Salesforce Refuses to Pay Ransom to Data-Stealing Hackers
<p>Salesforce reportedly is refusing to pay a ransom demanded by hackers who claim to have stolen more than 1 billion data files in attacks on customers of the software-as-a-service (SaaS) company.</p><p>According to <a href="https://www.bloomberg.com/news/articles/2025-10-07/salesforce-tells-clients-it-won-t-pay-hackers-for-data-extortion" target="_blank" rel="noopener">Bloomberg</a>, Salesforce this week sent emails to dozens of customers affected by the attacks by the threat group Scattered Lapsus$ Hunters, saying it wouldn’t pay any extortion demands and warning that “credible” threat intelligence indicated that the bad actors intended to publish the data they had stolen.</p><p>The threat group earlier this month listed on a since-shut-down data leak site that it had stolen data – including driver’s licenses, dates of birth, and Social Security numbers – from more than three dozen high-profile companies, including Cisco, Google, Toyota, Home Depot, Marriott and Disney/Hulu, and threatened to publicly release it <a href="https://securityboulevard.com/2025/10/scattered-lapsus-hunters-extorts-victims-demands-salesforce-negotiate/" target="_blank" rel="noopener">unless Salesforce negotiated</a> a ransom payment.</p><p>A Salesforce spokesperson told Bloomberg that it was aware of extortion attempts against the customers and that the enterprise software vendor was offering them support.</p><p>Salesforce customers since late 2024 have been targeted in two campaigns that didn’t compromise Salesforce systems but instead used social engineering and other tactics to gain access to the customers’ data.</p><h3>Social Engineering and Compromised Tokens</h3><p>In one case, bad actors using vishing techniques posed as IT support staff and convinced employees of the targeted companies to unknowingly authorize a malicious connected app to the organizations’ Salesforce portal. The malicious app was a modified version of Salesforce’s Data Loader, not a legitimate one, Google’s Threat Intelligence Group (GTIG) <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion" target="_blank" rel="noopener">wrote in June</a>.</p><p>In another campaign that <a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift" target="_blank" rel="noopener">emerged in August</a>, a threat group targeted Salesforce customers’ instances by compromising OAuth tokens associated with Salesloft’s Drift application, which is used by sales and marketing teams.</p><p>The bad actors were able to steal a range of credentials, such as Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. 
With those, the attackers could access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.</p><p>The extortion attempts came a month after the Scattered Lapsus$ Hunters hackers said they were <a href="https://securityboulevard.com/2025/09/threat-group-scattered-lapsus-hunters-says-its-shutting-down/" target="_blank" rel="noopener">shutting down operations</a>, a claim met with skepticism from the cybersecurity community.</p><h3>Salesforce Not Compromised</h3><p>Salesforce officials have stressed that while their customers were targeted in the campaigns, the bad actors did not compromise the SaaS provider’s systems.</p><p>They wrote that “cybersecurity is a <a href="https://www.salesforce.com/blog/shared-responsibility-model/" target="_blank" rel="noopener">shared responsibility</a> between a provider and their customers. While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data — especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers.”</p><p>GTIG researchers attribute the vishing campaign to the UNC6040 threat group and the Drift attacks to UNC6395, both of which have links to Scattered Lapsus$ Hunters, which itself is a collective formed by the high-profile groups Scattered Spider, Lapsus$, and ShinyHunters.</p><h3>The Scattered Lapsus$ Hunters Threat</h3><p>According to researchers with threat intelligence firm SOCRadar, the attackers claim to have stolen data from 91 organizations in total, though 39 were listed on the data leak site. 
They <a href="https://socradar.io/dark-web-profile-scattered-lapsus-hunters/" target="_blank" rel="noopener">wrote</a> that the attacks were linked to Scattered Lapsus$ Hunters.</p><p>They added that “these groups, already known for social engineering and extortion, now operate jointly and publicly through a Telegram channel where they leak stolen data, pressure victims, and taunt authorities. Importantly, no Salesforce vulnerabilities were exploited. Instead, the attackers relied entirely on social engineering.”</p><p>In addition, SOCRadar noted a “clear division of labor: Scattered Spider provided initial access, ShinyHunters specialized in data theft and publication, and LAPSUS$ members acted as amplifiers and extortionists.”</p>