Hackers Extorting Salesforce After Stealing Data From Dozens of Customers
Salesforce says the extortion attempts are related to past or unsubstantiated incidents, and not to fresh intrusions. The post Hackers Extorting Salesforce After Stealing Data From Dozens of Customers appeared first on SecurityWeek.
AI Analysis
Technical Summary
The threat involves a coalition of cybercriminal groups—Scattered LAPSUS$ Hunters, which includes members from Lapsus$, Scattered Spider, and ShinyHunters—claiming to have stolen data from dozens of Salesforce customers by compromising their Salesforce instances. The attackers have published a list of 39 targeted organizations, including prominent European companies such as Adidas, Air France/KLM, Allianz Life, Dior, Kering, Louis Vuitton, and Stellantis. They claim to have exfiltrated roughly 1 billion records and are demanding ransom payments from Salesforce and affected customers to prevent data leaks. Salesforce has publicly stated that it has found no evidence of recent breaches of its platform and attributes the extortion attempts to past or unsubstantiated incidents. The attackers likely gained access through social engineering and stolen credentials rather than exploiting Salesforce platform vulnerabilities, indicating weaknesses in customer-side security controls and identity management. The extortion campaign is unusual in that the attackers threaten to participate in ongoing lawsuits against Salesforce, attempting to pressure the vendor beyond typical ransom demands. This case underscores the challenges of shared responsibility in cloud security, where customer misconfigurations or credential compromises can lead to significant data exposure despite the vendor's platform security. No known exploits or patches are associated with this incident, and the attack does not appear to involve remote code execution vulnerabilities in Salesforce itself. The incident highlights the importance of robust identity and access management, monitoring for credential theft, and incident response readiness for cloud SaaS environments.
Potential Impact
European organizations using Salesforce, especially those named in the extortion list, face significant risks including data confidentiality breaches, reputational damage, and potential regulatory penalties under GDPR due to exposure of personal or sensitive data. The theft of large volumes of customer data can lead to secondary attacks such as phishing, identity theft, and fraud targeting European customers and employees. The extortion attempts against Salesforce and its customers may disrupt business operations and increase legal and compliance costs. The involvement of high-profile European brands elevates the strategic importance of this threat, potentially attracting further targeted attacks. Additionally, the attackers’ novel tactic of leveraging ongoing litigation against Salesforce could complicate legal and risk management responses. While Salesforce denies recent platform vulnerabilities, the incident reveals gaps in customer security hygiene and shared responsibility adherence, which could impact trust in cloud services across Europe. The medium severity reflects the large scale of data exposure and extortion risk, though no active exploitation of Salesforce platform vulnerabilities has been confirmed.
Mitigation Recommendations
European organizations should immediately review and strengthen identity and access management controls for Salesforce instances. Specifically:
- Enforce multi-factor authentication (MFA) for all users and administrators.
- Implement continuous monitoring and anomaly detection to identify unusual login patterns or data access indicative of credential compromise.
- Conduct thorough audits of user permissions and remove excessive or outdated access rights.
- Enhance employee security awareness training focused on social engineering and phishing risks to reduce credential theft.
- Collaborate closely with Salesforce support and security teams to investigate any suspicious activity and receive guidance on incident response.
- Employ data loss prevention (DLP) tools and encryption to protect sensitive data within Salesforce environments.
- Establish clear incident response plans that include coordination with legal and compliance teams to address extortion attempts and potential data breach notifications under GDPR.
- Consider engaging external cybersecurity experts for penetration testing and security posture assessments of cloud configurations.
- Finally, monitor threat intelligence sources for updates on this extortion campaign and related attacker tactics to adapt defenses accordingly.
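The monitoring recommendation above is the one most teams struggle to turn into something concrete. The following is an added illustration, not code from SecurityWeek, Salesforce or the attackers, of the kind of login-pattern detection a defender can run over exported login-history records. It builds a per-user baseline of countries and client applications from a quiet period, then flags successful logins that come from a country or client app the user has never used, that follow a recent login from a different country too closely to be plausible travel, or that follow a burst of failed attempts. The log format, field names, the `BASELINE_END` cutoff and the thresholds are all assumptions chosen for the example; the sample lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One login record. Field set is an assumption modelled loosely on a login-history export."""
    user: str
    ts: datetime
    country: str
    app: str        # client application or connected app that authenticated
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse a constructed 'user|iso-timestamp|country|app|status' line."""
    user, ts, country, app, status = line.split("|")
    return LoginEvent(user, datetime.fromisoformat(ts), country, app, status == "Success")


# Constructed sample (not real data): a month of routine activity, then suspicious access
# where alice's credentials are used from a new country via an unseen client app,
# minutes after her usual login and right after a burst of failed attempts.
SAMPLE_LINES = [
    "alice|2025-09-01T09:02:00|DE|Browser|Success",
    "alice|2025-09-15T08:55:00|DE|Browser|Success",
    "alice|2025-09-29T09:10:00|DE|Salesforce Mobile|Success",
    "bob|2025-09-03T10:00:00|FR|Browser|Success",
    "bob|2025-09-20T10:30:00|FR|Browser|Success",
    "alice|2025-10-05T08:58:00|DE|Browser|Success",
    "alice|2025-10-05T09:20:00|US|Data Loader|Failed",
    "alice|2025-10-05T09:21:00|US|Data Loader|Failed",
    "alice|2025-10-05T09:22:00|US|Data Loader|Failed",
    "alice|2025-10-05T09:23:00|US|Data Loader|Success",
    "bob|2025-10-05T10:05:00|FR|Browser|Success",
]
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LINES]

BASELINE_END = datetime(2025, 10, 1)      # assumption: everything before this is "known good"
TRAVEL_WINDOW = timedelta(hours=4)        # two countries within this window is implausible travel
FAILED_BURST = 3                          # this many failures within FAILED_WINDOW before a success
FAILED_WINDOW = timedelta(minutes=10)


def build_baseline(events: List[LoginEvent]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Per-user sets of countries and client apps seen in successful logins before BASELINE_END."""
    countries: Dict[str, Set[str]] = defaultdict(set)
    apps: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.success and e.ts < BASELINE_END:
            countries[e.user].add(e.country)
            apps[e.user].add(e.app)
    return countries, apps


def detect_anomalies(events: List[LoginEvent]) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, finding) for suspicious successful logins on/after BASELINE_END."""
    countries, apps = build_baseline(events)
    findings: List[Tuple[str, str, str]] = []
    last_success: Dict[str, LoginEvent] = {}
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts < BASELINE_END:
            continue
        if not e.success:
            recent_failures[e.user].append(e.ts)
            continue
        stamp = e.ts.isoformat()
        if e.country not in countries[e.user]:
            findings.append((e.user, stamp, f"login from new country {e.country}"))
        if e.app not in apps[e.user]:
            findings.append((e.user, stamp, f"login via unseen client app {e.app!r}"))
        prev = last_success.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= TRAVEL_WINDOW:
            findings.append((e.user, stamp, f"implausible travel {prev.country}->{e.country} in {e.ts - prev.ts}"))
        fails = [t for t in recent_failures[e.user] if e.ts - t <= FAILED_WINDOW]
        if len(fails) >= FAILED_BURST:
            findings.append((e.user, stamp, f"success after {len(fails)} failures within {FAILED_WINDOW}"))
        recent_failures[e.user] = []
        last_success[e.user] = e
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detectors over the constructed sample."""
    return detect_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, stamp, finding in run_sample():
        print(f"{stamp} {user}: {finding}")
```

Each detector maps to a concrete review question for the account concerned: a new client application is worth checking against the organization's list of approved connected apps and integration tools, and a success following a burst of failures is the pattern to route to the user for confirmation rather than silently accept. In production the baseline would be rebuilt on a rolling window and the thresholds tuned per environment; the values here are illustrative.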
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Article Source: https://www.securityweek.com/hackers-extorting-salesforce-after-stealing-data-from-dozens-of-customers/ (fetched 2025-10-06T11:38:20.488Z, 1098 words)
Threat ID: 68e3aa2ca74bcb39a88e0017
Added to database: 10/6/2025, 11:38:20 AM
Last enriched: 10/6/2025, 11:38:34 AM
Last updated: 10/7/2025, 12:53:18 PM