Salesforce refuses to pay ransom as hackers claim theft of nearly 1 billion customer records

Salesforce has publicly refused to pay a ransom to cybercriminals who claim to have stolen nearly one billion customer records and are threatening to leak the data online. The incident has drawn global attention to the growing risks of extortion attacks targeting large, data-driven organizations.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” said Allen Tsai, a spokesperson for the San Francisco-based customer relationship management (CRM) software provider, in a statement to The Register. The company has reportedly issued the same message to affected customers, reaffirming its zero-tolerance stance toward ransom demands.

The statement follows reports that a hacking group calling itself Scattered LAPSUS$ Hunters posted a list of 39 companies’ Salesforce environments on a data-leak site and demanded payment to prevent the release of what it claims are 989.45 million stolen records. The group set an October 10 deadline for Salesforce to negotiate, warning that “all your customers’ data will be leaked” if no payment is made.

Salesforce said the extortion attempts “relate to past or unsubstantiated incidents” and added that there is no evidence its platform has been compromised or that any vulnerabilities in its technology were exploited. “We remain engaged with affected customers to provide support,” the company said in its most recent update, published October 2.

According to The Register, the data at the center of the extortion attempt may not stem from a new intrusion. Instead, it appears to involve customer data previously accessed during an earlier breach linked to ShinyHunters (UNC6240), one of the hacking collectives now operating under the Scattered LAPSUS$ Hunters banner. Salesforce reportedly told customers that ShinyHunters had gained access to data through a breach of SalesLoft’s Drift application, an integration tool used to automate customer service interactions within Salesforce.

After compromising Drift, the attackers allegedly stole OAuth tokens, allowing them to access Salesforce instances used by multiple organizations. Both Salesforce and Google, which previously confirmed related attacks, have notified customers believed to be affected and are continuing to investigate the intrusions.

The hacking group also attempted to pressure the company by offering a $10 Bitcoin bounty to anyone willing to harass Salesforce executives online. Such tactics are becoming increasingly common among cyber extortion groups, which combine digital theft with public shaming campaigns to coerce payment.

Law enforcement agencies, including the FBI and Europol, have long cautioned companies against paying ransoms, warning that doing so encourages further attacks and offers no guarantee of data recovery or privacy protection. Salesforce’s refusal to negotiate aligns with that guidance.