A cybercrime alliance tied to Lapsus$, Scattered Spider, and ShinyHunters is pressuring enterprises with a claimed billion-record haul by abusing OAuth and help-desk trust in Salesforce environments

Continue reading
A new dark‑web leak site branded Scattered LAPSUS$ Hunters is threatening to dump roughly a billion records allegedly stolen from companies using Salesforce, a pressure tactic typical of modern data‑extortion operations rather than encryption‑based ransomware.
Multiple enterprises have acknowledged recent Salesforce‑adjacent data theft, while Salesforce maintains there’s no evidence of a platform‑level compromise, aligning with reports that attackers targeted customers via social engineering and OAuth abuse, not a direct Salesforce breach.
The numbers are designed for shock value; the operational core is credentialed API access obtained through vishing and connected‑app authorization flows that grant durable exfiltration capability.
Evidence points to a coordinated alliance blending Lapsus$, Scattered Spider, and ShinyHunters into a single extortion machine that markets itself loudly, moves quickly, and leverages pooled playbooks: social engineering for initial access, OAuth for durable tokens, and public‑facing leak theater for leverage.
Public monitoring shows Telegram activity explicitly merging these brands, with a shared narrative that Scattered Spider specializes in initial access while ShinyHunters executes exfiltration and data dumps, echoing their advertised “shinysp1d3r” operations and joint claims tied to Salesforce and other SaaS ecosystems.
Third‑party threat profiles and incident recaps corroborate a mid‑2025 surge targeting Salesforce tenants across major enterprises, consistent with this merged identity.
This campaign preys on trust junctions in SaaS identity, not exotic exploits: a phone call to a help desk, a plausible app name, and a legitimate OAuth flow that converts a moment of social trust into long‑lived API access.
Desktop‑style OAuth and connected‑app experiences can be impersonated or repackaged to appear as standard Salesforce tooling (e.g., “Data Loader”), tricking staff into authorizing scopes like refresh_token + full that enable persistent bulk extraction with minimal noise.
This turns traditional perimeter and endpoint controls into bystanders; once a connected app is authorized, the attacker is “inside” through sanctioned API pathways until the token is revoked and the app is pruned.
Incident forensics from multiple vendors describes a repeatable chain: vishing to the connected‑apps page, user‑supplied verification code, app authorization, and then scripted REST or bulk API queries that sweep high‑value objects at scale.
Threat hunters have observed iterative testing with small chunk sizes before pivoting to full‑table pulls, and app aliases like “My Ticket Portal” to match the social pretext, allowing attackers to blend into operational noise until export volumes spike.
Event Monitoring and REST API logs reveal patterned queries against PII‑rich objects with per‑request payloads in the megabytes, a signature that becomes obvious with the right telemetry but invisible without it.
The leak‑site model operationalizes marketing: timers, victim lists, and public taunts amplify pressure while letting groups walk back into the shadows when it suits their private negotiations.
Analysts note that these crews have shifted to selective media use—public enough to validate credibility, private enough to optimize ransom yield—making the “shutdown and reappear” cycles part of the business model rather than a sign of weakness.
The Salesforce‑specific branding is a force multiplier, collapsing dozens of discreet tenant incidents into one narrative that helps drive larger payouts and faster executive attention.
The Salesforce wave underscores a broader SaaS security problem: sprawling connected apps, unattended machine identities, and permissive scopes create an identity debt that adversaries monetize via phone‑based persuasion rather than code execution.
Training and MFA help, but durable fixes require continuous, identity‑aware monitoring across SaaS estates and controls that make “consent” a governed process, not a casual click. Expect copycats to transpose this playbook to other high‑value SaaS platforms where connected apps and delegated access are ubiquitous.
This campaign is not about a novel exploit; it is about industrialized persuasion weaponizing OAuth trust to convert a polite phone call into a high‑bandwidth data siphon, then monetizing the haul via sophisticated extortion theater.
Organizations that treat connected‑app governance, Event Monitoring, and help‑desk hardening as first‑class controls will deflate the business model behind the “billion records” headline, while those relying on traditional perimeter thinking will remain easy marks for the next branded leak countdown.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been