Particle.news

ShinyHunters-Linked Crew Launches Leak Site Targeting 39 Salesforce Customers With Oct. 10 Deadline

Researchers attribute the campaign to stolen credentials and OAuth token abuse, not a Salesforce platform flaw.

Overview

  • The Tor site lists 39 named companies and publishes data samples while claiming roughly 1–1.5 billion records stolen from corporate CRM environments.
  • Salesforce says it sees no evidence of a platform compromise and characterizes the extortion claims as tied to past or unsubstantiated incidents.
  • Security firms point to social engineering, credential theft, and OAuth tokens tied to third‑party integrations such as Salesloft/Drift as the likely access path, with the FBI issuing detection guidance.
  • The attackers set an October 10 negotiation deadline for listed firms and for Salesforce, threaten regulatory complaints and involvement in litigation, and offer $10 Bitcoin bounties for crowdsourced harassment of executives.
  • Red Hat confirms a separate consulting GitLab incident as Crimson Collective partners with the Scattered Lapsus$/ShinyHunters operation, which posts Customer Engagement Report samples and publicly runs an extortion‑as‑a‑service model with a stated revenue split.