Salesforce Rejects Ransomware Demands

Salesforce has refused to comply with a ransom demand from criminals claiming to have stolen nearly 1 billion customer records. These criminals have threatened to leak the data if the CRM giant does not pay.

Allen Tsai, a Salesforce spokesperson, stated that the company will not engage in negotiations or pay any extortion demands. This stance has reportedly been communicated to customers as well.

The SaaS giant declined to provide further comments, referring to its official statements on the security incident. The latest update from October 2 indicates that Salesforce is aware of recent extortion attempts and is investigating with external experts and authorities.

These ransom demands are related to past or unverified incidents, and Salesforce is working with affected customers to provide support. Currently, there is no evidence that the Salesforce platform has been compromised, nor is there any connection to known vulnerabilities in their technology.

On October 3, a group named Scattered LAPSUS$ Hunters listed 39 companies' Salesforce environments on a new data-leak site, demanding a ransom to prevent the release of 989.45 million records.

The group also offered $10 in Bitcoin to anyone willing to harass executives to pressure the victims into paying. Before the site went live, Google and Salesforce notified organizations believed to be affected.

The criminals have set an October 10 deadline for Salesforce to negotiate, warning that all customer data will be leaked otherwise. The files threatened to be leaked are primarily Salesforce customer data accessed from previous intrusions, not new breaches.

Salesforce reportedly informed customers via email that ShinyHunters (UNC6240) stole the information earlier this year when it breached SalesLoft's Drift application. This app integrates with Salesforce to automate customer service interactions, and after compromising it, the data thieves stole OAuth tokens, granting access to numerous companies' Salesforce instances.