What we know so far: A hacking collective responsible for leaking personal data on hundreds of federal officials last week has reportedly amassed private records on tens of thousands more, according to new information shared with cybersecurity reporters. The group, which calls itself Scattered LAPSUS$ Hunters, claims to have built the database by sifting through massive troves of stolen Salesforce customer information – data obtained during a series of breaches earlier this year that targeted the platform's corporate users.

404 Media, which first reported on the doxing of officials from the Department of Homeland Security, Immigration and Customs Enforcement, the FBI, and the Department of Justice, has verified portions of the newly obtained material. Records reviewed by the publication included personal details of current and former employees from the National Security Agency, the Defense Intelligence Agency, and the Federal Trade Commission, among others.

The sample data also appeared to contain contact information for officials at the Centers for Disease Control and Prevention, the Food and Drug Administration, and the Bureau of Alcohol, Tobacco, Firearms and Explosives.

A member of the group told 404 Media that its cache now contains information on more than 22,000 government officials. The files, they claimed, were assembled from stolen Salesforce data and supplemented with details drawn from other leaks.

Cybersecurity firm District 4 Labs corroborated portions of the records, confirming that many names, agencies, and phone numbers matched information from known breaches.

The disclosures come amid growing concern about the scale of the Salesforce compromises, which cybersecurity researchers say resulted from a combination of social engineering and phishing techniques. Attackers reportedly tricked employees at major companies into connecting to a malicious app designed to mimic legitimate Salesforce integrations.

Once credentials were captured, the hackers gained access to vast internal databases. According to reports earlier this month, victims included Disney, FedEx, Toyota, and UPS, among others. Scattered LAPSUS$ Hunters publicly claimed that the compromise yielded more than a billion records.

The group's activities have drawn comparisons to several well-known cybercriminal networks. Its name combines elements of previous high-profile hacker collectives – Scattered Spider, LAPSUS$, and ShinyHunters – all of which emerged from loosely organized online communities known collectively as "the Com."

These online spaces, often hosted on Telegram or Discord, blend social interaction with digital crime. Participants trade data, breach targets, and occasionally turn on one another. Attacks originating from these communities have targeted major companies including MGM Resorts and Caesars Entertainment, combining financial extortion with public humiliation tactics such as doxing.

Scattered LAPSUS$ Hunters first gained attention after publishing the personal information of hundreds of Department of Homeland Security, ICE, and Justice Department employees, including residential addresses.

DHS has not responded to multiple requests for comment on the exposure, and Salesforce has declined to comment on the group's claims. Both the FTC and the US Air Force confirmed awareness of the breach reports but did not provide further details.

When the hackers reached out to journalists, they verified their identity using a PGP key associated with a member of ShinyHunters, a longtime participant in international hacking incidents. PGP, or Pretty Good Privacy, is a cryptographic system whose digital signatures let a recipient confirm a message's provenance. A valid signature shows that the sender controls the corresponding private key, which suggests that the individual contacting reporters was genuinely connected to the broader cybercriminal network.

The group's Telegram channel, which hosted recent leaks and communications, went offline shortly after the mass doxing of Department of Homeland Security personnel and the release of data purportedly tied to an NSA official.

One Scattered LAPSUS$ Hunters representative told reporters that the takedown likely followed the release of that NSA record, speculating that their servers were "taken offline, presumably seized."

While it remains unclear whether federal authorities intervened, the incident illustrates a growing intersection between corporate data breaches and exposure of government personnel. Information stolen from enterprise cloud platforms is increasingly likely to spill over into the targeting of public employees.