Salesforce has confirmed that it will not negotiate with or pay a ransom to the hackers behind a series of large-scale data theft attacks that affected several of its customers this year.

According to a report by Bloomberg, Salesforce emailed customers on Tuesday, stating that it had no plans to pay the extortion demand and warning that “credible threat intelligence” suggests the attackers are preparing to leak the stolen data.

The company also confirmed to BleepingComputer that it “will not engage, negotiate with, or pay any extortion demand.”

The hackers, known as Scattered Lapsus$ Hunters, launched a data leak website on the domain breachforums[.]hn in an attempt to extort 39 companies whose data was stolen from Salesforce. The list of victims reportedly includes major brands such as FedEx, Disney, Google, Cisco, Toyota, Marriott, McDonald’s, UPS, Chanel, and IKEA. The threat actors claimed to have stolen nearly one billion data records and demanded payment either from individual companies or a single ransom from Salesforce to prevent public release.

The stolen data came from two separate attack campaigns. The first began in late 2024, when hackers impersonated IT support staff and tricked employees into linking a malicious OAuth app to their company’s Salesforce account. The second wave started in August 2025, using stolen SalesLoft Drift OAuth tokens to access customer CRM systems and exfiltrate data.

Hackers behind these attacks, including the group ShinyHunters, claimed to have stolen 1.5 billion data records from more than 760 companies. The stolen information reportedly includes customer data, API tokens, authentication keys, and other sensitive credentials.


The breachforums[.]hn domain, used by the hackers, has since gone offline and now points to Cloudflare’s nameservers, which were previously associated with FBI domain seizures. Authorities have not yet confirmed whether the site was taken down by law enforcement.



Salesforce’s firm stance against paying ransoms underscores its commitment to cybersecurity best practices, even as some affected companies continue to deal with the fallout from these massive breaches.
