A sprawling coalition of hackers styling themselves as Scattered LAPSUS$ Hunters has claimed responsibility for one of the largest alleged data thefts in recent years, asserting that nearly one billion records have been siphoned from companies relying on Salesforce, the dominant US cloud software provider.
The group’s revelation, paired with the launch of a dark-web extortion portal, takes aim at multinational corporations and financial institutions that depend heavily on Salesforce to run customer operations.
Salesforce, which provides cloud-based customer relationship management tools to retailers, banks, insurers and wealth managers, has rejected the suggestion that its own platform was breached.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a company spokesperson told TechCrunch.
The self-branded “hunters” are linked to familiar names in cybercrime – ShinyHunters, Scattered Spider and the remnants of the Lapsus$ collective. Security analysts say the group has shifted away from traditional ransomware and toward public extortion: rather than encrypting systems, they threaten to release data unless companies comply with ransom demands.
The attackers’ tactics rely less on exploiting coding flaws and more on human manipulation. In recent months, researchers say, the hackers used “vishing” – voice-based phishing calls – to convince employees to provide access credentials or authorize rogue applications.
In some cases, investigators at Google’s Threat Intelligence Group observed employees tricked into downloading a doctored version of Salesforce’s own Data Loader, a tool designed for bulk data imports.
The dark-web portal created by the group lists dozens of household names, from Allianz Life – which this week disclosed to the Office of the Maine Attorney General a breach affecting nearly 1.5 million persons – to Google, Qantas, Toyota and Workday.
Extortion notices reviewed by multiple cybersecurity outlets cite companies across sectors – retail, airlines, automotive, finance – underscoring the reach of the campaign.
Brands from FedEx and Home Depot to McDonald’s, Marriott, Cartier, and Disney’s Hulu unit also appear on the site, though several have declined public comment.
Within the wealth space, Salesforce, through its Salesforce Financial Services Cloud and Salesforce Sales Cloud systems, accounted for just over 10% of CRM market share among advisors, according to the most recent T3 Advisortech survey this year.
The hackers claim to hold personal and corporate records numbering in the billions. Samples of data tied to at least 39 enterprises have been released, with the threat of full disclosure if no settlement is reached by October 10.
In a post aimed directly at Salesforce, the group demanded payment to halt publication of client data, warning that otherwise “all your customers data will be leaked.”
Beyond the immediate ransom threats, the hackers have suggested they may assist in legal action against Salesforce itself, citing obligations under Europe’s General Data Protection Regulation.
“Your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always,” the group wrote in one notice, while hinting that noncompliance could lead to civil exposure for Salesforce.
For financial services providers – particularly US wealth managers and insurers that have adopted Salesforce Financial Services Cloud or overlays such as Practifi and Salentica – the stakes are acute.
Firms like RBC Wealth Management, US Bank, and Pacific Life have publicly described using Salesforce to centralize client data, meaning a breach of customer instances could spill sensitive investment and planning information into criminal hands.
Compounding unease, Salesforce only days earlier disclosed a separate issue: a flaw dubbed “ForcedLeak” in its Agentforce AI platform. That bug, now patched, could have allowed attackers to exfiltrate CRM data through maliciously crafted inputs.
Though unrelated to the current extortion campaign, the incident highlights the widening attack surface as financial firms increasingly experiment with AI agents layered atop their CRM systems.