Hackers Claim Theft of Nearly 1 Billion Salesforce Records, But Company Denies Breach

One billion customer records may have been stolen from Salesforce users, according to a hacker group that has claimed responsibility for a string of high-profile attacks in the UK. The group, calling themselves “Scattered LAPSUS$ Hunters”, said they accessed personal information from companies using Salesforce’s cloud software, although the company insists its systems are secure.

The news sent shockwaves through the tech industry, raising questions about how secure cloud-based business platforms really are and how vulnerable companies are when their employees are the entry point for hackers.

Salesforce says its systems are secure

Salesforce has denied the hackers' claims, saying there is no evidence that its core platform was breached. A company spokesperson said none of its systems showed signs of unauthorized access, and the activity described by the hackers was not related to any known Salesforce vulnerability.

The group behind the alleged theft told Reuters they didn’t breach Salesforce but instead targeted Salesforce customers through a technique called “vishing” or voice phishing. This is where they call IT helpdesks and pretend to be employees, tricking staff into giving up credentials or access. As we all know, even with the best security software, the human is often the weakest link in security.

Links to previous attacks raise red flags

Scattered LAPSUS$ Hunters have already made headlines this year, claiming responsibility for attacks on major UK retailers, including Marks & Spencer, Co-op, and Jaguar Land Rover. Security experts say this is part of a larger campaign targeting companies that rely heavily on cloud infrastructure.

Researchers at Google’s Threat Intelligence Group, who track the hackers under the label “UNC6040”, say the group has become skilled at tricking employees into downloading tampered versions of legitimate software, such as Salesforce’s Data Loader, a tool companies use to import data in bulk. The hackers’ infrastructure is also similar to that of “The Com,” a loose collective of cybercriminals.

While Salesforce has said its systems weren’t breached, cybersecurity experts say such incidents can still damage the company’s reputation and customer trust. For businesses using cloud platforms, the incident highlights the need for stronger verification processes and staff training to prevent social engineering attacks.

A cloud era problem

The alleged breach, whether or not it’s true, reflects a growing headache for modern businesses. As more companies move critical operations to cloud services, the attack surface gets bigger. Hackers are increasingly targeting third-party users rather than the tech providers themselves, exploiting the trust relationship between vendors and customers.

UK law enforcement has already been investigating related incidents. Earlier this year, four individuals under 21 were arrested in connection with cyber attacks on several retail chains. Investigators are now looking into whether those cases are linked to the Scattered LAPSUS$ Hunters group’s wider activity.

For Salesforce users, this is a wake-up call. Even if the infrastructure is still intact, attackers are finding ways to exploit the human element. As one cybersecurity researcher said, “don’t dismiss this just because the platform wasn’t hacked, rather it’s about how easily trust can be manipulated.”

In summary, the alleged theft of Salesforce records, whether true or not, is another reminder of the realities of the modern digital world. As the cloud grows, so does the need for vigilance not just in tech, but in training, awareness, and accountability.
