Nearly one billion customer records tied to companies using Salesforce have allegedly been stolen and used in a large-scale extortion campaign. The cybercriminals behind the breach, now calling themselves “Scattered LAPSUS$ Hunters,” have launched a dark web leak site to pressure victims into paying ransoms.
Despite the size and visibility of the attack, Salesforce maintains that its core systems were not compromised.
What makes the campaign more troubling is that it involves the same hacking groups previously known as Scattered Spider and ShinyHunters, both of which claimed to have “retired” from cybercrime just weeks before the leak site went live.
Their sudden reappearance supports long-standing doubts within the security industry about the credibility of such retirement claims and raises important questions about the security assumptions built into cloud ecosystems.
Why It Matters: This breach shows that many of the most damaging cyberattacks today rely on social manipulation, psychological tactics, and weaknesses in how people and systems interact. Even platforms with strong security can be affected when attackers target customers, exploit cloud-based connections, and take advantage of trusted access. The Salesforce incident serves as a clear reminder that in modern cybersecurity, threat boundaries often stretch well beyond a single organization’s control.
- Cybercrime “Retirement” Was Likely a Strategic Pause: In August and September 2025, members of Scattered Spider and ShinyHunters posted farewell messages on Telegram claiming their hacking operations had ended. However, researchers noticed inconsistencies early in the process, including the sudden reactivation of their channels. The launch of the Scattered LAPSUS$ Hunters leak site confirms concerns that these statements were likely smokescreens meant to avoid law enforcement attention and resume activity under a new name.
- Salesforce Confirms No Platform Compromise, But Customers Hit: Salesforce issued a statement saying its infrastructure remains intact, with “no indication” of a platform breach or software vulnerability. Instead, the attackers reportedly used advanced social engineering techniques such as vishing, where they called IT help desks while posing as internal staff to compromise Salesforce customers. Some were also tricked into installing a trojanized version of Salesforce’s Data Loader, allowing large-scale unauthorized data extraction.
- A Dark Web Leak Site Names Victims: The Scattered LAPSUS$ Hunters leak site lists dozens of high-profile companies, including Allianz Life, Google, Toyota, FedEx, Qantas, and Hulu. Victims are urged to “negotiate data governance” before their data is made public. The hackers adopt corporate language in their messaging but have clearly embraced public pressure tactics to force compliance, which blurs the line between data theft and corporate extortion.
- Cloud Used as Point of Entry: Though Salesforce’s systems remain untouched, the attacks highlight a deeper issue involving the risks that surface when large volumes of customer data are concentrated in a single platform. When one organization is compromised, the impact can spread across its partners and service providers to reach end users who were never the direct target. In this case, the attackers did not breach Salesforce but took advantage of the surrounding network of tools, users, and support systems.
- Experts Warn This Is the New Normal for Cybercrime: Cybersecurity professionals have long doubted that threat groups like Scattered Spider ever truly disband. Analysts warn that rebranding and radio silence are now common parts of how these groups operate. These actors are becoming more organized by shifting between aggressive campaigns, periods of silence, and renewed activity under new identities, making detection and prevention more difficult.
Go Deeper:
- Almost 1 billion Salesforce records stolen, hacker group claims – Reuters
- Hacking group claims theft of 1 billion records from Salesforce customer databases – TechCrunch
- Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims – SecurityWeek


