Criminals Claim Leak of Customer Data From Six Victims, Including Qantas Airlines

A cybercrime group that has been extorting Salesforce customers leaked some of the stolen data after the FBI disrupted its shakedown sites.
Scattered Lapsus$ Hunters said Saturday it leaked data stolen from six victims: grocery giant Albertsons, global energy and services firm Engie Resources, Japanese camera maker Fuji Film, clothing retailer Gap, the Australian airline Qantas and Vietnam Airlines.
The compromised Vietnam Airlines data includes 7.3 million unique email addresses, as well as names, phone numbers, dates of birth and loyalty program membership numbers, according to Have I Been Pwned, a public breach notification service.
Qantas said Sunday that “with the help of specialist cybersecurity experts, we are investigating what data was part of the release.” In July, the airline notified 5 million customers that their personal data leaked, including names, email addresses and frequent flier numbers.
Members of the Scattered Lapsus$ Hunters collective, largely made up of Western teenagers, stole the data earlier this year by socially engineering victims into giving them access to their Salesforce instances, which allowed them to steal customer data. In August, they compromised more Salesforce-using organizations by first breaching a GitHub repository used by Salesloft Drift’s chatbot, giving them access to its source code. The attackers combed the Drift source code for OAuth tokens, which gave them access to software integrated with Drift, including 760 Salesforce instances. The extortionists claimed Thursday that “the data of the companies who have not paid” was set to be automatically leaked Friday at “11:59 PM New York time,” including on the BreachForums data leak and extortion site run by ShinyHunters.
“Don’t be the next headline, protect yourself, your customers, make the right decision and reach out to us,” read a shakedown notice posted on another darkweb site the group created to list and threaten 39 victims, which it said accounted for 1 billion of the 1.5 billion records it stole, at least in part through the Salesloft breach. Other claimed victims include Cisco, Disney, KFC, Ikea, Marriott, McDonald’s, Walgreens and retailer Saks Fifth Avenue (see: Salesforce Rebuffs ShinyHunters Extortionists’ Ransom Demand).
U.S. and French authorities responded on Tuesday by knocking offline the clearnet and darknet versions of BreachForums, as well as the darknet site listing the 39 Salesforce customers. Scattered Lapsus$ Hunters restored a darknet version of BreachForums, but one darkweb domain used as a forum site and the clearnet version at breachforums.hn have remained offline.
American law enforcement on Thursday redirected the clearnet version to two Cloudflare-hosted nameservers, ns1.fbi.seized.gov and ns2.fbi.seized.gov, also used in previous seizures, reported BleepingComputer.
On Saturday, after claiming to leak data for six victims, the group declared its Salesforce customer extortion effort to be over. “What was leaked was leaked – we are not leaking anything else because we can’t,” a member of the group said in a post to Telegram. The group didn’t specify the nature of the purported limitation.
Scattered Lapsus$ Hunters said law enforcement destroyed all BreachForums backup servers, and appeared to have obtained copies of every database backup for BreachForums since 2023, as well as all escrow payment databases. Those databases would likely reveal which users purchased credits, and which data leaks they paid to access.
The data-extortion group claimed none of its members were arrested alongside the disruption – at least yet (see: French Police Reportedly Bust Five BreachForums Administrators).
ShinyHunters’ failure to follow through on leaking data for the 33 other victims listed on its data-leak site, or for any of the more than 700 other victims, appears to have stoked chaos among members. Security researchers reported that the group’s Telegram posts revealed squabbles over what to do next.
Open Questions
Whether or not the group succeeded in leaking all stolen data pertaining to the six customers, and how much of it could be publicly accessed, is unclear.
“Extortion campaigns generate a lot of noise, like false claims, inflated data, overlapping aliases,” said threat intelligence firm Flashpoint. “The real work lies in verifying what’s actually been compromised and how it impacts the organization.”
ShinyHunters’ dedicated Salesforce leak site includes links to file-sharing platform Limewire.com, through which the stolen data appears to be available.
The group also posted at least some of the data to BreachStars, a data leak platform launched in August as an alternative to the repeatedly seized BreachForums.
On the BreachStars site, users who paid to access data listed under “5.7M+ Qantas Airways Limited” reported Saturday that it was a bust. “Link is dead, content was removed, re upload?” one posted. “I paid for the credits and now its content not found. bruhh,” posted another.
Another recurring challenge for the cybercrime community centers on data-leak sites such as BreachForums, which facilitate the buying and selling of stolen databases and hacking tools and so help data thieves monetize their attacks.
BreachForums, founded in 2022 and repeatedly seized since, was recently relaunched by the ShinyHunters cybercrime group as a place to host leaks. But on Saturday, a member of the group said that attempting to keep a data-leak platform active under sustained law enforcement disruption was no longer worth the trouble. “We are not fighting this war anymore,” the member claimed. “BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot.”
ShinyHunters Carries On
The Salesforce customer extortion aside, members of Scattered Lapsus$ Hunters have been carrying on in other ways. In posts to Telegram – while also claiming they’ll soon no longer use Telegram – some members have solicited help from insiders for targeting large Australian firms.
The group also posted on its leak site a file that allegedly contained data stolen from Red Hat’s consulting arm, for which a group calling itself “Crimson Collective” claimed responsibility (see: Red Hat Confirms Consulting Arm’s GitLab Instance Breached).
Scattered Lapsus$ Hunters has also vowed to take revenge on the Russian-speaking ransomware group Clop, aka Cl0p, which it accused of stealing its zero-day exploit for the Oracle E-Business Suite vulnerability now tracked as CVE-2025-61882 and using it in supply-chain attacks. The group notably avoided any mention of how Clop supposedly came to possess its exploit code (see: Clop Attacks Against Oracle E-Business Suite Trace to July).
