A hacker group recently launched a website dedicated to blackmailing victims, threatening to disclose about one billion customer data records it had stolen from the enterprise cloud database-a database operated by Salesforce. This loose group, which once operated under the names Lapsus$, Scattered Spider and ShinyHunters, has now launched an exclusive data leak website called "Scattered LAPSUS$ Hunters" on the dark web.

Security intelligence experts discovered on Friday that the website was trying to demand ransom from victim companies by threatening to release data. "Contact us to restore data governance rights and prevent your data from being published. Don't be the next headline. All communications are subject to rigorous verification and handled with caution," the website's homepage reads.

The ShinyHunters gang is said to have compromised dozens of well-known companies in the past few weeks by attacking cloud databases hosted by Salesforce. Some companies that have confirmed data theft include insurance giant Allianz Life, Google, fashion group Kering, Qantas, car manufacturer Stellantis, credit reporting company TransUnion, and employee management platform Workday.

The hacker leak website also lists other victims, including FedEx, Disney's Hulu and Toyota Motor. As of press time, these companies have not responded. It's unclear whether companies confirmed to have been hacked but not listed on the leaked sites have paid ransoms to the hackers. In response to TechCrunch's inquiry, ShinyHunters stated that "there are many other companies that are not listed" but did not disclose the specific reasons.

At the top of the website, the hacker named Salesforce directly and demanded that the company negotiate a ransom or "all customer data will be leaked." Its statement implies that Salesforce has not yet been in contact with the hacking group.

Salesforce spokesperson Nicole Aranda pointed out that Salesforce "is aware of recent blackmail activities by threat actors." The company statement said: "Our investigation results indicate that these behaviors are related to past or unsubstantiated cases, and we are in contact with affected customers and providing support. As of now, there is no evidence that the Salesforce platform has been compromised, and no known vulnerabilities in related technologies have been found." Aranda declined to comment further.

Security experts have speculated for weeks that the group, which has long kept a low profile online, was preparing to launch a data-exfiltration website for the purpose of extortion. In the past, such websites were mostly run by Russian-speaking ransomware gangs. In recent years, these cybercriminal groups have gradually evolved from simply stealing, encrypting data, and extorting privately to a new model of threatening public data to demand ransom.