Salesforce said it will not submit to extortion demands after a threat group claimed to have a massive trove of data collected in a series of hacking campaigns earlier this year.
The cybercrime group, which claims affiliation with Scattered Spider, Lapsus$ and ShinyHunters, launched a leak site last week that claimed to have data linked to 39 major companies across the globe.
“I can confirm Salesforce will not engage, negotiate with or pay for any extortion demand,” a Salesforce spokesperson told Cybersecurity Dive via email on Tuesday.
Salesforce said it has been investigating the claimed attacks with outside forensic experts and law enforcement. The company said the attacks do not involve any vulnerability in its own technology and that the Salesforce platform has not been compromised.
Bloomberg reported that Salesforce informed customers it would not pay for the extortion after a demand had been made.
The group claims to have more than 1 billion records that contain personally identifiable information. The specific types of personal data potentially being leaked, for example credit card or other financial information, are not immediately known.
The threat group is claiming the stolen data is linked to two separate campaigns, according to researchers from Sophos. Sophos provided copies of screenshots with additional evidence of the extortion claims.
Some of the stolen data is linked to hacks using voice phishing to impersonate IT workers and trick employees into installing a malicious version of the Salesforce Data Loader. This campaign is linked to 39 initial companies listed on a data leak site.
Separately, hackers used stolen OAuth tokens from an integration with Salesloft Drift to gain access to Salesforce customers' environments and hunt for credentials. This campaign involves 760 organizations, and the stolen data will allegedly be posted on a leak site starting Friday, according to the claims.
The FBI in September issued a warning about the campaigns, urging organizations to protect their systems and report any suspicious activity.
Researchers said the hackers are also using some additional psychological tactics.
“Interestingly, as a pressure tactic the group have offered all subscribers of their Telegram channel $10 in BTC if they email senior executives of the listed companies to demand that they pay the ransom,” said Aiden Sinnott, senior threat researcher at Sophos Counter Threat Unit. “We haven’t really seen this kind of crowdsourced pressure tactic used before.”