Salesforce has made it clear, it won’t bow to cybercriminals. The cloud computing giant announced on Tuesday, October 7, 2025, that it will not pay ransom to hackers responsible for a massive data breach exposing close to one billion customer records from dozens of major corporations.
The attack, carried out by a hacker collective known as Scattered Lapsus$ Hunters, has shaken the enterprise software world. The group has threatened to release stolen data from 39 companies if Salesforce doesn’t comply with its demands before the October 10 deadline.
A Sophisticated Supply Chain Attack
Security experts say the breach is among the most significant supply chain attacks in years. Interestingly, Salesforce’s own systems were not directly compromised. Instead, the hackers exploited third-party integrations using OAuth tokens, particularly through Salesloft’s Drift AI chatbot, to infiltrate Salesforce environments.
According to a recent FBI flash alert, the attackers employed vishing (voice phishing) techniques, pretending to be IT personnel to trick employees into granting access to malicious applications inside company portals. The FBI warned that this method “bypasses many traditional defenses such as MFA, password resets, and login monitoring.”
Between August 8 and 18, 2025, Google’s Threat Intelligence Group reported that hackers leveraged compromised OAuth tokens to extract sensitive information, including AWS keys, Snowflake tokens, and user passwords, from Salesforce databases. Although they attempted to erase traces of their activity, audit logs captured key evidence for investigators.
Major Global Brands Affected
A dark web leak site launched on October 3 lists big names among the victims: Toyota, Disney, FedEx, Cisco, Google, Workday, and luxury brands such as Dior and Chanel. Cybersecurity firms like Cloudflare, Zscaler, and Palo Alto Networks have also confirmed being affected.
Hackers claim to hold more than 1.5 billion records spanning 760 companies, including 254 million accounts and 579 million contacts. Reports suggest that firms like TransUnion, Workday, and Google have already acknowledged breaches linked to Salesforce integrations this year.
Experts fear the exposed data could lead to targeted phishing campaigns, identity theft, and AI-driven attacks in the coming weeks.
Also read: Salesforce Data Breach 2025: What You Need to Know to Protect Your Business
Hackers Target Salesforce Directly
What makes this case even more alarming is the hackers’ unusual strategy; they’re demanding Salesforce itself pay to safeguard its customers’ data. Their message on the extortion site reads, “Contact us to regain control of data governance and prevent public disclosure.”
Brian Soby, CTO of AppOmni, called the move “the first known instance where hackers threaten to use existing litigation against a software vendor as leverage.” The group claims it will assist law firms pursuing GDPR lawsuits against Salesforce if its demands are ignored.
Salesforce, however, remains resolute. The company stated that there is “no evidence” its core platform was compromised and described the ransom demand as tied to “past or unsubstantiated incidents.” Salesforce continues to assist affected customers while working closely with cybersecurity agencies worldwide.
With the ransom deadline looming, experts warn that the coming days could determine the scale of the fallout, and whether Salesforce’s refusal marks a defining moment in corporate resilience against cyber extortion.
