A hacker collective calling itself “Scattered LAPSUS$ Hunters” claims to have stolen nearly 1 billion records linked to Salesforce, the global cloud software giant, by targeting companies that use its platform. The group—believed to be behind recent ransomware attacks on major U.K. retailers including Marks & Spencer, Co-op, and Jaguar Land Rover—told Reuters the stolen data contains personally identifiable information (PII).
Salesforce, however, firmly denied that its systems were compromised. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” a company spokesperson said.
One hacker, identifying themselves as “Shiny,” told Reuters that the group did not directly hack Salesforce infrastructure but instead exploited its customers through “vishing”—a voice-phishing technique where attackers impersonate employees in calls to IT help desks to gain system access.
The group published a leak site on the dark web on Friday listing around 40 allegedly hacked companies, though it remains unclear how many are Salesforce clients. Both Salesforce and the hackers declined to confirm whether any ransom demands had been made.
In a June report, Google’s Threat Intelligence Group (TAG)—which tracks the hackers as “UNC6040”—said the group had been highly effective at deceiving employees into installing modified versions of Salesforce’s Data Loader, a proprietary tool used to import large volumes of customer data.
Google researchers also noted that the attackers’ infrastructure overlaps with an amorphous cybercriminal network known as “The Com”, a loosely connected ecosystem infamous for social engineering, ransomware, and even violent activity.
The claims come amid an ongoing U.K. police investigation into the earlier wave of cyberattacks that disrupted retail operations nationwide. In July, authorities arrested four individuals under 21 suspected of involvement in the breaches.
While Salesforce’s denial suggests its core systems remain intact, the episode underscores a growing cybersecurity challenge: attackers are increasingly bypassing well-secured platforms by manipulating the humans who use them.
As digital ecosystems become ever more interconnected, the breach—real or exaggerated—illustrates how even the most secure cloud providers can be dragged into the fallout of their customers’ weakest link: trust.
