Hackers claim to have stolen over a billion Salesforce records - and are demanding nearly $1 billion not to leak them

News
By published

Scattered Lapsus$ Hunters are urging victims to step forward

Code Skull
(Image credit: Shutterstock)
  • Scattered Lapsus$ Hunters launch data leak site to pressure victims into ransom negotiations
  • Attackers exploited Salesloft’s Drift app to access Salesforce customer data, not Salesforce itself
  • Victims include Cloudflare, Zscaler, Tenable; Salesforce denies platform compromise or active vulnerabilities

Scattered Lapsus$ Hunters, a team-up of infamous hacking groups Scattered Spider, Lapsus$, and Shiny Hunters, has apparently created a standalone data leak and extortion page in order to pressure its victims into paying their ransom demands.

Earlier in 2025, news broke that the attackers managed to breach a third-party app - Salesloft’s Drift integration - and steal OAuth and refresh tokens. Then, they used the tokens to call the app customers’ Salesforce APIs and exfiltrate data such as customer contact records, case objects, and similar. Salesforce itself was not breached, but the data hosted by the clients was nabbed anyway.

The list of attacked organizations is quite extensive and includes a number of heavy hitters such as Cloudflare, Palo Alto Networks, Zscaler, Tenable, and others.

"unsubstantiated incidents"

Now, the threat actors are urging victims to reach out and negotiate a deal: “Contact us to regain control on data governance and prevent public disclosure of your data,” the announcement says. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”

Researchers fromTechCrunch, who claim to have seen the page late last week, say the list on the site misses a few names known to have been breached, and speculates some of the companies may have already paid the ransom demand.

The hackers, however, did not deny - or confirm - these speculations, telling the publication, “There are numerous other companies that have not been listed."

Salesforce, on the other hand, seems unphased by the new development, with a spokesperson saying, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”

“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.