The so-called retirement of the Scattered Lapsus$ Hunters extortion group didn’t last long.
The threat group – a combination of the high-profile Scattered Spider, Shinyhunters, and Lapsus$ organizations that first formed over the summer – said in a widely reported message on Telegram and on the underground marketplace BreachForums last month that it was shutting down its operations.
The announcement was met with skepticism from many in the cybersecurity world, with Bugcrowd founder Casey Ellis telling Security Boulevard at the time that it was “safest to consider this announcement as more of a PR stunt than a genuine farewell.”
That skepticism was well placed. The cybercriminal group returned this month with a data leak site tied to the widespread attacks on customers of software-as-a-service (SaaS) giant Salesforce, claiming that it had stolen almost 1 billion data files from dozens of well-known companies – such as Cisco, Petco, Ikea, Marriott, and Disney/Hulu – and threatening to release the data if Salesforce doesn’t negotiate with it by October 10.
The list not only includes the names of the companies attacked, but also the date of the compromise and the size of the data files stolen. The threat group says that the stolen data includes such sensitive data as driver’s licenses, dates of birth, and Social Security numbers.
Scattered Lapsus$ Hunters said it was able to take advantage of what it claimed were poor security measures by Salesforce, including poor two-factor authentication (2FA) and OAuth protections.
Salesforce customers have been the target of two widespread campaigns reportedly run by the threat groups UNC6040 and UNC6395, both of which have links to the groups that make up Scattered Lapsus$ Hunters. The group also reportedly is part of The Com, which threat intelligence firm SOCRadar wrote is a mainly English-speaking network “made up of teens and young adults, has been described as a cybercrime subculture rather than a single group. Within it, actors share tools, trade access, and collaborate on operations, with alliances shifting as campaigns evolve.”
UNC6040 ran a vishing campaign in which hackers impersonated IT support staff and convinced employees of the targeted companies to authorize a malicious app connected to their organizations’ Salesforce portal.
Google’s Threat Intelligence Group (GTIG) wrote in June that “this application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce’s connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”
In another campaign, UNC6395 targeted Salesforce customers’ instances through compromised OAuth tokens associated with Salesloft’s Drift, an app used by sales and marketing units. The bad actors were able to steal credentials like Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. The compromise gave the attackers the ability to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.
According to Grip Security researchers, the Drift campaign involved “exploiting the connection and permissions between applications. … That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token.”
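Both campaigns above come down to a connected app or integration token being granted more access than anyone intended. The following added example (not from the article, Salesforce, or any of the researchers quoted) shows one way a defender can triage connected-app authorizations: it flags apps whose name imitates the legitimate Data Loader but are not on the approved list, and third-party apps holding broad OAuth scopes. The record format and the sample records are constructed for illustration, not Salesforce's actual API or log schema.

```python
"""Triage Salesforce-style connected-app authorizations (constructed format)."""
import difflib

# Assumed allow-list of approved connected apps (hypothetical for this example)
LEGIT_APPS = {"Salesforce Data Loader"}
# Scopes that let a third-party token act as a long-lived "master key"
BROAD_SCOPES = {"full", "refresh_token"}

# Constructed sample records: app name, publisher, granted scopes, approving user
SAMPLE_AUTHS = [
    {"app": "Salesforce Data Loader", "publisher": "Salesforce",
     "scopes": ["api", "refresh_token"], "user": "analyst@example.com"},
    {"app": "Data Loader Pro", "publisher": "unknown",
     "scopes": ["full", "refresh_token"], "user": "helpdesk@example.com"},
    {"app": "Drift", "publisher": "Salesloft",
     "scopes": ["api", "refresh_token", "full"], "user": "integration@example.com"},
    {"app": "Slack", "publisher": "Slack",
     "scopes": ["api"], "user": "sales@example.com"},
]


def lookalike(name, allow=LEGIT_APPS, threshold=0.6):
    """True if `name` is not approved but imitates an approved app's branding."""
    if name in allow:
        return False
    low = name.lower()
    return any(
        "data loader" in low
        or difflib.SequenceMatcher(None, low, a.lower()).ratio() >= threshold
        for a in allow
    )


def broad_third_party(record, allow=LEGIT_APPS):
    """True if a non-approved app holds scopes from BROAD_SCOPES."""
    return record["app"] not in allow and bool(set(record["scopes"]) & BROAD_SCOPES)


def triage(records):
    """Return (app, [reasons]) for every record that trips at least one check."""
    findings = []
    for r in records:
        reasons = []
        if lookalike(r["app"]):
            reasons.append("lookalike-app")
        if broad_third_party(r):
            reasons.append("broad-scope-third-party")
        if reasons:
            findings.append((r["app"], reasons))
    return findings
```

Findings from `triage(SAMPLE_AUTHS)` are candidates for review of the approving user and the app's publisher, not automatic revocations.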
Salesforce has noted that its platform hadn’t been compromised and there was no vulnerability connected to it. Instead, the attackers used vishing tactics and compromised OAuth tokens associated with third parties. The vendor also noted earlier this year that “cybersecurity is a shared responsibility between a provider and their customers. While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data — especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers.”
Some customers of the compromised companies disagree. The SFGate news site reported late last month that Salesforce is facing at least 14 lawsuits from almost two dozen individuals in connection with the data thefts, saying that Salesforce should have had better security around its platform.
SOCRadar, in its report, noted that “importantly, no Salesforce vulnerabilities were exploited. Instead, the attackers relied entirely on social engineering.”
The researchers also wrote that Scattered Lapsus$ Hunters targets high-profile organizations with large volumes of sensitive data or that run critical services, with a focus on such sectors as technology, retail, luxury fashion, aviation, and insurance.
“They take customer records, contact lists, loyalty and payment data, internal business documents, and engineering or source repositories,” they wrote. “Stolen data often fuels extortion, public leaks, or downstream supply-chain attacks. In some cases, attackers used stolen access to disrupt operations, harm reputations, or sell access to other criminals.”
In addition, “target selection follows simple rules. The group prefers organizations with: large customer databases, extensive SaaS integrations, help-desk teams reachable by phone, weak controls around connected apps, and third-party vendors with broad access.”
SOCRadar researchers also noted a clear division of labor within the group, with Scattered Spider providing initial access, ShinyHunters focusing on stealing and publishing data, and Lapsus$ acting as “amplifiers and extortionists.”