Engie Resources, a U.S. retail energy provider serving industrial and commercial customers, is tied to a Salesforce data leak indexed by leaksear.ch at 261,531 records, with a listed breach date of July 18, 2025 (leaksear.ch metadata, engieresources.com). The indexed data includes names, addresses, phone numbers, email addresses, usernames, countries, and Salesforce account and contact metadata (leaksear.ch metadata).
What happened
Public reporting in October 2025 placed Engie Resources among organizations whose data allegedly appeared in the Scattered LAPSUS$ Hunters / ShinyHunters Salesforce extortion wave. SecurityWeek reported on October 13, 2025 that the group had leaked millions of records allegedly stolen from Salesforce customers, and that the published data allegedly pertained to Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines (securityweek.com). Resecurity also listed Engie Resources among 39 companies posted to the group’s data leak site on October 3, 2025 (resecurity.com).
The exact initial access path for Engie Resources is not publicly confirmed in the reviewed sources. The broader 2025 Salesforce-targeting activity included separate clusters: Google described UNC6040 voice-phishing attacks that manipulated users into authorizing malicious connected apps, while another Google advisory described UNC6395 data theft through compromised Salesloft Drift OAuth tokens. The FBI also warned in September 2025 that UNC6040 and UNC6395 were targeting Salesforce platforms for data theft and extortion (cloud.google.com, cloud.google.com, fbi.gov).
Salesforce has disputed that the activity reflected a compromise of the core Salesforce platform. SecurityWeek reported that Salesforce said the extortion attempts related to past or unsubstantiated incidents and not platform vulnerabilities, while BleepingComputer separately reported Salesforce’s position that the platform itself had not been compromised and that customer-side social engineering remained a key risk (securityweek.com, bleepingcomputer.com).
What data was exposed
leaksear.ch indexes 261,531 Engie Resources records from this leak (leaksear.ch metadata). The searchable fields are address, country, email, name, phone, and username (leaksear.ch metadata).
Other stored fields include Salesforce account and source metadata, billing, shipping, service and corporate address fields, account balance and invoice-related fields, company profile details, and FinancialForce CODA banking, tax, payment, receivables, and payables metadata (leaksear.ch metadata). The field list includes columns for bank account, IBAN, SWIFT, sort code, taxpayer identification, and payment-method information, but the metadata does not state how often those columns were populated (leaksear.ch metadata).
Why this matters
For affected customers and business contacts, names combined with email addresses, phone numbers, postal addresses, and account context can support credible phishing, vendor impersonation, and billing-themed social engineering. For security teams, Salesforce account metadata can help attackers tailor messages around energy services, invoices, account balances, facilities, or payment workflows where those fields are present. Organizations with potential exposure should review Salesforce, identity, and connected-app logs around the July 18, 2025 breach date where available, and individuals or businesses that interacted with Engie Resources should use the exposure check below to see whether their data appears in this leak (leaksear.ch metadata).
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username.
Sources
- ENGIE Resources: About Us
- SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks
- Resecurity: ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
- Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion
- Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
- SecurityWeek: Hackers Extorting Salesforce After Stealing Data From Dozens of Customers
- BleepingComputer: ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH