Republic Services 2025 Data Breach

Republic Services Waste Management Company Breach (Salesforce, 2025): 40.9 Million Customer Contact Records Including Home Address Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Scattered Lapsus$ HuntersWaste ManagementEmail AddressPhone NumberPhysical Address
Low SeverityWebsite / service breach

Republic Services Waste Management Company Breach (Salesforce, 2025): 40.9 Million Customer Contact Records Including Home Address Exposed

Waste management company.

Verified by ObscureIQ Intelligence
0/100Breach Risk Index
10Data Value

Breach Intelligence Summary

Entity: Republic Services · Actor: Scattered Lapsus$ Hunters · Sources: 2 references
Attack: Unknown
Profile: Company · Waste management and recycling services · Environmental services provider · USA
Timeline: Breach (2025-10-10) · Year (2025)
Exposure: 40.9M records · 3 fields: Email Address, Phone Number, Physical Address
Status: Reported

Executive Summary

Republic Services, one of the largest waste management companies in the United States, was caught up in a 2025 supply chain attack targeting Salesforce cloud environments. A threat group calling itself "Scattered LAPSUS$ Hunters" claimed responsibility and published a sample of stolen data on October 3, 2025, with the full dataset reportedly scheduled for release on October 10. The breach exposed records tied to an estimated 40.9 million customers. The exposed data includes full names, email addresses, phone numbers, and mailing addresses. Because Republic Services provides residential waste collection, home addresses in this dataset carry an added risk: they can be combined with service schedules to build detailed routine-of-life profiles, revealing when residents are likely away from home. The data also included business account details such as company names, billing addresses, employee counts, revenue figures, and internal account identifiers from the Salesforce platform. Republic Services has not made detailed public statements about the incident, and no major regulatory action or litigation specific to this breach has been documented. Affected individuals should be alert to phishing attempts by email or phone, as the combination of verified contact details and service location information makes targeted scams more convincing. Residential customers in particular should be aware that their address data is now likely in broad circulation.

ObscureIQ assessment: Exposure enables phishing, billing fraud, and targeting of businesses or households through service-location data. Operational records may also support infrastructure or route-based targeting.

Breach Impact

The 2025 breach was part of the Scattered LAPSUS$ Hunters campaign targeting Salesforce cloud environments. The group published a sample of Republic Services customer data on October 3, 2025, including home addresses, phone numbers, and email addresses. Republic Services has not made detailed public statements about the incident, consistent with other brands affected by the same Salesforce-linked campaign. No major regulatory action or litigation specific to this breach has been documented in public sources.

About Republic Services

Republic Services is one of the largest waste management and environmental services companies in the United States, providing collection, recycling, transfer, and disposal services to residential, commercial, and municipal customers across dozens of states. The company is publicly traded on the NYSE and headquartered in Phoenix, Arizona. It operates landfills, recycling facilities, and a large fleet of collection vehicles.

Why They Hold Your Data

Waste-management and environmental-service firms collect customer, employee, vendor, route, billing, and service-location records across operational and municipal-service workflows.

Recent Developments

Republic Services has continued investing in sustainability infrastructure and fleet electrification as part of its publicly stated environmental strategy. The company has maintained stable financial performance and is considered one of the more defensively positioned companies in the industrial services sector. No major leadership changes or structural events beyond the breach itself have been prominently reported in the 12-18 months prior to publication.

Data Points Exposed

3 verified field types
Email Address
Phone Number
Physical Address High

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Scattered Lapsus$ Hunters

Scattered Lapsus$ Hunters
Unknown

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Republic Services breach?

Republic Services, one of the largest waste management companies in the United States, was caught up in a 2025 supply chain attack targeting Salesforce cloud environments. A threat group calling itself "Scattered LAPSUS$ Hunters" claimed responsibility and published a sample of stolen data on…

What data was exposed?

Verified fields include Email Address, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation