Salesforce has confirmed that it will not negotiate with or pay a ransom to the threat actors behind a massive wave of data theft attacks that impacted the company's customers this year.
As first reported by Bloomberg, Salesforce emailed customers on Tuesday to say they would not be paying a ransom and warned that "credible threat intelligence" indicates the threat actors were planning to leak the stolen data.
"I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand," Salesforce also confirmed to BleepingComputer.
This statement follows the launch of a data leak site by threat actors known as "Scattered Lapsus$ Hunters," who are attempting to extort 39 companies whose data was stolen from Salesforce. The website was located on the breachforums[.]hn domain, which is named after the notorious BreachForums website, a hacking forum known for selling and leaking stolen data.
The companies being extorted on the data leak site included well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, Kering, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
In total, the threat actors claimed to have stolen nearly 1 billion data records, which would be publicly released if an extortion demand was paid by individual companies or as a single payment from Salesforce that would cover all the impacted customers listed on the site.
ShinyHunters Salesforce data leak site
Source: BleepingComputer
This data was stolen from Salesforce instances in two separate campaigns that occurred in 2025.
The first data theft campaign began at the end of 2024, when threat actors started conducting social engineering attacks impersonating IT support staff to trick employees into connecting a malicious OAuth application to their company's Salesforce instance.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.
These social engineering attacks impacted Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance, Workday, Kering, and LVMH subsidiaries, such as Dior, Louis Vuitton, and Tiffany & Co.
A second Salesforce data-theft campaign began in early August 2025, when the threat actors used stolen SalesLoft Drift OAuth tokens to pivot to customers' CRM environments and exfiltrate data.
The Salesloft data-theft attacks primarily focused on stealing support ticket data to scan for credentials, API tokens, authentication tokens, and other sensitive information that would enable the attackers to breach the company's infrastructure and cloud services.
One of the threat actors behind the Salesloft attacks, known as ShinyHunters, told BleepingComputer that they stole approximately 1.5 billion data records for over 760 companies during this campaign.
Many companies have already confirmed they were impacted by the Salesloft supply-chain attack, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.
The recently launched data leak site was used primarily to extort customers in the original social engineering attacks, with the threat actors stating they would begin publicly extorting those impacted by the Salesloft attacks after October 10th.
However, the data leak site is now shut down, with the domain now using nameservers of surina.ns.cloudflare.com and hans.ns.cloudflare.com, which have both been used by the FBI in the past when seizing domains.
BleepingComputer contacted the FBI about whether they seized the domain but has not received a response at this time.