ShinyHunters hackers are ransoming 1 billion Salesforce records

Does your company use Salesforce? A hacker group may very well have stolen your data. Or, at the very least, they want you to think so.

On Friday, cybersecurity researchers discovered a website on the dark web that is attempting to extort victims of a major Salesforce data breach. According to TechCrunch, which first reported the story, hackers claim that roughly one billion customer records have been stolen in recent weeks from companies that use Salesforce.

The data includes records of each companies' own customers, which are stored in cloud databases run by Salesforce, a company known for its cloud-based business software.

The hackers' website lists numerous companies that they say have been victimized by this breach, including FedEx, Toyota, and Disney Hulu. Some companies, such as Google and credit report company TransUnion, have confirmed that their data was recently stolen in a Salesforce breach; however, they do not appear on the ransom website, for reasons unknown.

The hackers behind the website have previously gone by names such as Scattered Spider, ShinyHunters, and Lapsus$. The dark web site that has published the leak is called Scattered LAPSUS$ Hunters.

Mashable has previously reported on this hacker collective. The group has taken responsibility for numerous high-profile hacks in recent years, including the Ticketmaster breach and the AT&T data leak. The group's targets range from major airlines to the video game makers behind Grand Theft Auto.

“Contact us to regain control on data governance and prevent public disclosure of your data,” the hackers' dark web site says, per Tech Crunch. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”

The hacker group appears to be trying to extort Salesforce directly. The group is threatening to release the company's customers' data if Salesforce doesn't pay a ransom.

In response, Salesforce put out a security advisory on its website titled "Ongoing Response to Social Engineering Threats":

We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology. 

We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.