Overview

• A Tor site operated by actors using Lapsus$, Scattered Spider and ShinyHunters branding lists 39 companies and publishes samples allegedly taken from their Salesforce environments.
• The operators demand negotiations by October 10 from the listed firms and from Salesforce, threatening to support lawsuits and regulatory complaints if payments are not made.
• Security firms report that leaked samples contain extensive PII with few passwords, indicating access likely came via social engineering and stolen OAuth tokens rather than a platform vulnerability.
• Salesforce says investigations with external experts and authorities show no indication of a platform breach and characterizes the claims as connected to prior or unverified incidents.
• The group claims possession of roughly 1–1.5 billion records across hundreds of companies, the FBI issued a flash alert with detection guidance, and the leak site has reportedly faced DDoS attacks.