The Encore No One Wanted — ShinyHunters relaunch "BreachForums" as an extortion hub after Salesforce megabreach

DataBreach.com Team · October 4th 2025, 12:53 am EDT

They swore they were done.

Weeks after claiming to have stolen a billion Salesforce-customer records, the hackers calling themselves ShinyHunters said they were “going dark.”

They didn’t.

A new domain - breachforums.hn - just went live, carrying their logo and a chilling message: “Scattered LAPSUS$ Hunters | DLS.”
It’s not a forum. It’s a scoreboard of extortion.

Dozens of household-name companies now appear there - Disney, Marriott, FedEx, UPS, Home Depot, and scores of others - all given the same ultimatum: pay before October 10 or get dumped.


A Familiar Name, a Darker Purpose

The BreachForums brand has been through arrests, takedowns, and FBI seizures. But the name still sells fear. By reviving it, ShinyHunters give themselves instant credibility - and a bigger stage for their latest campaign.

The site surfaced just as investigators were unpacking the Salesforce fallout, where attackers used convincing social-engineering calls and fake support prompts to trick employees into granting access to customer environments.
Salesforce itself shut down a vulnerable integration tied to Drift earlier this year, but the current leak-site victims appear to stem from a separate set of social-engineering compromises, not that integration.

That distinction matters - though the two waves blur together in public perception, we still can’t be certain whether some overlap exists.


Victims Claimed on BreachForums.hn

According to the leak site, these are among the companies listed and the number of records the attackers claim to hold:

  • FedEx - 166,293,145
  • Toyota - 110,295,014
  • Petco - 94,403,424
  • Hulu - 94,151,500
  • Kering - 56,407,951
  • Cartier - 45,351,972
  • Republic Services - 40,903,239
  • Instacart - 39,262,001
  • UPS - 29,618,000
  • Vietnam Airlines - 23,129,780
  • Aeromexico - 20,570,299
  • Adidas - 20,241,212
  • Ikea - 14,761,683
  • TransUnion - 13,107,653
  • AFKL (Air France-KLM) - 12,305,429
  • McDonald’s - 12,179,869
  • Triplea - 11,193,616
  • Home Depot - 10,549,381
  • Stellantis - 9,429,250
  • Pandora - 8,904,824
  • HBO Max - 7,750,156
  • Puma - 6,861,349
  • Qantas - 5,969,578
  • HMH (Houghton Mifflin Harcourt) - 5,300,000
  • Asics - 4,700,000
  • Google - 2,550,800
  • Instructure - 2,310,689
  • Cisco - 1,440,000
  • Walgreens - 1,345,250
  • Saks Fifth Avenue - 1,168,531
  • KFC - 1,117,000
  • Marriott - 1,113,818
  • Chanel - 1,106,976
  • Albertsons - 672,000
  • Engie - 537,000
  • Carmax - 451,994
  • Fujifilm - 224,868
  • Gap - 224,000

Whether these numbers represent actual stolen records or inflated extortion claims remains to be seen. But the roster alone - spanning airlines, retail, food, finance, and tech - underscores the campaign’s reach.


What’s Really Happening

This isn’t about data trading - it’s about leverage.
The group is recycling stolen Salesforce data to pressure companies directly, demanding ransom to keep it private. Countdown clocks mark the days left before release.

It’s the same tactic we’ve seen from ransomware crews - only without the encryption. The data itself becomes the weapon.


The Human Fallout

For the companies caught in the middle, the numbers tell part of the story - but the real damage is trust. Customer records, contact details, and internal notes are the lifeblood of any CRM. Losing control of them doesn’t just create privacy exposure; it erodes the customer relationships those systems were built to protect.

Several listed firms are still investigating whether their inclusion is legitimate or a bluff. Either way, the reputational risk is real - and growing by the day.


What Comes Next

If the pattern holds, these leaks will roll out in waves: partial dumps to prove authenticity, public shaming for those who stay silent, and new victims added to keep the pressure high.

For now, every Salesforce customer should assume the campaign isn’t over. Rotate access tokens. Re-check connected apps. And don’t assume silence means safety - ShinyHunters already proved that going “dark” doesn’t mean gone.

For media inquiries, contact us at contact@databreach.com