Published: September 29, 2025 | Updated: October 8, 2025
The Original Breach
A well-known hacking group has launched an extortion campaign targeting Salesforce customers, claiming to have stolen one billion records from corporate cloud databases.
The attackers, previously linked to groups known as Lapsus$, Scattered Spider, and ShinyHunters, recently unveiled a dark web site called Scattered LAPSUS$ Hunters. The site is designed to pressure companies into paying for the safe return of their data.
“Contact us to regain control of your data and prevent public disclosure,” the site reads. Security researchers discovered the site late last week, noting that it listed dozens of high-profile corporate victims.
The hackers claim to have breached customer databases belonging to Allianz Life, Google, Kering, Qantas, Stellantis, TransUnion, and Workday. Other alleged victims include FedEx, Hulu, and Toyota, though those companies have not confirmed any compromise.
Salesforce spokesperson Nicole Aranda said the company is aware of the extortion campaign and continues to investigate. “Our findings indicate these attempts relate to past or unverified incidents,” Aranda said. “There is no evidence that Salesforce systems have been compromised.”
The incident highlights how ransomware tactics have evolved. Rather than encrypting company data privately, attackers now publish public threats, using humiliation as leverage. The rise of these data-leak sites reflects a shift toward psychological pressure and public spectacle.
Update: October 8, 2025 – Salesforce Refuses to Pay
Salesforce has officially confirmed it will not pay the ransom demanded by the group calling itself Scattered LAPSUS$ Hunters. The decision came after the hackers claimed responsibility for stealing nearly one billion records tied to Salesforce customer portals.
The syndicate had given Salesforce until Friday to pay or risk having the data released online. The site hosting the threats listed 39 affected companies, including Toyota and FedEx, and claimed to hold exactly “989.45 million” records.
In an email to reporters, a Salesforce representative stated, “Salesforce will not engage, negotiate with, or pay any extortion demand.” The company had earlier notified customers of the situation, warning of a credible threat that stolen data could be published.
The extortion effort began in May when the hackers made phone calls to organizations hosting data on Salesforce. Pretending to be legitimate partners, they convinced several employees to connect an attacker-controlled app to their systems. Investigators say that this form of “voice phishing” is one of the most successful social engineering tactics used against corporate employees.
Security experts at Mandiant, which tracks the group as UNC6040, said the campaign demonstrates how social manipulation now complements technical intrusion. Instead of breaking through firewalls, attackers increasingly target the trust and speed of the human response.
Global ransomware payments remain enormous, though slightly reduced from the previous year. Deepstrike estimates that organizations paid more than 800 million dollars in 2024 to stop or contain such attacks. Some individual payouts, such as the 75 million dollar payment made after the Cencora breach, have only encouraged copycat operations.
Cybersecurity researcher Kevin Beaumont has criticized companies that quietly pay ransom under the guidance of law enforcement observers. “Corporations should not be directly funding organized crime,” he wrote on Mastodon. “It only keeps the cycle alive.”
As Salesforce holds its ground, the wider question is whether refusing payment will actually deter future attacks or simply drive them toward more vulnerable targets.
For the employees caught in the middle, the reality is stark. Many now serve as the last line of defense against manipulation designed to exploit human urgency and trust. As digital infrastructure grows more interconnected, the security breach is no longer just a technical event. It is a mirror showing how deeply human behavior has become part of the attack surface itself.