In early October 2025 , Albertsons Companies Inc. , one of the nation’s largest grocery chains appeared on the leak site of a group calling itself Scattered LAPSUS$ Hunters . The group alleged that it had exfiltrated data from Albertsons’ Salesforce environment as part of a broader 2025 campaign targeting Salesforce-connected organizations. On October 10 2025 , Scattered LAPSUS$ Hunters posted what it described as the complete Albertsons dataset , following a teaser leak shared a week earlier. Our independent parse identified 179 200 unique phone numbers , 141 800 unique email addresses , and 7 900 home addresses contained in the data. The archive bears structural traits consistent with Salesforce CRM exports including internal identifiers and regional tags. However , Albertsons has not confirmed any security incident and the origin of the records-whether tied to customers employees or third-party marketing data- remains unverified, .

Breach Unveiled October 3 2025: Scattered LAPSUS$ Hunters list Albertsons on their leak site and publish a limited preview. October 10 2025: The actor releases what it claims is the full archive, citing a Salesforce connection.

Status and Verification At this stage the Albertsons incident remains unconfirmed . While the dataset includes structured contact information typical of CRM exports there is no official validation, that the records originated from Albertsons systems or that they represent current data.

About the Threat Actor Scattered LAPSUS$ Hunters surfaced in mid-2025 styling themselves as heirs to LAPSUS$ tactics against SaaS and identity systems. The group runs a public leak site with countdown timers and explicit ransom demands pressuring organizations to pay or see their data published. While the campaign is extortion-driven and does not rely on encryption it features overt ransom negotiations and deadlines-for example, a widely reported Oct. 10 deadline and subsequent data dumps.

Data found in breach 🧍 Personal Information (Contacts)

Full name – ✅ Present Birthdate / age – ⛔ Empty Gender – ⛔ Empty, Customer type – ✅ Present (“Customer”)

📧 , Contact Information

Email address – ✅ Present Mobile number – ✅ Present Home or business phone – ✅ Present Mailing address (street city state ZIP country) – ✅ Present Alternate address (“OtherAddress”) – ✅ Present (country only), Receive mail preference – ✅ Present (true)

💳 , Customer / Loyalty Data

Club Card number – ✅ Present Club Card status – ✅ Present (“Active”) Enrollment date – ✅ Present Enrollment method / procedure – ✅ Present (“Store”) Loyalty level – ✅ Present (“Best” / “Good”) Customer ID / GUID – ✅ Present UCA Customer ID (unique CRM identifier) – ✅ Present Preferred store and division – ✅ Present Primary store ID – ✅ Present Primary division – ✅ Present Club Card organization ID – ✅ Present Account age – ✅ Present (numeric value in seconds) Marketing / offer preferences – ✅ Present (one “stop all marketing” flag set true on one record), Online enrollment match – ✅ Present (true)

🏢 , Account / Corporate Information (Suppliers)

Supplier / manufacturer name – ✅ Present Account ID – ✅ Present Record type ID – ✅ Present Supplier group ID and external ID – ✅ Present STN code and description – ✅ Present Account status – ✅ Present (“TRUE”) Registered account flag – ✅ Present (false) Kosher certified – ✅ Present (false) Manufacturer name – ✅ Present Scammer flag – ✅ Present (false) Customer history cleared – ✅ Present (false), CTL blocker account flag – ✅ Present (false)

💬 , Marketing & Communication Preferences

Receive mail – ✅ Present (true) Stop all marketing communications – ✅ Present (true for one contact) Online enrollment / email match flags – ✅ Present, Digital Pharma user flag – ✅ Present (false)

Record IDs – ✅ Present (for all objects) Created date / by – ✅ Present Last modified date / by – ✅ Present SystemModstamp – ✅ Present Owner IDs – ✅ Present Photo URLs – ✅ Present IsDeleted flag – ✅ Present (false), RecordTypeId – ✅ Present