min readLast updated: January 21, 2026
Global Banking and Finance Review
Company
Published by Global Banking and Finance Review
Posted on October 3, 2025
2 min readLast updated: January 21, 2026
A hacker group claims to have stolen nearly 1 billion Salesforce records via vishing attacks on customers. Salesforce denies any platform breach.
LONDON (Reuters) -Cybercriminals connected to a recent string of ransomware attacks on major British retailers said on Friday they had stolen almost 1 billion records from cloud technology giant Salesforce by focusing on companies that use its software.
A group calling itself "Scattered LAPSUS$ Hunters" told Reuters it had obtained the Salesforce records, and said they contain personally identifiable information. The group also claimed responsibility for the hacks of Marks & Spencer, Co-op and Jaguar Land Rover earlier this year.
Reuters was not able to verify the group’s claims. Salesforce said its systems were not hacked.
"At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology," a Salesforce spokesperson said.
One of the hackers, who identified themselves as Shiny, told Reuters in an email they did not directly hack Salesforce, but targeted Salesforce customers using "vishing," or voice phishing, a form of social engineering attack in which hackers impersonate employees to IT help desks over the phone.
Scattered LAPSUS$ Hunters published a leak site on the darkweb on Friday which listed around 40 other companies it said it had hacked. It was not clear if those companies were Salesforce clients. Both the hackers and Salesforce declined to say if they were negotiating a ransom.
In June, security researchers at Google's Threat Intelligence Group said the group, which it tracks as "UNC6040," had “proven particularly effective at tricking employees” into installing a modified version of Salesforce’s Data Loader, a proprietary tool used to bulk import data into Salesforce environments.
Technical infrastructure tied to the hacking campaign shares characteristics with suspected ties to the broader and loosely organised ecosystem known as “The Com,” which is known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the Google researchers said.
In July, British police arrested four people under 21 as part of a police investigation into cyberattacks that disrupted operations at UK retailers.
(Reporting by James Pearson; Editing by Sergio Non and Diane Craft)
Vishing, or voice phishing, is a type of social engineering attack where attackers impersonate legitimate entities over the phone to trick individuals into revealing sensitive information.
Ransomware is a type of malicious software that encrypts a victim's files, making them inaccessible until a ransom is paid to the attacker.
Personally identifiable information (PII) refers to any data that can be used to identify an individual, such as names, addresses, phone numbers, and social security numbers.
A data breach is an incident where unauthorized individuals gain access to sensitive, protected, or confidential data, often leading to identity theft or financial loss.
Social engineering is a manipulation technique that exploits human psychology to gain confidential information, often used in cyber attacks.
Explore more articles in the Headlines category
