UPS, one of the world's largest package delivery companies, was caught up in a supply chain breach targeting Salesforce customer environments in late 2025. A threat group calling itself "Scattered LAPSUS$ Hunters" exploited OAuth token abuse and social engineering to access CRM (customer relationship management) data across dozens of major organizations. UPS was listed among roughly 39 named victims on the group's dark web leak site. The attackers released a sample of the stolen UPS database on October 3, 2025, and claimed the full dataset, affecting an estimated 29.6 million records, would be released the following week. Salesforce attributed the incidents to past or customer-side security lapses rather than a compromise of its core platform. The exposed data includes full names, email addresses, phone numbers, and mailing addresses, including street, city, state, ZIP code, and country. For some records, precise geolocation coordinates tied to shipping addresses were also present. Internal UPS account details, such as account numbers, customer segments, and business unit information, were found in the sample as well. For a package delivery company, this combination of data is especially dangerous. Home addresses tied to a known delivery relationship make affected individuals vulnerable to package interception fraud, delivery impersonation scams, and targeted phishing attacks that convincingly mimic UPS communications. The same risk pattern was observed in a parallel breach affecting FedEx from the same campaign. UPS has not issued detailed public statements about the scope of its exposure or its specific response. Salesforce has similarly declined to characterize the incidents as a platform-level failure. No regulatory action or class action litigation has been publicly confirmed as of the time of this writing. Affected individuals should treat any delivery-related messages, whether by email, phone, or text, with heightened suspicion. They should verify communications directly through the official UPS website rather than clicking links or calling numbers provided in unsolicited messages.

Transportation and supply-chain networks collect shipper and recipient identity, addresses, phone numbers, shipment history, delivery instructions, and business logistics records.

UPS has been navigating a period of volume and revenue pressure following the pandemic-era delivery surge. The company executed significant workforce reductions in 2023 and 2024 as part of a cost restructuring program, including a major reduction following renegotiated terms with its largest customer Amazon. It reached a new five-year contract with the Teamsters union in 2023 following strike threats. The Scattered LAPSUS$ Hunters Salesforce campaign in late 2025 was the primary data security event of the period.