Salesforce refuses to pay ransomware crims’ extortion demand • The Register


Salesforce won’t pay a ransom demand to criminals who claim to have stolen nearly 1 billion customer records and are threatening to leak the data if the CRM giant doesn’t pony up some cash.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” Allen Tsai, a Salesforce spokesperson, told The Register. It has reportedly told customers the same thing.

The SaaS giant declined to answer any additional questions and directed us to the company’s official statements about the security incident. The most recent update, from October 2, says Salesforce is “aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities.”

These attempts to extort ransom payments “relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” it continues. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

The following day, October 3, a crew now calling itself Scattered LAPSUS$ Hunters listed 39 companies’ Salesforce environments on its new data-leak site and demanded a ransom payment to prevent what it claims is 989.45 million stolen records from being published online.

The gang also offered $10 in Bitcoin to anyone willing to “endlessly harass these executives” in an attempt to pressure the purported victims into paying ransoms.

Prior to the leak site going live, Google – which previously confirmed the attacks and is investigating the intrusions – and Salesforce notified organizations believed to be affected.

The criminals set an October 10 deadline for Salesforce to negotiate a payment, “or all your customers’ data will be leaked.”

The Register has learned that the stolen files Scattered LAPSUS$ Hunters are threatening to make public are primarily Salesforce customer data accessed from previous intrusions – not new breaches.

In an email it reportedly sent customers, Salesforce indicated ShinyHunters (UNC6240) stole the information earlier this year when it breached SalesLoft’s Drift application.

The app integrates with Salesforce to automate customer service interactions, and, after compromising it, the data thieves stole OAuth tokens, which allowed them access to numerous companies’ Salesforce instances. ®
