Salesforce has confirmed that it’s going to not negotiate with or pay a ransom to the menace actors behind a large wave of knowledge theft assaults that impacted the corporate’s prospects this yr.
As first reported by Bloomberg, Salesforce emailed prospects on Tuesday to say they might not be paying a ransom and warned that “credible menace intelligence” signifies the menace actors had been planning to leak the stolen information.
“I can affirm Salesforce is not going to have interaction, negotiate with, or pay any extortion demand,” Salesforce additionally confirmed to BleepingComputer.
This assertion follows the launch of a knowledge leak web site by menace actors often known as “Scattered Lapsus$ Hunters,” who’re making an attempt to extort 39 firms whose information was stolen from Salesforce. The web site was positioned on the breachforums[.]hn area, which is known as after the infamous BreachForums web site, a hacking discussion board identified for promoting and leaking stolen information.
The businesses being extorted on the information leak web site included well-known manufacturers and organizations, together with FedEx, Disney/Hulu, House Depot, Marriott, Google, Cisco, Toyota, Hole, Kering, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
In complete, the menace actors claimed to have stolen practically 1 billion information information, which might be publicly launched if an extortion demand was paid by particular person firms or as a single fee from Salesforce that might cowl all of the impacted prospects listed on the positioning.
Supply: BleepingComputer
This information was stolen from Salesforce situations in two separate campaigns that occurred in 2025.
The primary information theft marketing campaign started on the finish of 2024, when menace actors began conducting social engineering assaults impersonating IT assist workers to trick staff into connecting a malicious OAuth software to their firm’s Salesforce occasion.
As soon as linked, the menace actors used the connection to obtain and steal the databases, which had been then used to extort the corporate by means of electronic mail.
These social engineering assaults impacted Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance coverage, Workday, Kering, and LVMH subsidiaries, equivalent to Dior, Louis Vuitton, and Tiffany & Co.
A second Salesforce data-theft marketing campaign started in early August 2025, when the menace actors used stolen SalesLoft Drift OAuth tokens to pivot to prospects’ CRM environments and exfiltrate information.
The Salesloft data-theft assaults primarily centered on stealing assist ticket information to scan for credentials, API tokens, authentication tokens, and different delicate data that might allow the attackers to breach the corporate’s infrastructure and cloud companies.
One of many menace actors behind the Salesloft assaults, often known as ShinyHunters, advised BleepingComputer that they stole roughly 1.5 billion information information for over 760 firms throughout this marketing campaign.
Many firms have already confirmed they had been impacted by the Salesloft supply-chain assault, together with Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
The just lately launched information leak web site was used primarily to extort prospects within the authentic social engineering assaults, with the menace actors stating they might start publicly extorting these impacted by the Salesloft assaults after October tenth.
Nevertheless, the information leak web site is now shut down, with the area now utilizing nameservers of surina.ns.cloudflare.com and hans.ns.cloudflare.com, which have each been utilized by the FBI prior to now when seizing domains.
BleepingComputer contacted the FBI about whether or not they seized the area however has not obtained a response at the moment.
Be part of the Breach and Assault Simulation Summit and expertise the way forward for safety validation. Hear from prime specialists and see how AI-powered BAS is reworking breach and assault simulation.
Do not miss the occasion that may form the way forward for your safety technique
