Salesforce says it won’t pay extortion demand in 1 billion records breach

Salesforce says it is refusing to pay the demands of a crime syndicate that claims it stole nearly 1 billion records from dozens of Salesforce customers.

The threat group making the demands began its campaign in May, when it made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers presented a pretext that required the target to connect an attacker-controlled application to their Salesforce portal. Amazingly, though not surprisingly, many of those called complied.

It's getting real messy

The threat group behind the campaign calls itself Scattered LAPSUS$ Hunters, a mashup of three active data extortion actors: Scattered Spider, LAPSUS$ and ShinyHunters. Mandiant, meanwhile, tracks the group as UNC6040, because researchers have so far been unable to pinpoint the connections.

Earlier this month, the group created a website that named Toyota, FedEx and 37 other Salesforce customers whose data was stolen in the campaign. In total, the number of records recovered, according to Scattered LAPSUS$ Hunters, was “989.45 million/~1 billion+.” The site called on Salesforce to begin negotiations on the ransom amount, “or all your customers [sic] the data will be lost.” The site went on to say, “No one else will have to pay us if you pay, Salesforce, Inc.” The website states that the payment deadline is Friday.

In an email Wednesday, a Salesforce spokesperson said the company was rejecting the demand.
