
Salesforce providing support to customers listed on Scattered Spider extortion site

Salesforce said it is engaging with customers who are being extorted by cybercriminals through a recently created data leak site.

The Scattered Spider cybercriminal group published a new leak site on Thursday evening with dozens of large companies listed, claiming to have stolen data from the organizations through Salesforce. The group attached a lengthy extortion note threatening Salesforce and offering to rescind the extortion demands if Salesforce itself paid a ransom. 

When reached for comment, a Salesforce spokesperson told Recorded Future News that they are aware of the site and are investigating it with law enforcement and cybersecurity experts. 

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,” the spokesperson said.

“We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.”

The company provided a similar message on a status page and directed customers to a blog released in March about protecting against social engineering attacks. 

The spokesperson also directed Recorded Future News to a blog from incident responders at Google that covers a long-running voice phishing campaign launched by cybercriminals attached to the Scattered Spider group. The threat actors have compromised organizations' Salesforce instances “for large-scale data theft and subsequent extortion” by impersonating IT support personnel in phone calls. 

The Salesforce spokesperson highlighted a section of the blog that said the campaign “has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data.”

“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” Google experts wrote in August. 

None of the victims listed on the new Scattered Spider leak site responded to requests for comment except for Google, which previously confirmed that in June, one of their corporate Salesforce instances was accessed by members of the group. 

“The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google explained. 

“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

The data leak site created by Scattered Spider comes after a summer of headline-grabbing attacks on some of the largest companies in the world. The group’s members launched multiple successive campaigns targeting some of the biggest names in the airline, insurance and retail industries. Several of the victims listed on the site were previously identified as victims of Scattered Spider.

In total, the group says it now has more than 1 billion records as a result of its attacks and gave Salesforce a deadline of October 10 to pay a ransom. Salesforce declined to answer questions about whether it would pay.

Two alleged members of the group appeared in Westminster Magistrates Court last week under accusations that they were responsible for a cyberattack on the Transport for London agency last year. 

A Justice Department complaint unsealed last week said victims paid at least $115 million in ransom payments to members of the group as a result of at least 120 cyberattacks launched between 2022 and 2025. 

The complaint lists several victims who paid exorbitant ransoms — including two incidents where organizations paid him $25 million and $36.2 million respectively.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.