Salesforce States It Will Not Pay Ransomware Hackers Who Stole 1 Billion Records

Salesforce has confirmed that it will not negotiate or pay a ransom to the hackers responsible for stealing vast amounts of its customer data. The attackers are now attempting to extort 39 companies whose information was allegedly taken from Salesforce systems.

Last week, the Scattered Lapsus$ Hunters group — a coalition of members from Scattered Spider, LAPSUS$, and ShinyHunters — launched a data leak site listing 39 organizations affected by the breach.

Each entry includes samples of data stolen from Salesforce accounts and a warning: the companies must contact the hackers by October 10, 2025, to prevent the public release of all compromised data.

Among the targeted organizations are major global brands such as FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France–KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.

“We strongly advise you to make the right decision,” the hackers wrote. “Your organization can prevent the data leak, regain control of the situation, and all operations will remain stable. We recommend that decision-makers participate in this process, as we are presenting a clear and mutually beneficial opportunity to resolve the issue.”

Extortion Demands Aimed Directly at Salesforce

The group also posted a separate message addressed to Salesforce itself, demanding a ransom to stop the release of what they claim are about one billion customer records containing personal information.

“If you meet our demands, we will abandon any active and pending negotiations with your customers,” the group said. “If you pay, your customers will no longer be attacked and will not receive ransom demands from us.”

The hackers further threatened to assist law firms in filing lawsuits against Salesforce after publishing the stolen data, alleging that the company violated GDPR (General Data Protection Regulation) obligations to safeguard customer information.

According to Bloomberg, Salesforce has sent letters to its customers stating it will not pay the ransom or engage in negotiations. The company also warned that, based on “credible information,” the attackers plan to publish the stolen data soon.

Two Campaigns Behind the Breach

The data theft stems from two separate attack campaigns.

The first campaign began in late 2024, when attackers used social engineering tactics, often posing as IT support staff, to trick employees into connecting malicious OAuth applications to their corporate Salesforce instances. Once access was granted, the hackers downloaded data and began extorting victims.

This campaign affected major companies including Google, Adidas, Qantas, Allianz Life, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Cisco.com, Chanel, and Pandora.

The second campaign, launched in August 2025, involved the use of stolen SalesLoft Drift OAuth tokens to infiltrate customer CRM systems and export sensitive information.

The attackers primarily targeted support ticket data, which often contains credentials, API keys, and authentication tokens that can be used to access internal infrastructure and cloud services.
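Because stolen ticket exports are valuable precisely for the secrets pasted into them, a defender's first job after an incident like this is to find which tickets carried credentials and rotate them. The following is an added example (not code from the article or from Salesforce) that scans a constructed set of support tickets for common secret patterns and reports, with redacted values, which tickets need credential rotation; the regexes and sample values are illustrative assumptions, not an exhaustive ruleset.

```python
import re
from typing import Dict, List, Tuple

# Illustrative patterns for credentials commonly pasted into support tickets
# (constructed for this example; a real scanner would carry many more rules).
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-_.]{20,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
    # key=value / key: value assignments such as api_key=..., password: ...
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|password|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return value[:4] + "..." + "*" * 4

def scan_ticket(ticket: dict) -> List[Tuple[str, str, str]]:
    """Return (ticket id, secret kind, redacted value) for each secret-like value found."""
    text = f"{ticket.get('subject', '')}\n{ticket.get('body', '')}"
    findings: List[Tuple[str, str, str]] = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append((ticket["id"], kind, redact(value)))
    return findings

def scan_export(tickets: List[dict]) -> List[Tuple[str, str, str]]:
    """Scan a whole export, i.e. the set of cases an attacker could have read."""
    return [f for t in tickets for f in scan_ticket(t)]

def tickets_needing_rotation(tickets: List[dict]) -> List[str]:
    """Ticket ids whose owners must be told to rotate the exposed credentials."""
    return sorted({tid for tid, _, _ in scan_export(tickets)})

# Constructed sample tickets; every secret below is a fake value made up for this example.
SAMPLE_TICKETS = [
    {"id": "CASE-0001", "subject": "Sync job returns 403",
     "body": "Using access key AKIAEXAMPLE000000001 and header "
             "Authorization: Bearer sk_live_constructed_token_12345"},
    {"id": "CASE-0002", "subject": "Password reset",
     "body": "Password reset request for user jdoe, no credentials included."},
    {"id": "CASE-0003", "subject": "Webhook config",
     "body": "Webhook config:\napi_key=cstr_3f9a8b7c6d5e4f3a2b1c\nfails in prod."},
    {"id": "CASE-0004", "subject": "Token attached",
     "body": "Token attached: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl"},
]
```

Running `scan_export(SAMPLE_TICKETS)` flags the AWS key and bearer token in CASE-0001, the assigned API key in CASE-0003 and the JWT in CASE-0004, while the plain password-reset request in CASE-0002 produces no finding.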

Organizations affected by this second wave include cybersecurity firms Zscaler, Proofpoint, and Palo Alto Networks, as well as SaaS platforms Workiva, PagerDuty, Exclaimer, and Cloudflare.

Leak Site and Possible FBI Involvement

The data leak site, initially used to host samples from victims of the first campaign, is now offline.

According to BleepingComputer, the site’s domain recently switched its name servers to surina.ns.cloudflare.com and hans.ns.cloudflare.com, name server records previously associated with FBI domain seizures. However, the FBI has not yet commented on the situation.