Salesforce has confirmed that it’ll not negotiate with or pay a ransom to the menace actors behind an enormous wave of information theft assaults that impacted the corporate’s prospects this yr.
As first reported by Bloomberg, Salesforce emailed prospects on Tuesday to say they’d not be paying a ransom and warned that “credible menace intelligence” signifies the menace actors had been planning to leak the stolen information.
“I can affirm Salesforce is not going to have interaction, negotiate with, or pay any extortion demand,” Salesforce additionally confirmed to BleepingComputer.
This assertion follows the launch of an information leak web site by menace actors often known as “Scattered Lapsus$ Hunters,” who’re trying to extort 39 corporations whose information was stolen from Salesforce. The web site was positioned on the breachforums[.]hn area, which is called after the infamous BreachForums web site, a hacking discussion board identified for promoting and leaking stolen information.
The businesses being extorted on the info leak web site included well-known manufacturers and organizations, together with FedEx, Disney/Hulu, Residence Depot, Marriott, Google, Cisco, Toyota, Hole, Kering, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
In whole, the menace actors claimed to have stolen almost 1 billion information information, which might be publicly launched if an extortion demand was paid by particular person corporations or as a single fee from Salesforce that will cowl all of the impacted prospects listed on the location.
Supply: BleepingComputer
This information was stolen from Salesforce situations in two separate campaigns that occurred in 2025.
The primary information theft marketing campaign started on the finish of 2024, when menace actors began conducting social engineering assaults impersonating IT assist workers to trick workers into connecting a malicious OAuth software to their firm’s Salesforce occasion.
As soon as linked, the menace actors used the connection to obtain and steal the databases, which had been then used to extort the corporate by way of electronic mail.
These social engineering assaults impacted Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance coverage, Workday, Kering, and LVMH subsidiaries, corresponding to Dior, Louis Vuitton, and Tiffany & Co.
A second Salesforce data-theft marketing campaign started in early August 2025, when the menace actors used stolen SalesLoft Drift OAuth tokens to pivot to prospects’ CRM environments and exfiltrate information.
The Salesloft data-theft assaults primarily targeted on stealing assist ticket information to scan for credentials, API tokens, authentication tokens, and different delicate data that will allow the attackers to breach the corporate’s infrastructure and cloud providers.
One of many menace actors behind the Salesloft assaults, often known as ShinyHunters, instructed BleepingComputer that they stole roughly 1.5 billion information information for over 760 corporations throughout this marketing campaign.
Many corporations have already confirmed they had been impacted by the Salesloft supply-chain assault, together with Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
The lately launched information leak web site was used primarily to extort prospects within the unique social engineering assaults, with the menace actors stating they’d start publicly extorting these impacted by the Salesloft assaults after October tenth.
Nonetheless, the info leak web site is now shut down, with the area now utilizing nameservers of surina.ns.cloudflare.com and hans.ns.cloudflare.com, which have each been utilized by the FBI previously when seizing domains.
BleepingComputer contacted the FBI about whether or not they seized the area however has not acquired a response presently.
Be part of the Breach and Assault Simulation Summit and expertise the way forward for safety validation. Hear from prime specialists and see how AI-powered BAS is reworking breach and assault simulation.
Do not miss the occasion that can form the way forward for your safety technique