A dataset attributed to ENGIE Resources contains 449,645 Salesforce-sourced records (about 450,000 entries), with a listed breach date of July 18, 2025 (leaksear.ch metadata). ENGIE Resources describes itself as a licensed U.S. retail energy provider for industrial and commercial customers, and the indexed data includes contact, identity, network, and account-related fields (leaksear.ch metadata) (www.engieresources.com).
What happened
leaksear.ch metadata says the data was exfiltrated from the company’s Salesforce instance and published on October 10, 2025 by the Scattered LAPSUS$ Hunters/ShinyHunters extortion crew after ransom demands were not met (leaksear.ch metadata). Public reporting in October 2025 placed Engie Resources in the broader Salesforce extortion campaign: Help Net Security reported that the leak site listed 39 companies whose data was apparently stolen by compromising corporate Salesforce instances via social engineering, Resecurity listed Engie Resources among the companies on the site, and DataBreaches.net listed Engie Resources with a July 18, 2025 date and a 3 GB claim while warning that the claims were not confirmed (www.helpnetsecurity.com, www.resecurity.com, databreaches.net).
SecurityWeek reported on October 13, 2025 that Scattered LAPSUS$ Hunters had leaked data allegedly pertaining to Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines after Salesforce said the extortion attempt related to past or unsubstantiated incidents and refused to pay (www.securityweek.com).
The exact initial access vector for the Engie Resources dataset is not established in the public reports reviewed here. The broader Salesforce data-theft activity around the same period involved at least two patterns: UNC6040 vishing and malicious or abused connected apps, and UNC6395 abuse of compromised Salesloft Drift OAuth tokens (cloud.google.com, cloud.google.com, www.fbi.gov).
What data was exposed
leaksear.ch indexes the following fields as searchable in this dataset: address, country, date of birth, email address, IP address, name, phone number, and username (leaksear.ch metadata).
Other stored fields in the record schema include Salesforce and customer operations fields such as account balances, account IDs, account source, annual revenue, billing, shipping, and service addresses, bank account and payment reference fields, IBAN, SWIFT, and taxpayer identification field names, utility account data, user agent data, opt-out and status indicators, job title, department, role, and corporate contact details (leaksear.ch metadata). The metadata for this dataset does not identify password or password-hash fields (leaksear.ch metadata).
Why this matters
Energy-provider CRM data can be useful for targeted phishing because it ties people and businesses to utility relationships, addresses, account context, and billing or payment-related field names (leaksear.ch metadata). Security teams should watch for impersonation of ENGIE Resources, invoice redirection attempts, utility-account pretexts, and follow-on credential phishing against exposed email addresses and usernames. Individuals and business contacts should verify unexpected energy billing or account-update messages through known ENGIE Resources channels rather than replying to an inbound message. Readers who may have interacted with ENGIE Resources should check their exposure in this leak on leaksear.ch.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, IP address, name, phone, and username.
Sources
- ENGIE Resources: Commercial energy provider; About ENGIE Resources
- Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce
- Resecurity: ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
- databreaches.net: The following entities appear on a leak site by Scattered LAPSUS$ Hunters
- SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks
- Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion
- Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion