Overview

• Salesforce told customers it will not negotiate or pay, warning that threat actors may begin leaking stolen data as the Friday deadline approaches.
• The Tor-based leak site used to pressure victims has gone offline, with domain changes previously associated with FBI seizures reported, though any law-enforcement takedown remains unconfirmed.
• Qantas confirmed it is named on the site and secured an ongoing NSW Supreme Court injunction to block access or publication of the stolen data while providing 24/7 support and identity protection advice.
• Security researchers link the campaign to vishing, malicious OAuth app connections, and a later pivot using Salesloft/Drift tokens to access CRM data rather than any Salesforce platform vulnerability.
• The attackers tout inconsistent totals for the haul—about 1 billion records for 39 companies versus claims of 1.5 billion across hundreds—while samples reviewed include significant PII but few passwords.