
The threat group operating under the moniker Scattered Lapsus$ Hunters has published the first tranche of stolen Salesforce client data on their dark web site.
The leak, which includes millions of customer records from Qantas, Vietnam Airlines, and four other major firms, marks the continuation of an extortion campaign that has so far proven resilient to law enforcement intervention.
The leak was published late on October 10, 2025, just hours after the FBI and France's BL2C cybercrime unit seized BreachForums.hn, the Clearnet extortion portal tied to the same group. However, law enforcement did not succeed in taking down the onion version of the site, which remains online and is now being used to disseminate the stolen data, along with a new Clearnet portal on a different domain. The threat actors had previously announced a release deadline, stating that failure to pay ransom demands would result in public exposure of the compromised information.
The initial wave of leaked firms includes:
- Qantas Airways
- Vietnam Airlines
- Albertsons
- Gap
- FujiFilm
- Engie Resources

Qantas Airways, Australia's largest airline, confirmed that 5.7 million customer records were exposed in a June 2025 breach involving a Salesforce-connected third-party call center platform. The stolen data includes names, birth dates, email addresses, phone numbers, and frequent flyer numbers, though not financial or passport information. Although there’s a court injunction in place to legally restrict dissemination, the data has now been fully leaked.
Vietnam Airlines also had its customer data compromised through the same Salesforce attack vector. According to Have I Been Pwned, 7.3 million unique email addresses were part of the dataset, along with full names, dates of birth, loyalty program details, and contact numbers. The breach occurred in June and was officially added to HIBP’s database on October 11, one day after the leak.
Four other firms have also been listed in the leak: Albertsons, one of the largest food and drug retailers in the US with over 2,200 stores under various brand names; Gap, a multinational clothing retailer with a presence in over 40 countries; FujiFilm, a Japanese imaging and biotechnology conglomerate; and Engie Resources, a major North American energy provider. While data specifics for these firms have not yet been independently verified, all have been tagged as “non-compliant” by the extortion group, signaling that ransom demands were not met.
Salesforce, a leading provider of cloud-based CRM and enterprise applications, has denied any platform-level compromise. In a public statement, the company noted that the incidents are tied to customer misconfigurations, third-party integrations, or legacy access tokens rather than a flaw in Salesforce itself. The firm has reiterated its refusal to negotiate with or pay threat actors, and says it is providing assistance to impacted clients.
The threat group remains active through their onion site and Telegram channels, where they have pledged to continue releasing data in stages. Based on their posts and previous disclosures, up to 40 more firms may have their private data published soon.