Particle.news

Salesforce Refuses Ransom as Hacker Collective Lists 39 Victims, Sets Oct. 10 Deadline

Investigations point to social engineering and stolen OAuth tokens used against individual customer environments, not a breach of the Salesforce platform itself.

Overview

  • Salesforce told customers it will not negotiate or pay, warning that threat actors may begin leaking stolen data as the Friday deadline approaches.
  • The Tor-based leak site used to pressure victims has gone offline; reporters noted domain changes of the kind previously seen in FBI seizures, but no law-enforcement takedown has been confirmed.
  • Qantas confirmed it is named on the site and secured an ongoing NSW Supreme Court injunction barring access to or publication of the stolen data, and is offering affected customers 24/7 support and identity-protection advice.
  • Security researchers attribute the campaign to vishing calls used to get malicious OAuth connected apps authorised in victim orgs, followed by a later pivot that used stolen Salesloft/Drift tokens to pull CRM data; no vulnerability in the Salesforce platform is involved.
  • The attackers' claimed totals are inconsistent: roughly 1 billion records from the 39 listed companies in one statement versus 1.5 billion across hundreds of organisations in another. Samples reviewed so far contain substantial PII but few passwords.