Not sure the LAPSUS$ ransomware portal is really them, given they managed to write sentences that make sense and didn’t include an anime girl pooing on Red Reddington or some such. https://social.circl.lu/@Ransomlook/115310385984277849
The Scattered Lapsus$ Hunters portal has 25 victim orgs posted so far, they're an average of about one every 10 minutes.
I've talked to one of the victim orgs - their sample data is indeed from their Salesforce instance. Gonna be a long weekend for a bunch of orgs. Each org also has sample downloads up too.
For anybody following the LAPSUS$ weekend saga - they're staging data into /samples on their Tor server before posting, there's 39 orgs so far, many aren't announced yet - e.g. Cisco
Just for any confusion, this data appears to be via Salesforce and Salesloft Drift a few months ago. Lots of the victim orgs didn't disclose a breach but, well, probably knew.
This is the data LAPSUS$ claims to have on S&P Global (Standard and Poor's), via their portal.
"- 32,795,309+ emails - 164,892,402+ persons records (minimum containing full name and position) - 936,731,849+ company records - 3,121,823,085+ panjiva shipping records - Latest data is from Feb 2025"
The Scattered Spider Lapsus$ ShinyHunters Crimson Collective Fleetwood Mac APT Teen Supergroup say they plan to dump Salesforce data tomorrow at 11:59 East Coast US time (5am UTC on Saturday).
I'm rooting for Salesforce not paying, as it sends a message this cycle needs to stop.
Although the Scattered Spider Lapsus$ ShinyHunters Crimson Collective Fleetwood Mac APT Teen Supergroup portal has a message up saying they're disbanding for the past few days, I don't think it's law enforcement - it appears to just be the group.
For one thing the downloads are still online on the same server.