Just before midnight on October 10’th 2025 (11:59 p.m. ET) , the group calling itself Scattered LAPSUS$ Hunters published what it claimed was a Gap Inc. dataset , following days of public ransom countdowns and extortion demands on its leak site. The group alleged that the data was taken from Gap’s Salesforce environment , as part of a broader 2025 campaign exploiting Salesforce-connected systems. Our independent parse confirmed 256 200 unique email addresses , 152 100 phone numbers and 146 100 home addresses contained in the leaked dataset. The data structure is consistent with Salesforce PersonAccount exports featuring customer or contact records system metadata and loyalty account fields. As of publication , Gap Inc. has not confirmed any breach and the authenticity or origin of the dataset remains unverified, .

Breach Unveiled Early October 2025: Gap Inc. appears on the Scattered LAPSUS$ Hunters leak site alongside other alleged Salesforce clients. October 10 2025: The group issues a public ransom deadline threatening full release if no payment is made. October 11 2025 (11:59 p.m. ET): Countdown expires; the group posts the full archive under Gap’s name. As of this writing , Gap has made no public statement and no data-breach notifications or regulatory filings, appear on state or federal portals.

About the Threat Actor Scattered LAPSUS$ Hunters emerged in mid-2025 positioning itself as a spiritual successor to LAPSUS$ . The group runs a public leak portal featuring ransom countdowns and payment deadlines , and when demands are ignored it posts full datasets. Unlike encryption-based ransomware groups their operations focus on data theft extortion and public exposure .

The Bigger Picture The Gap posting is the latest in a string of Salesforce-linked extortion cases throughout 2025 joining leaks naming Albertsons Qantas and others. The recurring structure and metadata across these dumps underscore potential systemic risks within shared CRM and SaaS integrations . Until Gap Inc. or Salesforce confirm or deny the compromise the scope authenticity and impact of the leaked data remain uncertain. DataBreach.com has indexed and anonymized the dataset, for monitoring and research transparency.

Data found in the breach 🧍 Personal Information

Full name – ✅ Present Record type (PersonAccount) – ✅ Present Gender – ⛔ Empty, Birthdate / age – ⛔ Empty

📧 , Contact Information

Email address – ✅ Present Phone number – ✅ Present Mailing address (street city state ZIP country) – ✅ Present Shipping address – ✅ Present Country – ✅ Present, Alternate phone or email – ⛔ Empty

💳 , Account & Loyalty Data

Customer account ID – ✅ Present External customer ID – ✅ Present Registration date – ✅ Present Rewards and loyalty program information – ✅ Present (includes points balance tier and value) Reward tier (US/CA) – ✅ Present Fraud status – ✅ Present (“Blue”) Reward points fields – ✅ Present (including active pending and value in USD), Loyalty email – ⛔ Empty

🏢 , Company / System Fields

Store primary ID – ✅ Present Market code – ✅ Present (“US”) Brand code – ✅ Present (“BR”) Owner profile / agent – ✅ Present Ownership flags – ✅ Present (e.g. , hasNoOwner__c: true )

Record IDs (AccountId ContactId) – ✅ Present Record creation date – ✅ Present Record modification date – ✅ Present SystemModstamp – ✅ Present Created by / modified by IDs – ✅ Present Record type ID – ✅ Present Photo URL – ✅ Present Sync status and timestamps – ✅ Present

💬 , Marketing & Communication

Email opt-out flags – ⛔ Empty, Direct marketing / consent fields – ⛔ Empty

📊 , Activity & Visit Metrics

Total visits – ✅ Present (0.0) Total time – ✅ Present (0.0) Starred flag – ✅ Present (false)