
FBI takes down BreachForums site used to extort Salesforce customers


The FBI last night reportedly completed a takedown of a BreachForums domain used by ShinyHunters as a data leak extortion site for the recent wave of attacks on Salesforce customers.

SC Media reported that Salesforce on Oct. 7 refused to negotiate or pay a ransom in attacks that targeted at least 39 of its customers, many of them high-profile companies such as FedEx, Disney, and Google.

The Oct. 7 news prompted speculation among security experts that a takedown was imminent — and most cyber pros welcomed the news.

“What I'm impressed with is their speed, which is great,” said Lawrence Pingree, vice president at Dispersive Holdings. “Takedowns, like any other law enforcement action, are crucial for stopping escalating attacks. Essentially, takedowns help remove the possible future use of data.”

Pingree added that the source of the data and the number of customers impacted make this a much larger industry issue. He said extortions are often quite costly, and in some cases ransomware operators and extortionists make promises not to release data, only to do so later, or breach an entity again to extort another round of funds.

Amir Khayat, co-founder and CEO of Vorlon, added that what’s most concerning here is that ShinyHunters claims to have stolen over one billion records from household names such as Disney, FedEx, and McDonald's. And, even with BreachForums taken down, Khayat said they're still threatening to leak this data, proving that takedowns are only tactical — they don't fix the strategic vulnerability.

“Until organizations gain continuous, real-time visibility across their SaaS ecosystem and can distinguish legitimate integrations from malicious activity, attackers will continue exploiting these third-party paths again and again,” said Khayat.

Adam Burt, head of research at Vorlon, said this takedown will undoubtedly put roadblocks in front of the ShinyHunters group, but it won't deter them from continuing their campaign, nor from posting the exfiltrated data.

“After all, if we are driving towards a road that’s closed, we simply find another road to our destination,” he said. “As security practitioners, we shouldn't need to rely on hindsight to prevent further breaches related to tokens and applications. Monitor and take action now, so that we no longer need hindsight.”

Anurag Gurtu, chief executive officer at Airrived, said bluntly that domain seizures are speed bumps, not stop signs: they momentarily scatter attackers, but experienced crews quickly rebuild their infrastructure elsewhere. Gurtu said the real impact comes when infrastructure disruption is paired with financial tracing, arrests, or infrastructure-level deterrence.

“Even if no leak is visible, assume exposure,” said Gurtu. “This takedown signals a turning point. We’re moving from cleaning up ransomware damage to dismantling extortion ecosystems before they mature. It’s a smarter, preemptive strategy — hitting the business model, not just the malware.”

Here's some quick advice for security teams from Gurtu:

  • Immediately revoke and rotate all OAuth tokens, audit API connections, and validate CRM access logs.
  • Focus on identity, session, and integration hygiene — because once tokens are stolen, attackers can weaponize trust long before data ever hits the dark web.
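The audit step above is easiest to reason about with a concrete pass over CRM access logs. The following is an added example, not code from SC Media, Airrived, or any CRM vendor: it parses a constructed CSV export of API calls (the column names and the sample rows are assumptions made for this example, not a real vendor schema), flags connected apps that are not on an approved-integration list, flags bulk exports above a size the org considers normal even when the app is approved, and returns the (app, user) pairs whose OAuth tokens should be revoked first.

```python
import csv
import io

# Constructed sample log: what a CRM API access export might look like once
# flattened to CSV. Column names are assumptions for this example, not a
# vendor schema. Two of the apps are approved integrations; one is not.
SAMPLE_LOG = """\
timestamp,user,connected_app,client_ip,operation,rows
2025-10-06T08:01:12Z,alice@example.com,Marketing Sync,203.0.113.10,query,120
2025-10-06T08:05:40Z,bob@example.com,Marketing Sync,203.0.113.10,query,95
2025-10-06T09:12:03Z,carol@example.com,Data Loader Helper,198.51.100.77,bulk_query,450000
2025-10-06T09:14:55Z,carol@example.com,Data Loader Helper,198.51.100.77,bulk_query,380000
2025-10-06T10:02:17Z,alice@example.com,Support Desk,203.0.113.22,query,40
2025-10-06T11:30:00Z,dave@example.com,Support Desk,203.0.113.22,bulk_query,600000
"""

# Hypothetical allow-list of integrations the org has actually reviewed.
APPROVED_APPS = {"Marketing Sync", "Support Desk"}

# Rows per single bulk call above which an export is unusual for this org.
# Tune to the org's real baseline; 250k is an assumption for the sample.
BULK_ROW_THRESHOLD = 250_000


def parse_log(text):
    """Parse the CSV export into a list of dicts with an integer row count."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["rows"] = int(rec["rows"])
        events.append(rec)
    return events


def audit(events, approved_apps=APPROVED_APPS, bulk_threshold=BULK_ROW_THRESHOLD):
    """Return findings as (app, user, reason) tuples in log order.

    Rule 1: any call from a connected app that is not an approved integration
            is reported once per (app, user) pair.
    Rule 2: any bulk export at or above the threshold is reported, whether or
            not the app is approved, so a stolen token on a trusted
            integration still surfaces.
    """
    findings = []
    reported_unapproved = set()
    for ev in events:
        app, user = ev["connected_app"], ev["user"]
        if app not in approved_apps and (app, user) not in reported_unapproved:
            reported_unapproved.add((app, user))
            findings.append((app, user, "integration not in approved list"))
        if ev["operation"] == "bulk_query" and ev["rows"] >= bulk_threshold:
            findings.append((app, user, f"bulk export of {ev['rows']} rows"))
    return findings


def tokens_to_revoke(findings):
    """Distinct (app, user) pairs to revoke and rotate first, sorted for review."""
    return sorted({(app, user) for app, user, _ in findings})


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG))
    for app, user, reason in found:
        print(f"{app:20s} {user:20s} {reason}")
    print("revoke first:", tokens_to_revoke(found))
```

On the constructed sample this reports the unapproved "Data Loader Helper" app used by carol, both of its large bulk pulls, and a 600,000-row export through the approved "Support Desk" app by dave; the revocation list is those two (app, user) pairs. The point of the second rule is the one Gurtu makes: once a token is stolen, the activity comes through an integration the org trusts, so volume and operation type have to be checked independently of the allow-list. Feed the resulting pairs to whatever token-revocation and connected-app management the CRM platform provides, then rotate the credentials for the legitimate integrations.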
