Salesforce Extortion Accelerates With New Leak Site | UpGuard

This report documents a coordinated extortion campaign by the Scattered Lapsus$ Hunters: attackers used voice-phishing to install malicious Salesforce integrations and compromised Salesloft’s GitHub/AWS environment to obtain OAuth tokens, enabling large-scale exfiltration of Salesforce customer data from multiple organizations and publication of an extortion portal demanding payment for data deletion.