Salesforce has officially stated it won’t negotiate with or pay a ransom to the threat actors responsible for a widespread data theft campaign that affected many of its customers this year. The company sent an email to its clients warning them that “credible threat intelligence” indicated the hackers planned to leak the stolen data, a statement which was also confirmed to BleepingComputer. This decision comes after a group called “Scattered Lapsus$ Hunters” launched a data leak site on a domain named after the notorious BreachForums hacking site, attempting to extort 39 companies whose data was compromised. These companies included major brands like FedEx, Disney, Google, Cisco, and many others.
The hackers claimed to have stolen nearly one billion data records, threatening to release them publicly unless a ransom was paid by either individual companies or Salesforce on behalf of all impacted customers. The stolen data came from two separate campaigns that occurred in 2025. The first wave of attacks, starting in late 2024, involved social engineering where hackers impersonated IT support staff to trick employees into connecting a malicious application to their company’s Salesforce instance. This allowed them to download and steal databases, which were then used for extortion. This initial campaign impacted companies such as Google, Cisco, and several LVMH subsidiaries.
A second data-theft campaign began in early August 2025, with the hackers using stolen SalesLoft Drift OAuth tokens to access customers’ CRM environments and steal data. The primary goal of these attacks was to steal support ticket data and scan it for sensitive information like credentials and API tokens. One of the hackers, known as ShinyHunters, claimed to have stolen about 1.5 billion records from over 760 companies during this campaign. Many major tech and cybersecurity firms, including Google, Cloudflare, and Palo Alto Networks, confirmed they were impacted by this supply-chain attack.
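The attackers' stated goal above was to sift exported support tickets for credentials and API tokens; a defender can run the same kind of sweep over their own case data first and rotate whatever turns up. The script below is an added example, not from the article or from Salesforce: the sample cases, the pattern names and the Finding type are all constructed here.

```python
import re
from dataclasses import dataclass

# Constructed sample support-case bodies; every value below is fake and
# stands in for a CRM export of the kind the campaign harvested.
SAMPLE_CASES = [
    {"id": "CASE-0001",
     "body": "Customer cannot log in; their session token expires in 30 minutes, no secrets shared."},
    {"id": "CASE-0002",
     "body": "Attached config: aws_access_key_id=AKIAEXAMPLE123456789 region=us-east-1"},
    {"id": "CASE-0003",
     "body": "Integration sends Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456ghi789jkl012"},
    {"id": "CASE-0004",
     "body": "Shared mailbox password=Summ3rTime!2025 and api_key: 'sk_test_FAKE0000000000'"},
]

# Ordered list: specific formats first so the generic assignment rule does
# not double-report the same value under a second name.
PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("credential_assignment", re.compile(
        r"\b[\w-]*?(?:password|passwd|api[_-]?key|access[_-]?key|secret|token)[\w-]*"
        r"\s*[:=]\s*[\"']?([^\s\"']{8,})", re.IGNORECASE)),
]

@dataclass
class Finding:
    case_id: str
    kind: str
    redacted: str   # the report never carries the full secret

def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise which credential to rotate."""
    return f"{value[:4]}***({len(value)} chars)"

def scan_cases(cases) -> list[Finding]:
    findings, seen = [], set()
    for case in cases:
        for kind, rx in PATTERNS:
            for m in rx.finditer(case["body"]):
                value = m.group(1) if m.groups() else m.group(0)
                if (case["id"], value) in seen:      # already reported for this case
                    continue
                seen.add((case["id"], value))
                findings.append(Finding(case["id"], kind, redact(value)))
    return findings

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id}: {f.kind} -> {f.redacted}  (rotate, then scrub the case)")
```

The plain-language mention of a token in CASE-0001 is deliberately not flagged, which is the false positive a keyword-only search would produce.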
Initially, the recently launched data leak site was used to extort companies affected by the first social engineering attacks, with the threat actors planning to target those from the SalesLoft attacks after October 10th. However, the website has since been shut down. The domain’s nameservers now point to Cloudflare servers previously used by the FBI for domain seizures. This suggests law enforcement may have intervened, bringing the extortion attempt to an end, at least for now. This incident highlights the growing sophistication of cybercriminals and the difficult decisions companies face when targeted by such attacks.