Leading cloud-based customer relationship management (CRM) company Salesforce has taken a strong stand against hackers who have allegedly stolen vast quantities of customer data in recent cyberattacks. The hacker gang, purportedly connected to Scattered Spider, Lapsus$, and ShinyHunters, threatened to release up to one billion records unless Salesforce or its impacted customers paid a ransom. Even as the hackers listed scores of large corporations, including FedEx, Disney, Google, and Marriott, on leak sites as part of their pressure tactics, Salesforce responded by emailing its clients and publicly declaring that it would not engage with, negotiate over, or pay any extortion demands.
How the Attack Was Executed:
Rather than directly exploiting Salesforce’s primary infrastructure, the hackers targeted a well-known third-party integration, the Drift app from SalesLoft, which many Salesforce clients use to automate support and marketing. The cybercriminals used advanced social engineering techniques, such as phishing emails and phone impersonation (also known as “vishing”), to fool employees into installing malicious software or linking rogue OAuth apps to Salesforce accounts. After gaining access, the attackers stole confidential data from the Drift app and Salesforce environments, including customer contact information, IT support data, configuration data, and authorization tokens. They subsequently assembled these records for sale or public release on cybercrime forums.
Salesforce’s Stance and Customer Implications:
Salesforce’s refusal to pay the ransom is seen as a move to discourage future extortion attempts. Cybersecurity experts support the decision, noting that payment would only embolden criminal groups and encourage repeated attacks. However, this stance places additional pressure on the affected companies, which must now prepare for possible data leaks and strengthen their own incident response protocols. Salesforce is collaborating with law enforcement and external cybersecurity specialists to investigate the incident and guide clients through mitigation and notification processes. The company also promptly disabled connections between its platform and SalesLoft products to halt further breaches.
Salesforce Strengthens Security Measures Amid Rising Cyberattacks:
In response to escalating cyber threats targeting its customer ecosystem, Salesforce has doubled down on its security protocols in 2025. The company continues to emphasize multi-factor authentication, role-based access control, and encryption to safeguard sensitive client data. With attackers increasingly exploiting social engineering and third-party integrations, Salesforce urges clients to audit connected apps rigorously and adopt zero-trust models for identity and access management. Additionally, Salesforce offers advanced tools like event monitoring and AI-powered threat detection to provide real-time alerts and rapid incident response. The company collaborates with cybersecurity experts and law enforcement agencies to stay ahead of evolving attack techniques. By investing heavily in comprehensive security practices and user education, Salesforce aims to maintain its reputation as a trusted platform for enterprises worldwide, setting a high bar for SaaS providers navigating the complex cybersecurity landscape of 2025.
Lessons for SaaS Providers:
The case highlights the growing vulnerability of SaaS providers to supply chain threats and the necessity for strong third-party risk management. Cybersecurity professionals recommend regular audits of integrations, systematic staff training to recognize phishing attempts, and comprehensive incident response plans for data leaks originating from vendors’ ecosystems. As hackers increasingly target high-value data through social engineering and exploit trusted business applications, organizations are urged to bolster security not just within their own infrastructure, but across their entire chain of dependencies. Salesforce’s public position underscores an industry-wide shift toward proactive risk management and transparency in the face of rising cyber extortion threats.




