Criminals Behind Salesloft Breach Continue to Target Salesforce-Using Customers

Customer relationship management software giant Salesforce notified customers that it will not pay extortion money to the cybercriminals who compromised their data.
The ransomware and data-extortion mashup calling itself Scattered Lapsus$ Hunters on Friday launched a darkweb data leak site listing three dozen victims – the partial results of an attack the group says stole 1.5 billion records from 760 companies. The criminals are demanding cryptocurrency, from the victims and from Salesforce, in return for a promise to not leak stolen data. They set a Friday deadline.
“Don’t be the next headline, protect yourself, your customers, make the right decision and reach out to us,” the data-leak site exhorts.
A Salesforce spokesman said it will not be giving into the extortionists’ demands. “I can confirm Salesforce will not engage, negotiate with or pay any extortion demand,” the spokesman told Information Security Media Group.
The company’s statement follows Bloomberg first reporting that Salesforce contacted affected customers on Tuesday, warning them of “credible threat intelligence” that hackers planned to leak data they stole in August from Salesloft Drift artificial intelligence chatbot users who integrated that software with their Salesforce instance.
Of the 760 Salesloft Drift-using victims from which hackers claim to have stolen data, the data-leak site lists 39 victims, which it said account for 1 billion of the 1.5 billion stolen records. Claimed victims include Cisco, Disney, KFC, Ikea, Marriott, McDonald’s and Walgreens, as well as grocery giant Albertsons and retailer Saks Fifth Avenue.
Security experts and law enforcement agencies advise against paying cybercriminal extortion demands. Giving in to extortionists emboldens their hacking, attracts newcomers and gives criminals funds for researching and developing more devastating takedowns.
Under Pressure
As is typical for data extortionists, Scattered Lapsus$ Hunters attempts to apply pressure wherever it can. This has included contacting customers directly, issuing attention-seeking messages on a succession of Telegram channels and demanding payment, while noticeably avoiding stating how much illicit revenue it wants to make before standing down.
It’s threatened to release all 1.5 billion stolen records, data that it stole from “over 100+ other unnamed instances because you do not enforce 2FA or any other type of OAuth Apps security,” as well as to widely sow the data.
“We will be openly complying with the many law firms that are pursuing civil and commercial litigation against you,” including by providing “full lists of affected companies along with the information on the breach and data samples of each affected companies,” the leak site claims.
Whether the attackers possess the data they claim to have stolen, and if any of it involves information of a sensitive nature, remains unclear. Ransomware groups regularly overstate the value of data they stole and otherwise lie.
Salesforce previously warned customers on Oct. 2 that it was aware of “recent extortion attempts by threat actors” against them involving either past or “unsubstantiated” incidents and urged them to beware social engineering and phishing campaigns.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” the company said. “We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.”
The FBI in early September said attackers tied to two threat clusters tracked as UNC6040 and UNC6395 used stolen OAuth tokens belonging to the Salesloft Drift Email AI chatbot’s Salesforce integration to access Salesforce instances and steal data.
Google’s threat intelligence group previously reported that the attacks started as early as Aug. 8 and ran until at least Aug. 18, and that approximately 700 Salesloft customers fell victim, as well as an unknown number of organizations that integrate Salesloft with other apps.
Attackers may have been using intelligence gleaned from the breach as a stepping stone. “After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” Google threat researchers reported. These credentials included “Amazon Web Services (AWS) access keys (AKIA), passwords and Snowflake-related access tokens.”
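Defenders can run the same kind of search over their own CRM data before an attacker does. The following is an added example, not code from the article, Salesforce or Google: it scans exported Salesforce records for the credential types Google named (AWS access key IDs, plus heuristics for pasted passwords and AWS secret keys) and reports redacted hits so the affected records can be cleaned and the credentials rotated. The record layout (an Id plus free-text fields) and the sample rows are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for the secret types the attackers reportedly hunted for. AWS access
# key IDs are 20 characters beginning "AKIA" (long-term) or "ASIA" (temporary
# STS credentials). Snowflake tokens have no fixed published format and are not
# covered here.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character secret following the usual config key name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
    # Passwords pasted into free text, e.g. "password: Hunter2!" in a case note.
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # never log the full secret; it is about to be rotated anyway


def redact(value: str) -> str:
    """Keep just enough of the value to identify it for rotation."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_records(records: list[dict], id_field: str = "Id") -> list[Finding]:
    """Scan every string field of every record (assumed: a list of dicts as a
    CRM export or query would return) for embedded credentials."""
    findings = []
    for rec in records:
        rid = str(rec.get(id_field, "<no id>"))
        for field, value in rec.items():
            if field == id_field or not isinstance(value, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rid, field, kind, redact(secret)))
    return findings


# Constructed sample rows standing in for exported support cases.
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "Deploy failing",
     "Description": "Customer shared AKIAIOSFODNN7EXAMPLE and password: Hunter2! to debug"},
    {"Id": "500xx0000000002", "Subject": "Billing question",
     "Description": "Invoice 4411 still shows as unpaid."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}.{f.field}: {f.kind} {f.redacted}")
```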
Salesloft, after hiring Google Cloud’s Mandiant incident response group to probe the breach, on Aug. 20 worked with Salesforce to revoke all access to the Drift OAuth tokens, which will require organizations that integrate Drift with Salesforce to reauthenticate that integration. Salesforce also temporarily removed Drift from its AppExchange cloud marketplace.
Salesforce told Bloomberg that after a pause, it’s now “re-enabled integrations” with Salesloft technologies, except with the Drift app.
Salesloft didn’t immediately respond to a request for comment about its moves to lock down that technology against further targeting, when it anticipates service will resume, or how many customers fell victim to the ShinyHunters’ attack.