Salesforce Confirms It Won’t ‘Engage, Negotiate With, Or Pay’ Threat Actors

‘Salesforce will not engage, negotiate with, or pay any extortion demand,’ a spokesperson with the San Francisco-based enterprise applications vendor said in an email Wednesday.

Cyberattack and internet crime, hacking and malware concepts. Digital binary code data numbers and secure lock icons on hacker' hands working with keyboard computer on dark blue tone background.

Salesforce has confirmed to CRN that it will not pay a hacker group’s ransom after the group set up a site boasting of about 990 million records stolen from users by exploiting a third-party application.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” a spokesperson with the San Francisco-based enterprise applications vendor said in an email Wednesday.

The company still has until Friday to negotiate with the group, known as Scattered Lapsus$ Hunters and allegedly made up of members of other threat actors including ShinyHunters, Scattered Spider and Lapsus$.

[RELATED: 10 Major Cyberattacks And Data Breaches In 2025 (So Far)]

Salesforce Ransom

Salesforce has about 12,000 partners worldwide.

The vendor also told customers in an email Tuesday that it won’t pay the ransom, according to Bloomberg. Salesforce told customers the hacker group’s data–mostly customer contact information and basic IT support data, but also including authorization access tokens and IT configuration data–comes from the breach earlier this year of Salesloft’s Drift application.

The data leak site appears to have been shut down by the FBI, according to BleepingComputer. Companies affected by the Salesloft supply-chain attack include Google, Cloudflare, Zscaler and Palo Alto Networks.

Salesforce has long maintained that group did not get the data by exploiting a flaw in Salesforce products.

CRN has reached out to Atlanta-based Salesloft for comment. On Aug. 26, the company posted an update to its website saying that between Aug. 8 and Aug. 18 a threat actor used OAuth credentials to exfiltrate data from customers’ Salesforce instances.

“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” according to Salesloft. “We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident.”