Salesforce has told customers it will not negotiate with or pay extortion demands from threat actors who claim to have stolen large volumes of data from its customers' Salesforce environments during two separate campaigns that ran from late 2024 into 2025. The company warned that credible threat intelligence indicated the attackers planned to leak the stolen records and confirmed it would not engage with the extortion attempts.
The extortion activity followed the publication of a data-leak site operated by a group calling itself “Scattered Lapsus$ Hunters,” which listed some 39 companies as victims and threatened to publish nearly 1 billion records unless ransoms were paid. The site named a range of large brands and organizations, including major logistics, retail, hospitality and technology firms, and offered two payment models: individual companies could be extorted separately, or Salesforce could make a single payment covering all impacted customers.
Salesforce said the company “will not engage, negotiate with, or pay any extortion demand” and alerted customers that threat actors were preparing to release stolen files. The company’s announcement accompanied customer notifications and followed an investigation into two distinct intrusion methods that led to data exfiltration from multiple customer environments.
“I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” a Salesforce spokesperson said.
The attacks described by Salesforce and by multiple affected organizations came in two main phases spanning late 2024 and 2025. The first campaign, beginning at the end of 2024, relied largely on social engineering: operators impersonated IT support personnel and talked staff into approving and connecting a malicious OAuth application to their organization's Salesforce instance. Once the application was authorized, it held delegated API access with the approving user's permissions, and the attackers used that access to download and exfiltrate whole objects and other stored data.
The second wave, beginning in early August 2025, used OAuth tokens stolen from the SalesLoft Drift integration to pivot from the vendor's environment into customer CRM instances. In those incidents the attackers focused on customer support ticket data and related artifacts, because tickets routinely contain credentials, API keys, authentication tokens and other secrets that can be replayed for further access to cloud services and corporate infrastructure.
Scope of Theft and Claims by Threat Actors
Threat actors operating under different aliases claimed extremely large harvests of data: one actor asserted that approximately 1.5 billion records were taken from over 760 companies during the SalesLoft-focused campaign. The combined claims — including the data posted or threatened on the extortion site — suggested the potential exposure of hundreds of millions to nearly a billion records spanning multiple corporate customers.
The list of companies named on the leak site and in attack notifications included household names across industries, with public disclosures from some affected firms confirming they were impacted by the SalesLoft supply-chain intrusion. Technology vendors, security providers, and enterprise software customers were among those reporting incidents and initiating internal reviews of their own systems and token usage.
Attackers treated the exfiltrated support-ticket data as a reconnaissance repository, searching it for reusable credentials and service tokens that would allow lateral movement and cloud-service compromise. The tactic magnifies the impact of the initial access: a compromise of a single vendor or user cascades, supply-chain style, into dozens or hundreds of downstream targets.
Salesforce’s refusal to pay extortion demands reflects an incident-response position that prioritizes containment and coordinated remediation over negotiation with threat actors. In practice, companies subject to this type of campaign typically pursue immediate revocation of compromised tokens and OAuth applications, rotate service and API credentials, and conduct forensic timelines to identify and close persistence mechanisms.
Several affected organizations have already begun forced credential rotations and increased monitoring for suspicious activity tied to third-party integrations. Security teams are also conducting token sweeps across development and support tooling, reviewing access logs for anomalous API calls, and implementing stricter governance for application approvals and OAuth scopes.
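The token sweep described above and the attackers' own search through exfiltrated tickets are the same operation seen from opposite sides: pattern-matching a ticket export for reusable secrets. The script below is an added example, not code from Salesforce, SalesLoft or any affected organization. The JSON-lines export format, the ticket contents and the pattern set are constructed assumptions (the AWS values are AWS's published example credentials, not live keys); the generic key pattern is filtered by Shannon entropy so that placeholders such as `aaaa…` do not drown the real findings.

```python
"""Sweep a support-ticket export for secrets an attacker could reuse.

Added example, not code from Salesforce, SalesLoft or any affected
organization. The JSON-lines export format and the ticket contents are
constructed; the pattern set is a starting point, not a complete catalogue.
"""
import json
import math
import re
from collections import Counter

# Constructed sample export, one ticket per line. Not real data: the AWS
# values are AWS's published example credentials, the rest is made up.
SAMPLE_EXPORT = "\n".join(json.dumps(t) for t in [
    {"id": "CASE-1001", "subject": "Integration failing",
     "body": "Our sync breaks. Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-1002", "subject": "Password reset",
     "body": "Reset done, the new password is password=Summer2025! please confirm"},
    {"id": "CASE-1003", "subject": "How do I export a report?",
     "body": "Just looking for the docs link, thanks."},
    {"id": "CASE-1004", "subject": "curl example",
     "body": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcGkifQ.sig' "
             "https://api.example.com/v1/me"},
    {"id": "CASE-1005", "subject": "Config snippet",
     "body": "Set api_key=0123456789abcdef0123456789abcdef; placeholder "
             "token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
])

# Each pattern captures the secret value in group 1 where there is one.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+]{40})"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{24,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'aaaa...' score near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep a 4-char prefix so the finding is identifiable without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_export(jsonl_text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per secret-looking match across all tickets."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ticket = json.loads(line)
        haystack = f"{ticket.get('subject', '')}\n{ticket.get('body', '')}"
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(haystack):
                value = m.group(1) if m.groups() else m.group(0)
                entropy = shannon_entropy(value)
                # The generic pattern is noisy, so drop low-entropy hits
                # (placeholders, repeated characters). Specific patterns are kept.
                if name == "generic_api_key" and entropy < min_entropy:
                    continue
                findings.append({"ticket": ticket["id"], "pattern": name,
                                 "preview": mask(value), "entropy": round(entropy, 2)})
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings per pattern: the rotation/revocation worklist."""
    return Counter(f["pattern"] for f in findings)


def tickets_to_quarantine(findings: list[dict]) -> list[str]:
    """Ticket IDs to redact or restrict before the export is shared any further."""
    return sorted({f["ticket"] for f in findings})


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['ticket']}: {f['pattern']:<22} {f['preview']}  (entropy {f['entropy']})")
    print("by pattern:", dict(summarize(results)))
    print("quarantine:", tickets_to_quarantine(results))
```

Run against a real export, each finding maps to a concrete action: the AWS and bearer-token hits go straight to the rotation queue, while the ticket IDs in the quarantine list are the ones whose contents must be assumed to be in the attackers' hands if the export was among the data stolen.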
The extortion site was hosted on a domain in a namespace historically associated with a criminal forum and illicit marketplaces. Its nameserver records subsequently changed to Cloudflare-managed nameservers of the kind that have been used in prior domain seizures. Authorities have been alerted to the extortion site and related activity, and some domain and hosting artifacts are under review.
Wider Implications for Third-Party Token Security
The campaigns underscore a persistent risk vector: delegated access through OAuth tokens and third-party integrations. Security practitioners warn that social engineering aimed at the human approval step of an OAuth consent, combined with lax governance of vendor-held tokens, enables large-scale data theft with relatively little technical sophistication, because once the token exists the data leaves through the same API paths legitimate integrations use.
Industry recommendations for mitigating such risks include enforcing least-privilege scopes for OAuth applications, implementing short-lived tokens and automated rotation, requiring approvals through centralized application marketplaces or internal security review, employing anomaly detection on API usage, and restricting export capabilities from production data stores. Organizations that integrate external support tools should treat service tokens and support-ticket exports as high-risk assets subject to the same controls as production credentials.
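The anomaly detection on API usage and the export restriction recommended above, together with the review of access logs for anomalous API calls mentioned earlier, reduce to a handful of checks over the org's API event log joined with its inventory of approved connected apps. The script below is an added example, not code from Salesforce or any vendor: the CSV columns, the approved-app inventory, the sensitive-object list and the thresholds are constructed assumptions, and a real event-log export has its own schema. It flags calls from apps nobody approved, approved apps reading objects outside their granted scope, per-call row volumes far above the app's own median, and bulk exports of the objects that hold tickets and contact data.

```python
"""Flag anomalous connected-app API activity in an access-log export.

Added example, not code from Salesforce or any vendor. The CSV columns, the
approved-app inventory and the thresholds are constructed assumptions.
"""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Assumed inventory: connected app -> objects its approved OAuth scopes cover.
APPROVED_APPS = {
    "chat-widget": {"Lead", "Contact"},
    "billing-sync": {"Account"},
}
SENSITIVE_OBJECTS = {"Case", "Contact"}  # support tickets and personal data
ABS_ROW_THRESHOLD = 10_000               # any single call above this is suspect
SPIKE_MULTIPLIER = 20                    # or above 20x the app's own median

# Constructed sample log (simplified schema, not a real vendor format).
SAMPLE_LOG = """timestamp,app,user,operation,object,rows
2025-08-08T09:00:00Z,chat-widget,svc-chat,query,Lead,40
2025-08-08T09:05:00Z,chat-widget,svc-chat,query,Lead,55
2025-08-08T09:10:00Z,chat-widget,svc-chat,query,Lead,38
2025-08-08T09:15:00Z,chat-widget,svc-chat,query,Contact,61
2025-08-08T09:20:00Z,chat-widget,svc-chat,query,Lead,47
2025-08-08T22:14:00Z,chat-widget,svc-chat,bulk_query,Case,180000
2025-08-08T22:15:00Z,chat-widget,svc-chat,bulk_query,Account,95000
2025-08-08T22:16:00Z,chat-widget,svc-chat,bulk_query,Contact,240000
2025-08-08T23:00:00Z,My Ticket Portal,j.doe,query,Case,12
2025-08-08T23:05:00Z,My Ticket Portal,j.doe,bulk_query,Case,30000
2025-08-08T10:00:00Z,billing-sync,svc-billing,query,Account,20
"""


def parse_log(text: str) -> list[dict]:
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["rows"] = int(e["rows"])
    return events


def app_baselines(events: list[dict]) -> dict:
    """Median rows per call for each app, None with too little history.
    The median is robust to the very spikes being hunted."""
    per_app = defaultdict(list)
    for e in events:
        per_app[e["app"]].append(e["rows"])
    return {app: (statistics.median(v) if len(v) >= 3 else None)
            for app, v in per_app.items()}


def detect(text: str) -> list[dict]:
    events = parse_log(text)
    baseline = app_baselines(events)
    findings = []

    def flag(e, rule, detail):
        findings.append({"timestamp": e["timestamp"], "app": e["app"],
                         "user": e["user"], "rule": rule, "detail": detail})

    for e in events:
        app, obj, n = e["app"], e["object"], e["rows"]
        # 1. Delegated access nobody approved: the social-engineered consent case.
        if app not in APPROVED_APPS:
            flag(e, "unapproved_app", f"{app!r} is not in the approved app inventory")
        # 2. Approved app reaching beyond the objects its scopes were granted for.
        elif obj not in APPROVED_APPS[app]:
            flag(e, "scope_violation",
                 f"{app!r} read {obj}; approved: {sorted(APPROVED_APPS[app])}")
        # 3. Volume spike: absolute ceiling, tightened to 20x the app's median
        #    once enough history exists.
        threshold = ABS_ROW_THRESHOLD
        if baseline[app] is not None:
            threshold = min(ABS_ROW_THRESHOLD, SPIKE_MULTIPLIER * baseline[app])
        if n > threshold:
            flag(e, "volume_spike", f"{n} rows in one call (threshold {threshold:g})")
        # 4. Bulk export of the objects that hold tickets and contact data.
        if e["operation"] == "bulk_query" and obj in SENSITIVE_OBJECTS:
            flag(e, "sensitive_bulk_export", f"bulk_query on {obj}")
    return findings


def rule_counts(findings: list[dict]) -> Counter:
    return Counter(f["rule"] for f in findings)


def by_app(findings: list[dict]) -> dict:
    """Apps that fired at least one rule, with the rules: the revocation worklist."""
    out = defaultdict(set)
    for f in findings:
        out[f["app"]].add(f["rule"])
    return dict(out)


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['app']:<18} {f['rule']:<22} {f['detail']}")
    print("rules:", dict(rule_counts(results)))
    print("revoke/review:", {app: sorted(r) for app, r in by_app(results).items()})
```

The baseline is a per-app median rather than a mean so that the bulk pulls being hunted do not inflate the threshold that should catch them; in the constructed log the chat widget's median stays at 58 rows per call even though three of its eight calls pulled hundreds of thousands. An app that appears in the findings with `unapproved_app` is the OAuth-consent case from the first campaign; `volume_spike` on an otherwise approved app is the shape of the stolen-token case from the second.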
The incidents also illustrate how attackers chain social engineering with supply-chain pivots to broaden impact. Harvested support tickets and configuration data are a high-value reconnaissance source: they name further targets and often hand over the exact credentials needed to build an escalation path into cloud tenants and production environments.
Salesforce has notified customers of the extortion attempts and advised them on steps to secure OAuth authorizations and service tokens. Affected companies are continuing forensic investigations to determine the scope of exfiltration and to identify any downstream misuse of stolen tokens or credentials. Several vendors named among the impacted customers have publicly acknowledged incidents and are coordinating with partners, regulators and law enforcement as investigations proceed.
As investigations continue, security teams are likely to prioritize token invalidation, credential rotation, tightened OAuth consent processes, and enhanced monitoring of support-ticket data flows. The incident highlights the need for enterprises to incorporate supply-chain token hygiene into their broader identity and access management posture and to assume that any external integration may be a potential vector for large-scale data exposure.