bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.
Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th.
While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.
Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.
Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.
One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances.
These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.
The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.
BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database.
BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing.
The Salesforce data-theft attacks
The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.
Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks.
While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider.
However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same.
"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.
"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."
It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested.
Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA.
Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over billion and trillion-dollar companies' IT defenses.
Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
Enfin une bonne nouvelle à propos de Scattered Spider, ce gang de cybercriminels actif depuis le printemps 2022 ? La presse espagnole vient d’annoncer l’arrestation d’un Anglais présenté comme l’un des leaders de ce groupe informel de pirates informatiques. Le jeune homme de 22 ans s'apprêtait à s’envoler vers l’Italie quand il a été arrêté à Palma de Majorque, dans l’archipel des Baléares.
The source code for Grand Theft Auto 5 was reportedly leaked on Christmas Eve, a little over a year after the Lapsus$ threat actors hacked Rockstar games and stole corporate data.
Judge says hacker remains a high risk through his skills and motivation to carry out cyber crime.
International cybercrime, as portrayed by the movies and mass media, is a high-stakes game of shadowy government agencies and state-sponsored hacking groups. Hollywood casting will wheel out a charact...
The 18 year old leaked clips of the unreleased Grand Theft Auto 6 game while on police bail.
Two teenagers, ages 18 and 17, were found guilty of hacking into major corporations. The cases involved Uber, Nvidia and more.
Two UK teenagers were accused of being key members of the notorious hacking group Lapsus$, with prosecutors alleging that the pair were involved in attacks on companies including Nvidia Corp., Rockstar Games Inc., and Uber Technologies Inc.
Specializzati soprattutto in social engineering, i ragazzini di oggi continuano, come un tempo, a essere protagonisti di gravi incidenti informatici. Come è possibile?
Updates on security incident
The actions of the relatively new group have led to an international police hunt.
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.
Documents shed some light on how Okta and its subprocessor Sitel reacted to a breach, but they don’t explain the apparent lack of urgency.
Police say they've arrested seven teenagers as part of their investigation into a hacking group.
Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.
You may not have missed all the noises recently caused by Lapsus$, a group that seems to specialize in extortion without necessarily leveraging ransomware.
At first glance, Lapsus$ check marks all elements that would make researchers put them in the low priority threats, especially considering their readiness to make dramas and OpSec failures. Except that the group has successfully managed to significantly enrich its victim list with high profile corporations, thus drawing all our attention.
In the following, we will describe the threat actor profile that was drawn by our investigations based either on OSINT, dark web or infrastructure analysis.
La société affirme qu'un "petit pourcentage" de clients, 2,5 %, aurait pu voir ses données consultées ou faire l'objet d'une action de la part des pirates spécialisés dans le ransomware.
This update was posted at 6:31 PM, Pacific Time.
As we shared earlier today, we are conducting a thorough investigation into the recent LAPSUS$ claims and any impact on our valued customers. The Okta service is fully operational, and there are no corrective actions our customers need to take.
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
The Lapsus$ hacking group claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server.
