leaksear.ch has indexed a Gap Inc. Salesforce customer dataset containing 223,110 records, with October 3, 2025 listed as the leak date (leaksear.ch metadata). Gap Inc. is a U.S. specialty apparel company whose brands include Old Navy, Gap, Banana Republic, and Athleta (www.gapinc.com). The indexed fields include names, emails, phone numbers, addresses, dates of birth, loyalty data, and internal Salesforce identifiers (leaksear.ch metadata).
What happened
On October 3, 2025, BleepingComputer reported that an extortion group had launched a data leak site for 39 companies affected by Salesforce breaches, naming Gap among the listed companies and showing samples of allegedly stolen data (www.bleepingcomputer.com). The actors claimed affiliation with ShinyHunters, Scattered Spider, and Lapsus$ and used the Scattered Lapsus$ Hunters name (www.bleepingcomputer.com).
Help Net Security also reported that the site listed GAP and that entries included breach dates, data types, data amounts, and sample links. It described the broader victim set as mostly involving personal and contact information, with some listings containing account IDs, dates of birth, passport numbers, Social Security numbers, purchases, live chat transcripts, and other data (www.helpnetsecurity.com).
The Gap-specific leak-source metadata attributes this dataset to a Salesloft Drift OAuth-token compromise of Gap's Salesforce environment (leaksear.ch metadata). Public threat intelligence supports the broader mechanism: Google Threat Intelligence reported that UNC6395 targeted Salesforce customer instances from August 8 through at least August 18, 2025, using compromised OAuth tokens associated with the Salesloft Drift app (cloud.google.com). The FBI later warned that UNC6395 used compromised Salesloft Drift OAuth tokens to compromise Salesforce instances and exfiltrate data (www.fbi.gov). Google said Salesloft and Salesforce revoked active Drift access and refresh tokens on August 20, 2025, and that the issue did not stem from a vulnerability in the core Salesforce platform (cloud.google.com). Public sources cited here confirm the broader Salesforce extortion campaign and that Gap was named on the extortion site; the exact Gap record count and field list come from leaksear.ch metadata.
What data was exposed
leaksear.ch indexing metadata lists the primary searchable personal fields as address, country, date of birth, email, name, and phone (leaksear.ch metadata).
The record schema also includes billing, shipping, and mailing address fields; customer and external customer IDs; brand and cardholder fields; registration and loyalty/rewards fields; phone and email delivery status fields; and Salesforce system identifiers such as account and contact-style IDs, owner IDs, record type IDs, sync timestamps, creation dates, and modification dates (leaksear.ch metadata).
The supplied metadata does not list passwords, password hashes, Social Security numbers, passport numbers, bank account numbers, or payment card numbers as fields in this Gap dataset (leaksear.ch metadata).
Why this matters
Because the data links identity, contact channels, home or shipping addresses, date of birth, and loyalty context, the main risk is targeted phishing by email, SMS, phone, and mail. Attackers can reference rewards, refunds, shipping addresses, or account updates to make impersonation attempts look credible (leaksear.ch metadata).
The FBI warning shows these Salesforce campaigns have paired bulk data theft with extortion and social engineering, which makes follow-on lures a realistic risk rather than a generic concern (www.fbi.gov). Security teams should watch for Gap- or loyalty-themed lures, unexpected password-reset or address-change messages, and support calls that use personal details to bypass identity checks. If you are a Gap customer or are triaging exposure for an organization, check leaksear.ch for matches using email, phone, name, address, country, or date of birth.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone.
Sources
- BleepingComputer: ShinyHunters launches Salesforce data leak site to extort 39 victims
- Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce
- Google Cloud Blog: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
- Gap Inc.: About