Salesforce representatives announced that they have no intention of negotiating or paying ransom to the attackers behind a series of large-scale attacks involving the theft of the company's customer data. Hackers are currently attempting to extort 39 companies whose data was stolen from Salesforce.
Last week, the Scattered Lapsus$ Hunters group (a coalition of members of the Scattered Spider, LAPSUS$, and Shiny Hunters hacker groups) launched a data dump website listing the 39 organizations affected by Salesforce-related data breaches.
Each post contains examples of data stolen from Salesforce accounts and warns the affected companies to contact the hackers by October 10, 2025, to prevent the public disclosure of all the stolen information. Scattered Lapsus$ Hunters are attempting to extort numerous well-known brands and organizations, including FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.
"We strongly encourage you to make the right decision. Your organization will be able to prevent a data breach, regain control of the situation, and all operations will remain as stable as before. We strongly encourage decision makers to participate in this process, as we present a clear and mutually beneficial opportunity to resolve the issue," the hackers write.
The attackers also posted a separate message on their website addressed to Salesforce. The hackers demanded a ransom from the company to prevent the leak of all data of affected customers (a total of approximately 1 billion records containing personal information).
"If you comply with our demands, we will abandon any active and pending negotiations with your customers. If you pay, your customers will no longer be attacked and will not receive ransom demands from us," the attackers state, addressing Salesforce.
Furthermore, the extortionists threaten the company, claiming that after publishing the data, they will help law firms file civil and commercial lawsuits against Salesforce, and also warn that the company has failed to protect its customers' data in accordance with the requirements of the European General Data Protection Regulation (GDPR).
As Bloomberg now reports, Salesforce sent letters to its customers this week stating that it does not intend to pay the ransom or negotiate with the hackers. The company also warned that "according to reliable information," the attackers do indeed plan to publish the stolen data soon.

As a reminder, the Salesforce data theft occurred as part of two separate campaigns. The first began in late 2024. Attackers used social engineering (typically posing as tech support staff) to convince employees at various companies to connect a malicious OAuth application to corporate Salesforce instances. After successfully connecting, the attackers used this access to download and steal data, then blackmailed the companies.
These attacks and similar breaches affected Google, Adidas, Qantas, Allianz Life, several LVMH brands (Louis Vuitton, Dior, and Tiffany & Co), Cisco.com, Chanel, and Danish jewelry company Pandora, among others.
The second campaign began in August 2025. In this case, hackers used OAuth tokens stolen from SalesLoft Drift to access clients' CRM systems and download information.
The SalesLoft attacks primarily targeted support tickets, which contain credentials, API tokens, authentication tokens, and other information that could be used to breach organizations' internal infrastructure and cloud services.
Numerous large companies reported that this supply chain attack impacted their systems. Victims included security companies Zscaler, Proofpoint, and Palo Alto Networks; SaaS platforms Workiva, PagerDuty, and Exclaimer; and Cloudflare, among others.
The data dump site launched by the hackers primarily hosted data from victims of the initial social engineering campaign. As Bleeping Computer notes, the site is currently unavailable: the domain has been redirected to surina.ns.cloudflare.com and hans.ns.cloudflare.com, which were previously used by the FBI to seize domains. However, the FBI has not yet commented on the situation.