The notorious ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from more than 760 companies by exploiting compromised OAuth tokens from Salesloft Drift.

For the past year, attackers have been targeting Salesforce customers using social engineering and malicious OAuth applications to breach CRM instances and exfiltrate sensitive data. According to ShinyHunters, the stolen records were taken from Salesforce’s Account, Contact, Case, Opportunity, and User object tables and were later used to extort companies into paying ransoms to prevent public leaks.

The attack allegedly began after a breach of Salesloft’s GitHub repository in March, where threat actors used the TruffleHog security tool to scan for secrets. This search uncovered OAuth tokens for Salesloft Drift and Drift Email, enabling access to Salesforce environments.

ShinyHunters claims the stolen data includes:

  • 250 million records from Account tables
  • 579 million from Contact tables
  • 459 million from Case tables
  • 171 million from Opportunity tables
  • 60 million from User tables

The Case data is particularly sensitive, as it often contains customer-submitted support tickets, which in the case of tech companies may include credentials, authentication tokens, and access keys. Google’s Mandiant unit confirmed that attackers analyzed exfiltrated Case data to hunt for secrets that could enable further compromises, such as AWS access keys, Snowflake tokens, and passwords.
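The secret-hunting described above has a defensive mirror image: support-case text can be scanned for pasted credentials before it ever sits in a CRM table, and flagged or redacted. The following is an added example, not code from the article or from any of the vendors named in it; the case records are constructed for illustration, the AWS values are the publicly documented placeholder keys rather than live credentials, and the pattern set (AWS access key IDs and secret keys, bearer tokens, `password=` style assignments) is an illustrative subset chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample support cases (invented for this example; the AWS values are
# the publicly documented placeholder keys, not live credentials).
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Login page returns 500 after upgrade. Steps: open /admin, click Save."},
    {"id": "CASE-0002", "body": "Deploy fails. Here are my creds: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                                "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0003", "body": "API rejects my header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def' with 401."},
    {"id": "CASE-0004", "body": "Reset my login please, password=Summer2024! is not working."},
]

# Each pattern either matches the secret itself (no group) or captures it in group 1.
# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


def scan_text(text):
    """Return non-overlapping Findings (sorted by offset) for secrets in free text."""
    found = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            grp = 1 if pattern.groups else 0  # capture group holds the secret when present
            found.append(Finding(kind, m.start(grp), m.end(grp)))
    found.sort(key=lambda f: (f.start, -f.end))
    merged = []
    for f in found:
        if merged and f.start < merged[-1].end:
            continue  # overlaps an earlier finding; keep the first one
        merged.append(f)
    return merged


def redact_text(text):
    """Replace every detected secret with a [REDACTED:<kind>] marker."""
    out = text
    for f in reversed(scan_text(text)):  # right to left so offsets stay valid
        out = out[:f.start] + f"[REDACTED:{f.kind}]" + out[f.end:]
    return out


def triage_cases(cases):
    """Map case id -> sorted list of secret kinds found, omitting clean cases."""
    report = {}
    for case in cases:
        kinds = sorted({f.kind for f in scan_text(case["body"])})
        if kinds:
            report[case["id"]] = kinds
    return report


if __name__ == "__main__":
    for cid, kinds in triage_cases(SAMPLE_CASES).items():
        print(cid, kinds)
    print(redact_text(SAMPLE_CASES[1]["body"]))
```

Run at ticket-ingest time, `triage_cases` gives a per-case list of what was pasted so the account owner can be told to rotate it, while `redact_text` keeps the stored Case body free of the raw value; a record that is later exfiltrated then yields markers rather than working keys.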

Major companies reportedly affected include Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and others.


The FBI has since issued an advisory warning about ongoing campaigns by threat clusters UNC6040 and UNC6395, the groups Google tracks behind these attacks. Despite claims that members of “Scattered Lapsus$ Hunters” (a blend of ShinyHunters, Scattered Spider, and Lapsus$) were planning to “go dark,” researchers say the group has recently pivoted to targeting financial institutions.

Salesforce has urged customers to follow security best practices, including:

  • Enabling multi-factor authentication (MFA)
  • Enforcing least-privilege access
  • Monitoring and managing connected applications

As of now, Salesloft has not issued a public response regarding the reported breach.
