The Massive Breach Claim That Shook the Industry

In one of the largest alleged data thefts in recent memory, a hacker group named Scattered LAPSUS$ Hunters has claimed responsibility for stealing close to one billion customer records from companies using Salesforce. The hackers reportedly targeted major UK retailers including Marks & Spencer, the Co-op, and Jaguar Land Rover, using a sophisticated social engineering campaign to infiltrate customer systems.
While the authenticity of the data remains unverified, cybersecurity experts warn that even the possibility of such a large-scale compromise could have far-reaching implications for global data privacy and corporate trust in third-party software providers.
Who Are the Scattered LAPSUS$ Hunters?

The group appears to be an offshoot of the larger LAPSUS$ cybercrime network, which gained notoriety for high-profile attacks on major corporations including Microsoft, Nvidia, and Samsung in recent years. Google’s Threat Intelligence Group tracks the collective under the designation UNC6040 and describes it as relying on aggressive social engineering techniques rather than conventional malware-based attacks.
This subgroup, Scattered LAPSUS$ Hunters, has been linked to a series of ransomware incidents that targeted British retail giants earlier this year. Their name surfaced again after Reuters reported that the hackers had set up a dark web leak site listing 40 organisations allegedly affected by their campaign.
How the Hack Allegedly Happened
Contrary to initial assumptions, Salesforce’s own infrastructure does not appear to have been compromised. Instead, attackers reportedly exploited weaknesses within customer organisations. The hackers allegedly used a method known as “vishing,” or voice phishing, to impersonate IT support staff and convince employees to install a tampered version of Salesforce’s Data Loader tool.
This tool, typically used to manage and transfer data between Salesforce systems, was reportedly modified to allow bulk extraction of sensitive information including customer records, contact details, and transactional data.
A hacker identifying as “Shiny” told Reuters that the operation focused on manipulating human trust rather than breaching secure code. “It’s easier to call someone and get what you need than hack through firewalls,” the individual claimed.
Salesforce Responds to the Allegations
Salesforce has firmly denied any breach within its own systems. A company spokesperson said, “There is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
While refusing to comment on potential ransom demands, Salesforce confirmed that it is cooperating with affected clients and law enforcement agencies. The company also urged its customers to strengthen internal security practices, particularly those related to employee verification and software installation procedures.
What Was Allegedly Leaked
According to early reports, the data set includes customer details, sales records, and internal communications from several UK-based companies. However, investigators have yet to confirm whether the one-billion-record claim is accurate or exaggerated for publicity. Cybersecurity experts note that large breach claims often include duplicated or incomplete records.
Even so, the mere presence of customer data from reputable British brands on a dark web leak site has raised alarm among privacy watchdogs. Many analysts warn that phishing scams, identity theft, and corporate extortion attempts may rise in the coming weeks as hackers weaponise the stolen data.
Police and Cybercrime Agencies Investigate

The UK’s National Crime Agency and Metropolitan Police have reportedly been investigating multiple incidents tied to this wave of attacks since mid-2025. In July, authorities arrested four individuals under the age of 21 in connection with ransomware operations targeting retailers. It remains unclear whether those arrests are directly linked to the Scattered LAPSUS$ Hunters group.
Meanwhile, cybersecurity firms tracking the network have identified connections between the group’s infrastructure and “The Com,” a loosely organised online criminal ecosystem. This network is notorious for smaller hacker cells that engage in both digital and real-world criminal activity.
What This Means for the Future of Enterprise Security
The alleged breach underscores the growing risk of human-driven cyberattacks targeting cloud-based services. Even the most secure platforms can become vulnerable if customer-side employees fall victim to social engineering. Experts emphasise that the rise of generative AI and deepfake technologies will only make vishing and impersonation attacks more convincing and dangerous.
For enterprises relying on third-party cloud providers, the takeaway is clear: strong internal cybersecurity hygiene is as critical as robust infrastructure. Regular employee training, authentication verification, and cautious handling of software tools remain essential defences.
The alleged Salesforce-linked breach serves as a wake-up call for global businesses navigating an increasingly complex digital landscape where human error can override even the strongest security architecture.