Feds Shutter ShinyHunters Salesforce Extortion Site
Summary
The FBI, working with French law enforcement, seized the BreachForums domain that had been repurposed as an extortion portal by the group calling itself “Scattered Lapsus$ Hunters” — an apparent fusion of Scattered Spider, Lapsus$, and ShinyHunters. Authorities reportedly confiscated site backups, escrow databases and back-end servers. The cybercriminals claim they still control a Tor leak site and continue to threaten Salesforce customers, asserting possession of roughly 1 billion records and listing 39 victim organisations (sampled names include Chanel, Disney, Hulu, Marriott, Google, Toyota and FedEx).
Salesforce has acknowledged the extortion attempts but says there is no indication its platform was directly compromised. The criminal group announced the “era of forums” may be over and warned of impending law-enforcement crackdowns, while also stating no members have yet been arrested.
Key Points
- The FBI and French authorities seized the BreachForums domain used for extortion tied to recent Salesforce data thefts.
- Scattered Lapsus$ Hunters — combining elements of multiple criminal groups — claim continued access to stolen data and an active Tor leak site.
- The group alleges about 1 billion records and 39 victim organisations, naming high-profile companies as samples.
- Salesforce says its platform does not show evidence of compromise but confirms customers are being extorted.
- Law enforcement reportedly took backups and servers; the criminals warned of further arrests and advised improved operational security for peers.
Why should I read this?
Short and blunt: this takedown is a win on the surface, but the mess isn’t cleared up. If you use Salesforce or hold customer data, this directly affects you — check exposures, rotate credentials, watch Tor/leak channels and follow Salesforce advisories. We’ve skimmed the detail so you can act fast.