Salesforce Inc told customers on Oct 7 that it won’t pay a ransom demand from a hacker who claimed to have stolen a large amount of client data and threatened to publish it, according to an email seen by Bloomberg News.

The company said in a security notification that it had received "credible threat intelligence” indicating that a hacking group, known as ShinyHunters, was planning to share information stolen during a security incident earlier in the year involving a number of its customers, according to the email.

The incident involved the third-party app SalesLoft Inc, specifically its Drift app, which integrates with Salesforce to automate customer service interactions. The breach of the app resulted in the theft of data earlier this year from a number of organizations that use Salesforce.

Allen Tsai, a Salesforce spokesperson, said the company won’t engage, negotiate with or pay any extortion demand. The company is aware of recent extortion attempts, and it remains in contact with affected customers to provide support, the spokesperson said.

SalesLoft didn’t immediately respond to a request for comment.

In the email, Salesforce said hackers appear to have compiled the records taken from the Drift app in a large dataset, which was put up for sale on a cybercrime forum last week, rather than stealing customer information from a flaw in the core Salesforce platform.

Most of the information stolen from numerous Salesforce clients through the Drift app, which came to light in September, was customer contact information and basic IT support data. But it also included access tokens for user authorization and information about a customer’s IT configuration, in some cases.

SalesLoft advised customers on Aug. 19 to refresh access tokens used to secure the connection between Drift and Salesforce apps to stop outsiders from getting in.

In August, Google Threat Intelligence Group warned businesses about a large data theft campaign targeting Salesforce customer instances through the SalesLoft Drift third-party application between August 8 and August 15. Researchers said the hackers targeted sensitive credentials, passwords and some database access tokens.

The Salesforce spokesperson declined to say how many of the company’s customers had data exposed in the breach. Salesforce has "re-enabled integrations” with SalesLoft technologies after a pause but not the Drift app, which remains disabled, he said. – Bloomberg