Salesforce Data Breach: Company Refuses to Pay Ransom After 1 Billion Records Stolen

Salesforce is facing one of the most significant cybersecurity incidents of the year after a massive data breach exposed nearly 1 billion customer records. The company has confirmed it will not pay the ransom demanded by the threat group responsible, choosing instead to stand firm against the extortion attempt.

The cybercrime group, calling itself Scattered LAPSUS$ Hunters, has claimed responsibility for the Salesforce data breach. The attackers published a website naming 39 companies whose customer information was allegedly stolen, including major global brands such as Toyota, FedEx, Disney/Hulu, Home Depot, Google, Cisco, Marriott, and Adidas. According to the group, a total of “989.45m/~1B+” records were stolen, making this one of the largest data thefts involving a cloud service provider.

Salesforce Refuses Ransom Payment

In an email to customers, Salesforce confirmed it would not negotiate with the attackers, stating clearly: “Salesforce will not engage, negotiate with, or pay any extortion demand.” The company also warned clients of “credible threat intelligence” suggesting the attackers intended to publish stolen data if their demands were not met.

BotCrawl contacted the FBI for comment regarding potential law enforcement involvement and whether the agency was behind the takedown of the attackers’ data leak website. No response had been received as of this publication. The leak site has since gone offline, and its domain now points to nameservers previously linked to FBI domain seizures.

How the Salesforce Data Breach Happened

The Salesforce data breach unfolded in two major waves across 2024 and 2025. The first began in late 2024 when attackers launched a social engineering campaign by impersonating IT support staff. Employees were tricked into connecting malicious OAuth applications to their Salesforce instances, which gave attackers access to sensitive databases. Once inside, the criminals downloaded customer records and used them to extort organizations through email threats.

The second wave emerged in August 2025, this time exploiting stolen Salesloft Drift OAuth tokens. Using these credentials, the attackers gained access to Salesforce CRM environments, where they stole large volumes of customer support data, credentials, API tokens, and other sensitive records. These attacks reportedly impacted over 760 companies, with hackers claiming to have stolen 1.5 billion data records during this phase alone.

Who Is Behind the Attack?

The group responsible for the Salesforce data breach calls itself Scattered LAPSUS$ Hunters, a hybrid name referencing three prolific hacking collectives: Scattered Spider, LAPSUS$, and ShinyHunters. Cybersecurity firm Mandiant has tracked the group under the designation UNC6040 but has not confirmed the identities of the individuals behind the operation. According to Rapid7 and other security researchers, the group operates like a ransomware-as-a-service syndicate, leveraging stolen credentials, social engineering, and cloud misconfigurations to carry out its campaigns.

The threat actors have also been tied to previous high-profile incidents. Some of the companies affected in earlier campaigns include Qantas, Cisco, Adidas, Workday, and subsidiaries of LVMH such as Louis Vuitton and Dior. Their tactics show a growing trend of attackers bypassing traditional malware payloads by abusing trusted cloud tools and services directly.

Global Fallout and Industry Impact

The Salesforce data breach has had far-reaching effects across industries, highlighting the growing risks of supply-chain and third-party cloud compromises. Many of the impacted companies rely heavily on Salesforce to manage sensitive customer information, sales data, and corporate communications. The breach raises questions about how organizations can safeguard against sophisticated social engineering and token hijacking attacks in SaaS environments.

Security researchers warn that the attackers’ decision to demand a lump-sum ransom from Salesforce on behalf of all affected companies signals a new evolution in extortion tactics. Instead of targeting individual victims, the criminals tried to pressure a single vendor to pay, leveraging its responsibility over a wide customer base.

According to Bloomberg, global ransomware payments reached $813 million last year, a sharp decrease from $1.1 billion in 2023. However, experts warn that refusing to pay ransoms, while important for deterring cybercriminals, can result in large-scale exposure of sensitive data when attackers follow through on their threats.

Calls for Stronger Security

The Salesforce data breach underscores the urgent need for organizations to implement strict access controls and continuous monitoring across cloud environments. Experts advise using short-term, least-privileged credentials, restricting OAuth token permissions, and enforcing stronger employee training programs to counteract social engineering.
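The controls listed above (short-lived, least-privileged credentials, restricted OAuth scopes, continuous monitoring) are the kind of thing a tenant administrator can check mechanically. The following Python is an added example written for this article, not code from Salesforce or from any of the vendors named here. It audits an inventory of connected-app OAuth grants against a least-privilege policy and flags the patterns the article describes: an integration authorized by an end user rather than reviewed by an admin, an app that is not on the approved allowlist, scopes that grant broad or persistent access, and tokens that are old or idle. The record format, the scope names, the thresholds and the sample inventory are all assumptions constructed for the example; map them to your own provider's scope names and connected-app export before using the logic.

```python
"""Audit connected-app OAuth grants against a least-privilege policy.

Added illustration for a SaaS tenant review. Record layout, scope names,
thresholds and sample data are assumptions for this example, not any
vendor's real API or data model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Scopes that give an integration broad or persistent access. These names
# are assumed for the example; substitute the provider's real scope names.
HIGH_RISK_SCOPES = {"full", "offline_access", "api_admin"}
MAX_TOKEN_AGE = timedelta(days=30)   # rotate credentials at least this often
MAX_IDLE = timedelta(days=14)        # revoke grants nobody is using


@dataclass
class OAuthGrant:
    app_name: str
    scopes: set
    issued_at: datetime
    last_used: datetime
    approved_by_admin: bool          # False = self-authorized by an end user


@dataclass
class Finding:
    app_name: str
    reasons: list = field(default_factory=list)


def audit_grants(grants, allowlist, now):
    """Return one Finding per grant that violates the policy, with reasons."""
    findings = []
    for g in grants:
        reasons = []
        if g.app_name not in allowlist:
            reasons.append("app not on approved integration allowlist")
        risky = g.scopes & HIGH_RISK_SCOPES
        if risky:
            reasons.append(f"high-risk scopes: {sorted(risky)}")
        if now - g.issued_at > MAX_TOKEN_AGE:
            reasons.append(f"token older than {MAX_TOKEN_AGE.days} days")
        if now - g.last_used > MAX_IDLE:
            reasons.append(f"unused for more than {MAX_IDLE.days} days")
        if not g.approved_by_admin:
            reasons.append("authorized by end user without admin review")
        if reasons:
            findings.append(Finding(g.app_name, reasons))
    return findings


def sample_findings():
    """Run the audit over a constructed inventory of three grants."""
    now = datetime(2025, 10, 6, tzinfo=timezone.utc)   # assumed audit time
    allowlist = {"Marketing Connector", "ChatWidget"}
    grants = [
        # Approved, narrow, recently rotated and in use: should pass.
        OAuthGrant("Marketing Connector", {"read_contacts"},
                   now - timedelta(days=10), now - timedelta(days=1), True),
        # User-authorized app with broad scopes, not on the allowlist: the
        # pattern the article describes for the first wave of the breach.
        OAuthGrant("HelpdeskSync", {"full", "offline_access"},
                   now - timedelta(days=3), now - timedelta(hours=1), False),
        # Approved integration whose long-lived token has gone stale.
        OAuthGrant("ChatWidget", {"read_cases", "offline_access"},
                   now - timedelta(days=120), now - timedelta(days=60), True),
    ]
    return audit_grants(grants, allowlist, now)


if __name__ == "__main__":
    for f in sample_findings():
        print(f.app_name)
        for r in f.reasons:
            print("  -", r)
```

Run it as a script to see the two flagged grants and their reasons. In practice the same checks would be fed from a scheduled export of the tenant's connected apps, and any finding on a user-authorized app with broad scopes would be a candidate for immediate revocation and review rather than a report item.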

Independent researcher Kevin Beaumont, speaking about the rising trend of corporate ransom payments, criticized organizations for indirectly funding organized cybercrime. “Corporations shouldn’t be directly funding organized crime with the support of the National Crime Agency and their insurance. Break the cycle,” he said in a recent statement. While law enforcement agencies publicly discourage paying ransoms, insiders suggest some companies still negotiate with attackers behind closed doors, perpetuating the issue.

What Happens Next?

The Salesforce data breach continues to unfold as investigators assess the scale of the stolen information. The extortion group had initially set a deadline for Salesforce to pay by Friday or risk mass publication of the stolen records. With Salesforce refusing to comply, the situation could escalate if attackers leak the data across underground forums and marketplaces.

For now, customers of Salesforce are being urged to review their security policies, monitor for suspicious activity, and prepare for potential fallout if the data appears online. The company maintains that it will not pay the ransom, emphasizing its commitment to security and refusal to incentivize further criminal activity.

This case highlights a critical turning point in how corporations handle large-scale extortion attempts. It is uncertain whether Salesforce’s refusal will deter future attacks or instead result in massive data exposure.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.
