
Ransomware Group “Trinity of Chaos” Launches Data Leak Site

By Team-CWD, October 6, 2025


A new data leak site hosted on the TOR network has been launched by the “Trinity of Chaos” – a ransomware collective allegedly tied to the Lapsus$, Scattered Spider and ShinyHunters groups.

The site lists 39 major global companies, marking a significant escalation in the group’s cybercriminal operations, according to a report from Resecurity.

A New Phase in Ransomware Tactics

The Trinity of Chaos group has not claimed any fresh attacks but instead published previously undisclosed data from past breaches. Among those listed are Toyota, FedEx, Disney, UPS, Marriott and Google.

The collective has also threatened Salesforce after exploiting vulnerabilities in its environment, claiming to possess massive amounts of corporate data. Salesforce has dismissed the claim, stating no new vulnerabilities exist, though it acknowledged that prior breaches could have compromised customer data.

“It appears the ‘retirement’ of ShinyHunters was short-lived,” said Brian Soby, chief technology officer and co-founder at AppOmni.

“Recent reports indicate the group is not only continuing to extort victims but is now directly threatening Salesforce. Specifically, they claim they will collaborate with plaintiffs in ongoing lawsuits against Salesforce over recent breaches unless Salesforce pays them directly.”

The group said it had attempted to negotiate with Salesforce and warned that if ignored, it would report the breach to regulators, potentially leading to “criminal negligence charges.” Their message mirrors tactics used by other ransomware actors that pressure companies through regulatory threats, particularly under EU GDPR rules.

“This tactic is unusual,” Soby said.

“To our knowledge, it is the first time an attacker has threatened to participate in or leverage existing litigation against the vendor of a compromised platform and its native security tools as part of an extortion campaign.”

Read more on Salesforce cybersecurity risks: Critical Vulnerability in Salesforce AgentForce Exposed

Data Samples and Past Breaches

Resecurity confirmed that leaked samples contain significant personally identifiable information (PII) but few passwords, suggesting that data was likely obtained from Salesforce instances via stolen OAuth tokens and vishing attacks tied to Salesloft’s Drift AI integration. The FBI has since issued a flash alert to help organizations detect similar breaches.

“At the same time, it’s important to note that ShinyHunters gained access through phishing and stole customer user credentials,” Soby added.

“Under the Shared Responsibility model, preventing and detecting such activity falls squarely within the customer’s domain.”

The data leak site lists recent victims, including Stellantis, which reported a North American data breach in September, and Aeroméxico, which suffered an attack in July affecting 39 million records.

Other incidents involve major airlines such as Air France, KLM, Qantas and Vietnam Airlines, the latter compromised for nearly three years.

Global Impact and Escalation

The leaked data also includes files connected to Google AdWords and Cisco. For Google, exposed records appear linked to corporate Salesforce environments, potentially affecting digital advertisers and media partners. Cisco’s data, meanwhile, contains details about employees and customers from agencies like the FBI, DHS, NASA and India’s Ministry of Defense.

“Ultimately, these incidents highlight a broader issue,” Soby said.

“Many SaaS customers have yet to adopt the tools and practices necessary to effectively meet their Shared Responsibility obligations.”

In total, the group claims to possess over 1.5 billion records across 760 companies, including:

October 10 is the negotiation deadline before further data is published. Resecurity noted that the leak site itself has faced DDoS attacks, possibly from victims trying to prevent additional leaks.

If the data is released, experts warn that it could fuel large-scale phishing, identity theft and malicious AI-driven data mining.


