Salesforce has confirmed that it will not negotiate with or pay a ransom to the threat actors behind a massive wave of data theft attacks that impacted the company's customers this year.
As first reported by Bloomberg, Salesforce emailed customers on Tuesday to say they would not be paying a ransom and warned that "credible threat intelligence" indicates the threat actors were planning to leak the stolen data.
"I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand," Salesforce also confirmed to BleepingComputer.
This statement follows the launch of a data leak site by threat actors known as "Scattered Lapsus$ Hunters," who are attempting to extort 39 companies whose data was stolen from Salesforce. The website was located on the breachforums[.]hn domain, which is named after the notorious BreachForums website, a hacking forum known for selling and leaking stolen data.
The companies being extorted on the data leak site included well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, Kering, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
In total, the threat actors claimed to have stolen nearly 1 billion data records, which would be publicly released if an extortion demand was paid by individual companies or as a single payment from Salesforce that would cover all the impacted customers listed on the site.
ShinyHunters Salesforce data leak site
Source: BleepingComputer
This data was stolen from Salesforce instances in two separate campaigns that occurred in 2025.
The first data theft campaign began at the end of 2024, when threat actors started conducting social engineering attacks impersonating IT support staff to trick employees into connecting a malicious OAuth application to their company's Salesforce instance.
... continue reading