Following a cyberattack, Salesforce has decided not to pay ransom.
Salesforce has confirmed that it will not pay ransom to the cybercriminals behind the recent wave of data thefts that affected dozens of companies worldwide. According to the company, customer data will soon be leaked online by the cybercriminals.
Major Names Affected
The hacker group, calling themselves “Scattered Lapsus$ Hunters,” has launched a website to extort 39 companies. Among the victims are major names including FedEx, Disney/Hulu, Marriott, Google, Cisco, Toyota, McDonald’s, Chanel, IKEA, and Kering.
The criminals claim to have stolen nearly one billion data records from Salesforce environments. They are demanding either a joint payment from Salesforce or separate payments from the affected companies to prevent them from making the data public.
Two Attack Waves in one Year
The first wave began in late 2024, with attackers posing as IT staff. They attempted to deceive employees by connecting a fake OAuth app to their Salesforce environment. This gave them access to customer databases and allowed them to download data. Companies like Google, Adidas, Farmers Insurance, and LVMH were affected. In August 2025, a second attack followed using stolen SalesLoft and Drift tokens, which the attackers used to infiltrate systems and steal sensitive information, such as API and authentication tokens.
Speaking to BleepingComputer, Salesforce confirms: “We will not negotiate, engage in dialogue, or pay any form of extortion.” The company is working with affected customers and authorities but maintains that paying would only encourage further attacks.