Salesforce Rejects Ransom Demands as Scattered Lapsus$ Hunters Threaten Mass Data Leak via OAuth Exploits

CyberSecureFox 🦊

Salesforce has notified customers it will not negotiate or pay ransom to the threat actors behind a wave of data exfiltration from customer-run Salesforce instances. According to Bloomberg, the extortion group has warned of imminent data releases and published a list of 39 globally recognized organizations it claims are affected.

Salesforce refuses ransom: timeline and extortion posture

The coalition calling itself Scattered Lapsus$ Hunters, which brings together members of Scattered Spider, LAPSUS$, and ShinyHunters, launched a leak site naming alleged victims, posting data samples, and issuing an ultimatum: make contact by October 10, 2025 to forestall full publication.

The group also addressed Salesforce directly, demanding payment to “freeze” the release of customer data it values at roughly one billion personal records, claiming, “If you pay, your customers will no longer receive our ransom demands.” Media reports indicate Salesforce has declined any payout.

Targets named and legal pressure via GDPR

Brands cited on the leak site include FedEx, Disney’s Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA. The actors are also attempting to escalate regulatory and litigation risk, alleging GDPR violations and encouraging data-subject claims if disclosures proceed.

Attack vectors: social engineering and OAuth abuse

Wave one (late 2024): malicious OAuth applications

Investigations indicate early compromises hinged on social engineering. Adversaries impersonated IT support to persuade employees to authorize rogue OAuth apps in corporate Salesforce orgs. With excessive scopes granted, attackers exfiltrated customer data and shifted to extortion. Reported victims include Google, Adidas, Qantas, Allianz Life, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Cisco.com, Chanel, and Pandora.

Wave two (August 2025): supply-chain access via SalesLoft/Drift

A subsequent campaign leveraged stolen OAuth tokens from SalesLoft and Drift, enabling access to CRM environments and bulk data export. A prime target was support ticket systems, which often contain embedded credentials, API keys, and auth tokens—providing stepping stones into internal networks and cloud services. Organizations reporting exposure include Zscaler, Proofpoint, Palo Alto Networks, Workiva, PagerDuty, Exclaimer, and Cloudflare.

Risk and impact: GDPR exposure and cascading SaaS compromise

Large-scale publication of personal data can trigger GDPR enforcement—with potential penalties up to 4% of global annual turnover—alongside class actions, partner disputes, and sustained reputational harm. Equally concerning is the domino effect when SaaS vendors or integrations are compromised, as leaked tokens and cross-system credentials can multiply downstream impact.

Industry reporting continues to show that the human element—from social engineering to credential misuse—dominates successful intrusions. Verizon’s DBIR has repeatedly found that most breaches involve people-centric vectors and stolen credentials, underscoring why OAuth consent governance and secret hygiene remain critical controls.

Infrastructure status: leak site disruption and open questions

As first noted by BleepingComputer, the extortion site was briefly unreachable, with its domain pointed to nameservers previously seen in FBI seizure operations. No official FBI statement has been issued, leaving the status of the adversary’s infrastructure uncertain.

Actionable defenses for Salesforce and SaaS ecosystems

OAuth governance: Enforce allowlists for third-party apps, apply least-privilege scopes, require short-lived tokens with automated rotation, and continuously monitor/alert on high-risk consent events to rapidly revoke suspicious grants.

Ticket and secret hygiene: Prohibit storage of passwords, keys, and tokens in support tickets; move secrets to hardened managers; integrate DLP to detect and quarantine sensitive data in tickets and attachments.

Social engineering resilience: Train staff to validate support requests via out-of-band channels; mitigate MFA fatigue with phishing-resistant authentication (e.g., FIDO2/WebAuthn); implement strict approval workflows for external app consent.

Detection and response: Correlate login, API, and OAuth events; flag geo-velocity and anomalous API usage; maintain playbooks for mass token revocation and forced logout; prepare legal, regulatory, and customer-notification plans in case of data exposure.
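The OAuth governance and detection items above can be combined into one triage rule: alert on consent grants to non-allowlisted or over-scoped connected apps, then correlate those grants with bulk API exports that follow shortly after. The script below is an added illustration, not Salesforce's own tooling or any vendor's detection; the event records, the allowlist, the scope set and the thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real Salesforce logs: two connected-app
# consents and two API queries from the same morning.
SAMPLE_EVENTS = [
    {"ts": "2025-10-03T09:01:00Z", "user": "alice", "type": "OAUTH_CONSENT",
     "app": "Data Loader", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-10-03T09:05:00Z", "user": "bob", "type": "OAUTH_CONSENT",
     "app": "IT Helpdesk Sync", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-10-03T09:07:00Z", "user": "bob", "type": "API_QUERY",
     "app": "IT Helpdesk Sync", "rows": 250_000},
    {"ts": "2025-10-03T10:00:00Z", "user": "alice", "type": "API_QUERY",
     "app": "Data Loader", "rows": 1_200},
]

APP_ALLOWLIST = {"Data Loader"}        # assumed: approved connected apps
BROAD_SCOPES = {"full", "web"}         # assumed: scopes that justify review
BULK_ROWS = 100_000                    # assumed: rows per query worth review
CONSENT_WINDOW = timedelta(hours=24)   # assumed: "freshly authorized" window


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage(events):
    """Return (kind, app, user) alerts for risky consents and for bulk
    exports by an app whose consent is both fresh and not allowlisted."""
    alerts = []
    fresh = {}  # app -> time of most recent non-allowlisted consent
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = _parse(ev["ts"])
        if ev["type"] == "OAUTH_CONSENT":
            if ev["app"] not in APP_ALLOWLIST:
                alerts.append(("unapproved_app_consent", ev["app"], ev["user"]))
                fresh[ev["app"]] = when
            if BROAD_SCOPES & set(ev["scopes"]):
                alerts.append(("broad_scope_consent", ev["app"], ev["user"]))
        elif ev["type"] == "API_QUERY" and ev["rows"] >= BULK_ROWS:
            granted = fresh.get(ev["app"])
            if granted is not None and when - granted <= CONSENT_WINDOW:
                alerts.append(("bulk_export_after_new_consent", ev["app"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The third alert kind is the one that maps to the campaigns described above: a rogue or token-stolen app authorized by a single user and then used for a large export within hours.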

Refusing to pay ransom can be the right strategic choice, but it demands rapid incident response and transparent customer communications. Organizations should harden OAuth consent flows, eliminate secrets from operational processes, and rehearse recovery playbooks. Closing the OAuth abuse pathways and minimizing sensitive data sprawl will materially reduce blast radius in the next wave of supply-chain and social engineering attacks.
