A coalition of cybercriminals calling itself Scattered LAPSUS$ Hunters (LPH) has published extortion demands accusing Salesforce of failing to prevent massive data theft and threatening to release information it says was extracted from more than 700 corporate Salesforce instances. The group posted a notice on a newly created data-leak site and set a public deadline, asserting possession of large volumes of records obtained through abuse of OAuth tokens tied to a third-party marketing integration.
Salesforce acknowledged the extortion attempts and said its findings indicate the claims relate to past or unsubstantiated incidents. The company stated there is no indication the Salesforce platform itself has been compromised and urged customers to remain vigilant while it works with affected organizations and investigators.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
OAuth Token Abuse via Salesloft Drift Alleged as Initial Access Method
The extortionists claim they used OAuth tokens issued to Salesloft Drift, a marketing-automation integration used by many enterprises, to access customer Salesforce environments and export data. A valid integration token lets an attacker make API calls that are authenticated and authorized exactly as the integration's own calls would be, so the platform logs them as ordinary application activity; the attacker can then enumerate objects and extract records up to the limits of the token's granted scopes, which is what makes the abuse hard to spot.
LPH published figures asserting possession of more than a billion records across hundreds of companies, naming high-profile targets including global technology firms, automotive manufacturers, and large retailers. Those numbers have not been independently verified; the leak site provided limited sample material and inconsistent evidence. Analysts caution that extortion groups commonly inflate claims or repurpose older stolen data to increase pressure on targets.
Security responders have traced prior incidents in which attackers abused third-party integrations or exposed repository credentials to harvest OAuth tokens. In several documented cases, initial access began with credential exposure in a vendor’s code repository or compromised administrative accounts, followed by token reuse to access connected CRM systems. That pattern, combined with the purported scale of LPH’s claims, has prompted rapid scrutiny of token lifecycle management and third-party vendor controls across affected organizations.
“When tokens are abused, activity often blends with legitimate application behavior, so rapid token rotation and anomaly detection are essential,” said an industry incident responder.
Legal and Operational Fallout for Customers and Salesforce
The extortion attempt has already provoked legal actions and heightened regulatory attention. Court records show multiple lawsuits filed in relation to earlier token-related incidents, with plaintiffs alleging insufficient safeguards and seeking damages for unauthorized data exposure. If LPH publishes data at scale, affected companies could face regulatory investigations, class-action suits, and immediate obligations to notify customers and supervisory authorities under applicable data-protection laws.
Companies named on the leak site are expected to begin targeted forensic reviews to determine whether their instances were accessed, which data objects were exported, and whether any credentials remain valid. Incident response priorities include revoking suspect OAuth tokens, rotating integration credentials, auditing API logs for anomalous access patterns, and confirming the age and provenance of any published materials to distinguish recycled leaks from fresh breaches.
Regulatory exposure will depend on the jurisdictions involved and the nature of the data implicated. Where personal data of residents in regulated territories is confirmed to be affected, controllers must evaluate notification thresholds and cooperate with supervisory authorities. Legal teams will also need to coordinate disclosure strategies and manage communications with partners, customers and insurers.
The hackers have threatened to facilitate legal outreach and provide technical evidence to law firms and affected parties unless ransom negotiations proceed. That tactic aims to magnify reputational pressure by turning victims’ suppliers and customers into leverage points during extortion negotiations.
Practical Hardening Steps and Industry Guidance
Security practitioners have issued concrete hardening recommendations for organizations that use Salesloft or similar integrated services. Immediate actions include revoking and rotating all OAuth credentials issued to third-party applications, granting tokens only the object and field scopes the integration actually needs, enabling short token lifetimes, and implementing allow-lists for integration IP addresses and endpoints. Revocation has to happen on the Salesforce side, at the connected-app or user level: a token already in an attacker's hands stays valid until it expires or is revoked there, whatever remediation the vendor performs. Organizations should also enable comprehensive API logging, deploy anomaly-detection tooling that flags unusual export volumes, reads of objects the integration has no business touching, or atypical source IPs, and perform automated scanning of code repositories for exposed tokens or secrets.
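The log-review steps above (auditing API activity per integration token, flagging exports from outside the integration's egress range, over-volume pulls, and reads of out-of-scope objects, then deciding which tokens to revoke first) can be expressed as a small detection pass. The following Python is an added example written for this article; it is not code from Salesforce, Salesloft or the original page. The record layout, column names, policy table and sample log lines are all constructed for the demonstration and only loosely modeled on event-log exports, so adapt the field names to whatever your own API log source emits.

```python
"""
Detection pass over API event-log records for abused integration tokens.
Added example: the record layout is constructed for this demonstration and
loosely modeled on event-log columns; field names, policy tables and sample
data are assumptions, not a vendor schema.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log. drift_app normally runs small Contact/Lead queries
# from its documented egress range; later, the same token issues large bulk
# exports from an unrelated address and reads objects outside its scope.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CONNECTED_APP,CLIENT_IP,OPERATION,ENTITY,ROWS_PROCESSED
2025-10-03T08:00:12Z,005A1,drift_app,198.51.100.10,Query,Contact,150
2025-10-03T08:05:40Z,005A1,drift_app,198.51.100.11,Query,Lead,200
2025-10-03T09:10:05Z,005A1,drift_app,198.51.100.10,Query,Contact,180
2025-10-03T11:30:55Z,005A1,drift_app,203.0.113.77,BulkExport,Contact,250000
2025-10-03T11:32:02Z,005A1,drift_app,203.0.113.77,BulkExport,Account,120000
2025-10-03T11:35:18Z,005A1,drift_app,203.0.113.77,BulkExport,Case,90000
2025-10-03T12:00:00Z,005B2,reporting_app,192.0.2.5,Query,Opportunity,500
"""

# Assumed per-integration policy: egress allow-list, objects the token's
# scope should touch, and row ceilings per request and per 60-minute window.
POLICY = {
    "drift_app": {
        "egress": [ipaddress.ip_network("198.51.100.0/24")],
        "entities": {"Contact", "Lead"},
        "request_ceiling": 5000,
        "window_ceiling": 50000,
    },
    "reporting_app": {
        "egress": [ipaddress.ip_network("192.0.2.0/24")],
        "entities": {"Opportunity"},
        "request_ceiling": 5000,
        "window_ceiling": 50000,
    },
}
WINDOW_SECONDS = 3600


def parse_log(text):
    """Parse CSV event records, typing the timestamp (UTC) and row count."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
        row["TIMESTAMP"] = datetime.strptime(
            row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(row)
    return records


def _alert(reason, app, user, detail):
    return {"reason": reason, "app": app, "user": user, "detail": detail}


def detect(records, policy=POLICY):
    """Return alerts for token activity that deviates from the integration's policy."""
    alerts = []
    window_rows = defaultdict(int)  # (app, user, hour-window index) -> rows
    for r in records:
        app, user, ip = r["CONNECTED_APP"], r["USER_ID"], r["CLIENT_IP"]
        p = policy.get(app)
        if p is None:
            # Unknown connected app: every request is suspect until inventoried.
            alerts.append(_alert("unknown_connected_app", app, user, ip))
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in p["egress"]):
            alerts.append(_alert("source_ip_not_allowlisted", app, user, ip))
        if r["ENTITY"] not in p["entities"]:
            alerts.append(_alert("entity_outside_integration_scope", app, user, r["ENTITY"]))
        if r["ROWS_PROCESSED"] > p["request_ceiling"]:
            alerts.append(_alert("export_volume_over_ceiling", app, user, r["ROWS_PROCESSED"]))
        idx = int(r["TIMESTAMP"].timestamp()) // WINDOW_SECONDS
        window_rows[(app, user, idx)] += r["ROWS_PROCESSED"]
    # Second pass: many sub-ceiling requests can still add up to a bulk pull.
    for (app, user, idx), rows in sorted(window_rows.items()):
        if rows > policy[app]["window_ceiling"]:
            start = datetime.fromtimestamp(idx * WINDOW_SECONDS, timezone.utc)
            alerts.append(_alert("window_volume_over_ceiling", app, user,
                                 (start.isoformat(), rows)))
    return alerts


def revocation_candidates(alerts):
    """(connected app, user) pairs whose tokens should be revoked and rotated first."""
    return sorted({(a["app"], a["user"]) for a in alerts})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a["reason"], a["app"], a["user"], a["detail"])
    print("revoke:", revocation_candidates(found))
```

On the constructed sample, the first three drift_app requests produce no alerts; the three bulk exports trip the source-IP, per-request volume and, for Account and Case, the out-of-scope object checks, and the hourly window total (460,000 rows) trips the window ceiling as well. The window check matters because an attacker who keeps each request under the per-request ceiling would otherwise go unnoticed; the per-(app, user) key is what lets the output name the token to revoke rather than just the integration.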
Vendors and platform operators are advised to offer clearer integration visibility to customers, provide tooling for token inventory and revocation, and require stronger authentication controls for administrative portals. Customers should treat unsolicited communications asserting possession of internal data as potential phishing or extortion ploys and validate claims through out-of-band channels before responding.
Industry incident responders recommend that any organization named on the leak site treat the claim as high risk until proven otherwise. Even when published claims lack immediate proof, the potential for recycled or staggered disclosures means organizations should assume the data may be actionable and prioritize containment and monitoring.
What Investigators Are Focused On Now
Investigators from affected companies, vendor teams, and independent incident responders are prioritizing several lines of inquiry: validating whether the posted claims correspond to current exfiltration from customer instances; mapping any confirmed exfiltration to specific accounts or tokens; identifying the initial access vectors that led to token compromise; and determining whether stolen tokens remain valid or were subsequently revoked. Confirming timestamps, log correlations, and token issuance records will be central to distinguishing fresh compromises from older incidents.
The outcome of these investigations will shape regulatory notification obligations, potential remediation steps, and the scope of civil and contractual liabilities. Organizations that find indicators of compromise must promptly coordinate with law enforcement and follow established incident-response playbooks to limit downstream damage.
The extortion attempt highlights a broader strategic risk in interconnected cloud ecosystems: compromised credentials, exposed repository secrets or misconfigured third-party apps can cascade across hundreds of organizations, producing outsized legal, operational and reputational exposure even when the underlying platform is not directly vulnerable.