Overview
- Salesforce told customers it will not negotiate or pay, warning that threat actors may begin leaking stolen data as the Friday deadline approaches.
- The Tor-based leak site used to pressure victims has gone offline; observers reported domain changes of the kind previously associated with FBI seizures, but no law-enforcement takedown has been confirmed.
- Qantas confirmed it is named on the site and secured an ongoing NSW Supreme Court injunction blocking access to or publication of the stolen data, while offering 24/7 support and identity-protection advice to affected customers.
- Security researchers attribute the campaign to vishing, malicious OAuth connected-app authorizations and a later pivot using stolen Salesloft/Drift tokens to reach CRM data, not to any vulnerability in the Salesforce platform itself.
- The attackers' stated totals are inconsistent: about 1 billion records from 39 companies in one claim, 1.5 billion across hundreds of companies in another. Samples reviewed contain significant PII but few passwords.