‘Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,’ according to Salesforce.
A hacker group that says it stole data from Salesforce users has set up a site boasting of about 990 million records stolen with a deadline of Oct. 10 to negotiate ransom before the group leaks the data.
The San Francisco-based enterprise applications vendor said in a statement Thursday that it is aware of the extortion attempts and investigated them in partnership with external experts and authorities.
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” according to Salesforce. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
[RELATED: 10 Major Cyberattacks And Data Breaches In 2025 (So Far)]
Salesforce Cyberattacks
Salesforce has about 12,000 partners worldwide.
Multiple media outlets shared screenshots of the hacker group’s data leak site Friday. The group, known as Scattered Lapsus$ Hunters, said that the data comes from 39 companies including Toyota, FedEx, Walgreens and HBO Max.
The threat actors say they are part of other groups, including ShinyHunters, Scattered Spider and Lapsus$, according to BleepingComputer. The group also said that if Salesforce itself pays the ransom, no other companies have to pay.
The group has Salesforce records with personally identifiable information (PII), according to Reuters. The threat actors didn’t hack Salesforce directly, using voice phishing to trick people. In June, Google published a guide on how the threat actors use voice phishing.
“We understand how concerning these situations can be,” the Salesforce statement said. “Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.”
ShinyHunters has waged data-theft attacks against Salesforce this year through compromising the Salesloft Drift third-party Salesforce application. The Salesloft Drift attacks have hit companies including Palo Alto Networks and Zscaler.
Cybersecurity researcher Kevin Beaumont, who posted screenshots online from the data leak site on Friday, said the data does appear to come from the Salesloft Drift breach.
“I’ve talked to one of the victim orgs – their sample data is indeed from their Salesforce instance,” he wrote. “Gonna be a long weekend for a bunch of orgs.”
Other cyberattacks in recent days include that of Red Hat customer data accessed through a vendor-managed GitLab instance and an extortion campaign targeting Oracle E-Business Suite customers.
