Gap Breach
Oct 10, 2025
224,000 rows
What happened in the Gap Breach?
DataBreach.com Team Β· October 10th 2025, 8:00 pm EDT
Just before midnight on October 10'th, 2025 (11:59 p.m. ET), the group calling itself Scattered LAPSUS$ Hunters published what it claimed was a Gap Inc. dataset, following days of public ransom countdowns and extortion demands on its leak site. The group alleged that the data was taken from Gapβs Salesforce environment, as part of a broader 2025 campaign exploiting Salesforce-connected systems.
Our independent parse confirmed 256,200 unique email addresses, 152,100 phone numbers, and 146,100 home addresses contained in the leaked dataset. The data structure is consistent with Salesforce PersonAccount exports, featuring customer or contact records, system metadata, and loyalty account fields.
As of publication, Gap Inc. has not confirmed any breach, and the authenticity or origin of the dataset remains unverified.
Breach Unveiled
Early October 2025: Gap Inc. appears on the Scattered LAPSUS$ Hunters leak site alongside other alleged Salesforce clients.
October 10, 2025: The group issues a public ransom deadline, threatening full release if no payment is made.
October 11, 2025 (11:59 p.m. ET): Countdown expires; the group posts the full archive under Gapβs name.
As of this writing, Gap has made no public statement, and no data-breach notifications or regulatory filings appear on state or federal portals.
About the Threat Actor
Scattered LAPSUS$ Hunters emerged in mid-2025, positioning itself as a spiritual successor to LAPSUS$. The group runs a public leak portal featuring ransom countdowns and payment deadlines, and when demands are ignored, it posts full datasets.
Unlike encryption-based ransomware groups, their operations focus on data theft, extortion, and public exposure.
The Bigger Picture
The Gap posting is the latest in a string of Salesforce-linked extortion cases throughout 2025, joining leaks naming Albertsons, Qantas, and others. The recurring structure and metadata across these dumps underscore potential systemic risks within shared CRM and SaaS integrations.
Until Gap Inc. or Salesforce confirm or deny the compromise, the scope, authenticity, and impact of the leaked data remain uncertain.
DataBreach.com has indexed and anonymized the dataset for monitoring and research transparency.
Data found in the breach
π§ Personal Information
- Full name - β Present
- Record type (PersonAccount) - β Present
- Gender - β Empty
- Birthdate / age - β Empty
π§ Contact Information
- Email address - β Present
- Phone number - β Present
- Mailing address (street, city, state, ZIP, country) - β Present
- Shipping address - β Present
- Country - β Present
- Alternate phone or email - β Empty
π³ Account & Loyalty Data
- Customer account ID - β Present
- External customer ID - β Present
- Registration date - β Present
- Rewards and loyalty program information - β Present (includes points balance, tier, and value)
- Reward tier (US/CA) - β Present
- Fraud status - β Present (βBlueβ)
- Reward points fields - β Present (including active, pending, and value in USD)
- Loyalty email - β Empty
π’ Company / System Fields
- Store primary ID - β Present
- Market code - β Present (βUSβ)
- Brand code - β Present (βBRβ)
- Owner profile / agent - β Present
- Ownership flags - β
Present (e.g.,
hasNoOwner__c: true)
βοΈ System Metadata
- Record IDs (AccountId, ContactId) - β Present
- Record creation date - β Present
- Record modification date - β Present
- SystemModstamp - β Present
- Created by / modified by IDs - β Present
- Record type ID - β Present
- Photo URL - β Present
- Sync status and timestamps - β Present
π¬ Marketing & Communication
- Email opt-out flags - β Empty
- Direct marketing / consent fields - β Empty
π Activity & Visit Metrics
- Total visits - β Present (0.0)
- Total time - β Present (0.0)
- Starred flag - β Present (false)
