Red Hot Cyber, The cybersecurity news


Salesforce refuses to pay ransom for Scattered Lapsus Hunters attacks

Redazione RHC : 10 October 2025 10:11

Salesforce representatives have announced that they have no intention of negotiating or paying a ransom to the attackers responsible for a series of large-scale attacks that resulted in the theft of the company’s customer data. Hackers are currently attempting to blackmail 39 companies whose data was stolen from Salesforce.

Last week, Scattered Lapsus$ Hunters (a combination of members of the Scattered Spider, LAPSUS$, and Shiny Hunters hacker groups) launched their own Data Leak Site (DLS) listing 39 organizations affected by Salesforce-related data breaches.

Each post contains examples of data stolen from Salesforce accounts and warns affected companies to contact the hackers by October 10, 2025, to prevent any stolen information from being publicly disclosed.

Scattered Lapsus$ Hunters are attempting to extort money from a number of well-known brands and organizations, including FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.

“We strongly encourage you to make the right decision. Your organization will be able to prevent a data breach, regain control of the situation, and all operations will remain stable as before. We strongly encourage decision makers to participate in this process, as we present a clear and mutually beneficial solution,” the hackers wrote.

The attackers also posted a separate message on their website, addressed to Salesforce. The hackers demanded a ransom from the company to prevent the data leak of all affected customers (a total of approximately 1 billion records containing personal information).

“If you comply with our demands, we will cancel any active or ongoing negotiations with your customers. If you pay, your customers will no longer be attacked and will not receive ransom demands from us,” the attackers claim, addressing Salesforce.

The extortionists also threaten the company, claiming that once the data is released, they will help law firms file civil and commercial lawsuits against Salesforce. They also claim that the company failed to protect its customers’ data in accordance with the requirements of the European General Data Protection Regulation (GDPR).

As Bloomberg reported, Salesforce sent letters to its customers this week stating that it would not pay the ransom or negotiate with the hackers. The company also warned that, “according to credible information,” the attackers actually intend to release the stolen data soon.

Recall that the Salesforce data theft occurred as part of two separate campaigns. The first began in late 2024. At that time, attackers used social engineering techniques (usually posing as technical support staff) to convince employees of various companies to connect a malicious OAuth application to their corporate Salesforce instances. Once connected, the attackers used the access they gained to download and steal data, then blackmail the companies.

The second campaign began in August 2025. In this case, hackers used OAuth tokens stolen from SalesLoft Drift to access customers’ CRM systems and extract information.

The SalesLoft attacks primarily targeted support tickets, which contain credentials, API tokens, authentication tokens, and other information that could be used to compromise organizations’ internal infrastructure and cloud services.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
