After days of endlessly urging Salesforce or companies to pay them so that their data would not be leaked, the deadline for Salesforce to pay came and went. And as it went, ScatteredLAPSUS$Hunters leaked data from six of the 39 companies listed on its dark web leak site.
But that’s where the massive leak that many people stayed up late to watch ended.
What Happened?
As the time approached for the leaks to start, it appeared that the group had prepared for the possibility that the onion site might be seized or just became overwhelmed by traffic. When the onion site did start timing out, messages in the group’s Telegram channel pointed people to links on a clear net forum where ShinyHunters posted the links to the leaked data. For four token credits each, people who registered for that forum would get a link to Limewire to download the data.
The first six (and ultimately, only) leaks involved data from Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources.
Qantas, which received more media coverage than other entities because of the court injunction it obtained to try to stop access to or use of any stolen data, confirmed that its data had been leaked. Whether Qantas would have been one of the six had it not obtained an injunction is unknown to DataBreaches, but it seemed predictable to DataBreaches that once it had been announced that no one could leak or use the data, the attackers would leak it.
The group also opened a new clear net site where people could download the data for free.
For those keeping count, then, there were three sites: one clear net forum, one onion site, and one clear net leak site, all with leaks of the six companies’ data.
And Then There Were … No More Leaks
But there were no further leaks, and when the group’s followers on Telegram asked why the group hadn’t followed through by leaking all 39 of the Salesforce-related listings, they received responses such as:
man watching you guys complain, whine, and cry because we aren’t leaking the good stuff (because we literally CAN’T) is fucking hilarious you guys are fucking LOSERS LOL
and
A lot of people are asking what else will be leaked.
Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak and obviously the things we have cannot be leaked for obvious reasons :D.
The first answer was just insulting to their own followers and doesn’t explain why suddenly the group “CAN’T” leak any data, and the second answer was not particularly credible.
What “obvious reasons” do they allude to? If they decided not to leak some companies’ data because they had suddenly been paid, then they should have de-listed those companies. Instead, all of the listings — with their corresponding samples and larger data samples — remain freely available.
As a reminder, here’s what the threat actors had threatened on the leak site:
Salesforce, Inc.
989.45m/~1B+ records
Contact us to negociate (sic) this ransom or all your customers data will be leaked.
If we come to a resolution all indiviual extortions against your customers will be withdrawn from.
Nobody else will have to pay us, if you pay, Salesforce, Inc.
“If Salesforce does not engage with us to resolve this, we will completely target each and every indiviual customers of theirs listed below, failure to comply will result in massive consequences. If you are listed below we advise you to take every action to protect yourselves and reach out to us to resolve this. Do not be mistaken that your SaaS provider will protect all of you, they won’t. Don’t be the next headline, make the correct decision and reach out.”
So maybe the “obvious reasons” were just them hoping people would interpret that to assume that they had gotten a big payment when they hadn’t even gotten a dime? Even though they didn’t remove any listings? If Salesforce had paid — and they had indicated they wouldn’t — then all of the 39 listings should have been removed. But six were leaked and 33 remained, without real explanation. If some other party paid, certainly at least one listing should have been removed, right?
If they got paid, why didn’t they remove any of the listings?
Post-publication, ShinyHunters contacted this site to answer that question: “Because we were told not to delist the companies who paid so they can protect themselves.” DataBreaches has no proof of that, but agreed to edit this post to include their explanation.
The Take-Home Messages They Don’t Want Us to Take Home
In a longer statement later, they write, in part:
This should serve as an example to every government in the world that when you suffer a databreach, then you receive a ransom demand. Your best choice is to comply with us and negotiate a settlement with us.
To the contrary: what happened with their leak site should serve as a reminder to every government and every future target of this group’s campaigns or attacks that victims shouldn’t — and don’t need to — pay them if they receive a ransom demand in a data exfiltration incident.
What the incident demonstrates is that even though the vast majority of companies didn’t pay, their data wasn’t leaked, and that if the attackers did get paid, they didn’t remove listings (although that might have been at the victims’ request, according to ShinyHunters).
By their own statement, Salesforce did not pay. And although their stock dropped a bit, the bulk of the drop in Salesforce’s stock price since 2024 has been attributed by analysts to their investment in AI and uncertainty about its future and flat revenues. This massive campaign and press coverage about Salesforce has not significantly impacted Salesforce’s stock prices, despite the threat actors’ predictions.
“For obvious reasons,” then, it seems clear that future victims should not pay them. After all, the group claimed to have more than 750 victims from one campaign. Out of hundreds of victims of the different campaigns, only a few threatened leaks came to pass. The odds are in the victims’ favor that most companies won’t have their data leaked in this group’s massive campaigns.
Paying threat actors only reinforces them for engaging in crime. Their conduct with respect to Salesforce and its clients provides a clear example of why victims shouldn’t pay.
Update: This post was updated post-publication after ShinyHunters reached out to DataBreaches to respond to the question about why victims weren’t delisted. He also added that the onion and clear net leak sites will be taken offline on Tuesday.