Between personal data and trade secrets, the courts could take issue.
Under the banner SLSH (Scattered LAPSUS$ ShinyHunters), cybercriminals are currently wielding this argument against Red Hat. The American company does not appear to be in a strong position, having acknowledged the compromise of one of its GitLab instances. It is therefore invited to negotiate; otherwise, they assure, information will be published, giving the justice system plenty to feed on. The ultimatum is set for October 10.
A Series of Incidents Leading to This
Salesforce is faced with a similar situation. Also under the SLSH banner, it has been granted the same window to reach a settlement. Again, with the specter of legal action looming. Or rather, of a “green light” to the proceedings already underway.
The context is indeed different from the Red Hat case. Salesforce is already targeted by numerous lawsuits, primarily in the United States. Among other things, following a major incident disclosed a few weeks ago: the compromise of the integration with a third-party application (the chatbot Salesloft Drift). It served as an entry point into CRM instances. The intrusions occurred between May and July 2025, depending on the victims.
Another campaign unfolded earlier, based on social engineering, notably vishing. Actors associated with ShinyHunters posed as technical support agents and persuaded employees to connect their Salesforce to malicious applications. Initially, these were typically infected versions of the Data Loader tool, intended for bulk data import/export to and from the CRM. Over time, custom applications emerged, but with the same objective of data exfiltration. Other phishing techniques – a false Okta portal, in particular – were exploited in parallel. In some cases, months elapsed before the victim became the target of extortion. In the meantime, the stolen data could accompany lateralization operations. Allianz, Jaguar Land Rover, LVMH, TransUnion and Workday are among the companies that have reported being affected.
The Threat of Legal Action
Several of the cases filed against Salesforce are being handled by Berger Montague. The cybercriminals make it a focal point: they express a willingness to cooperate with the law firm by providing lists of victims; and, for each, samples of data. They go further, explaining that they want to prove to the U.S. judiciary that Salesforce acted with criminal negligence by not remediating the situation when it had the time and the means.
Salesforce is not alone in receiving an ultimatum. The same goes for about forty victims. For three of them, the announced breach dates go back to last year (April 23, 2024 for Kering, May 2 for Adidas, September 8 for IKEA). In this sense, the operation appears to be the culmination of a long series of leaks.
If the dates shown are to be believed, the attacks occurred in waves. Examples:
- Disney, Instacart, Puma and Toyota between May 1 and May 2
- ASICS and Gap on June 17
- Chanel, KFC, McDonald’s and Qantas between June 26 and 28
- Fujifilm and Marriott on August 17
Stellantis and Air France-KLM are noted on the list. One of the samples published for the first case includes 126 CRM fields… and the associated values. For the second, the pirates claim both employee data and client interaction data were leaked.
