Gap Inc., the apparel company behind Old Navy, Gap, Banana Republic, and Athleta, is named in a Salesforce-related leak indexed by leaksear.ch containing 271,049 internal Salesforce User records (leaksear.ch metadata, www.gapinc.com). The dataset carries an October 3, 2025 breach date, the same day public reporting said ShinyHunters and Scattered Lapsus$ Hunters launched a Salesforce data leak site listing Gap among 39 organizations (www.bleepingcomputer.com).
What happened
BleepingComputer reported on October 3, 2025 that an extortion group launched a new leak site for companies affected by a wave of Salesforce breaches, with entries containing samples allegedly stolen from Salesforce instances and a deadline for victims to respond. Gap was included in the list of named organizations (www.bleepingcomputer.com).
Help Net Security separately reported that the Scattered Lapsus$ Hunters site listed 39 companies and described the exposed Salesforce data as apparently stolen through social engineering. Public reporting reviewed for this article does not confirm which access method applied to Gap specifically, so the Gap-specific intrusion path should be treated as unconfirmed (www.helpnetsecurity.com).
The broader campaign context is well documented. The FBI warned in September 2025 that UNC6040 used voice phishing and malicious connected apps to access Salesforce instances, while UNC6395 used compromised OAuth tokens tied to the Salesloft Drift application. Those details explain the Salesforce-focused threat activity, but they do not by themselves prove how the Gap dataset was obtained (www.fbi.gov).
What data was exposed
The leaksear.ch indexed dataset is described as Gap Inc. internal Salesforce User records. Searchable fields include name, username, email address, phone number, address, country, and date of birth (leaksear.ch metadata).
Additional stored fields in the dataset schema include Salesforce account and contact identifiers, aliases, community nicknames, company and department data, division and title fields, manager and role identifiers, employee numbers, brand, market, store and location fields, shipping and mailing address components, registration fields, reward program fields, and activity or login timestamps (leaksear.ch metadata). These fields provide context about the records but are not all direct search pivots on leaksear.ch.
Why this matters
The combination of names, emails, usernames, phone numbers, addresses, dates of birth, and Salesforce context can support targeted phishing, identity verification abuse, and impersonation attempts. Role, department, store, brand, and manager-related fields may also make social engineering against help desks, retail operations, or account support teams more convincing (leaksear.ch metadata, www.fbi.gov). Individuals and organizations concerned about this leak should check whether their data appears in the Gap dataset on leaksear.ch.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username.