Salesforce Won't Pay After 1B Record Claim

A criminal group calling itself Scattered LAPSUS$ Hunters/Scattered Spider/Lapsus$/ShinyHunters claims to hold roughly 989 million–1 billion records and has listed 39 companies on a leak site. Salesforce says its platform shows no sign of compromise, describes much of the activity as past or unsubstantiated, and has told customers it will not engage with, negotiate with, or pay extortion demands while working with external forensic experts and law enforcement to support affected customers. Researchers and incident reports indicate much of the exposed data stems from earlier intrusions that compromised a Salesloft/Drift integration (stolen OAuth credentials), social‑engineering campaigns including voice‑phishing, and malicious Data Loader installers, exposing contact information, authorization tokens and IT configuration data. The extortionists set an October deadline and reportedly offered small bounties to pressure executives into paying; at times law enforcement has disrupted the group's leak site. The campaign targeted customers via third‑party integrations rather than a direct breach of Salesforce's core systems, highlighting supply‑chain and cloud‑ecosystem risks. Companies named by the group include Google, FedEx, Hulu, Toyota, Cloudflare, Zscaler and Workday.