#Salesforce says it won’t pay #extortion demand in 1 billion records #breach
The threat group behind the campaign is calling itself #ScatteredLAPSUS$ Hunters, a mashup of three prolific data-extortion actors: #ScatteredSpider, #LAPSuS$, and #ShinyHunters. #Mandiant, meanwhile, tracks the group as #UNC6040, because the researchers so far have been unable to positively identify the connections.
#privacy #security
ShinyHunters Wage Broad Corporate Extortion Spree
https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/
#ScatteredLAPSUS$Hunters #OracleE-BusinessSuite #Ne'er-Do-WellNews #CharlesCarmichael #CrimsonCollective #ALittleSunshine #LatestWarnings #TheComingStorm #CVE-2025-61882 #AustinLarsen #ShinyHunters #Ransomware #Salesforce #Salesloft #ASYNCRAT #UNC6040 #UNC6395
"The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
[...]
In March, one of the threat actors breached Salesloft's GitHub repository, which contained the private source code for the company.
ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms."
Read more of Lawrence Abrams' great reporting on Bleeping Computer:
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
#Salesforce #Salesloft #Oauth #Drift #databreach #ransom #ShinyyHunters #ScatteredSpider #LAPSUS$ #UNC6040 #UNC6395
So many news reports have repeated the BBC's mistaken estimate about the number of customers affected by the Kering data breaches. So...
No, folks, it's not 7.4 million affected or fewer. It's a lot more because the BBC's estimate was based on just the second and smaller breach (Balenciaga, Brioni, and Alexander McQueen), and not the Gucci data which allegedly has more than 43 million records. Even assuming repeat customers are in there, there are likely a lot of unique customers in the Gucci data.
If we use the same percent based on 7.4 million out of almost 13 million records in the second data set, then that would yield 24-25 million unique email addresses for the Gucci data set, for an estimated total of more than 31 million customers all told.
I didn't estimate the number of unique customers in my reporting because it's too sloppy. But it's highly unlikely to be 7.4 million or fewer as BBC reported.
#Kering #Gucci #Balenciaga #Brioni #AlexanderMcQueen #databreach #Salesforce #ShinyHunters #UNC6040 #incidentresponse #transparency
Those readers who aren't A-listers (including yours truly) may never have heard of Kering, but you may have heard of their high-end fashion brands: Gucci. Yves
Last week, I broke the story about Gucci and other Kering brands being hacked by ShinyHunters as part of the Salesforce campaign. In my reporting, I included chat logs and other exclusive details. You can read my original reporting here: https://databreaches.net/2025/09/11/exclusive-high-end-fashion-retailers-gucci-balenciaga-brion-and-alexander-mcqueen-hit-by-salesforce-attacks/
There is now an update that refutes Kering's reported claim today that they didn't have any conversations with the hackers. I also highlight their failures to be more transparent about the incidents:
https://databreaches.net/2025/09/15/update-kering-confirms-gucci-and-other-brands-hacked-claims-no-conversations-with-hackers/
#databreach #Salesforce #ShinyHunters #Gucci #Brioni #Balenciaga #KERING #AlexanderMcQueen #UNC6040