Thursday, September 18, 2025

ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks

The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.

For the past year, the threat actors have been targeting Salesforce customers in data theft attacks, using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.

These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves "Scattered Lapsus$ Hunters." Google tracks this activity as UNC6040 and UNC6395.

In March, one of the threat actors breached Salesloft's GitHub repository, which contained the company's private source code.

ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the discovery of OAuth tokens for the Salesloft Drift and Drift Email platforms.

Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM. Drift Email is used to manage email replies and organize CRM and marketing automation databases.

Using these stolen Drift OAuth tokens, ShinyHunters told BleepingComputer, the threat actors stole roughly 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Of these records, roughly 250 million were from the Account table, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million from the Case table.

The Case table is used to store information and text from support tickets submitted by customers of these companies, which, for tech companies, could include sensitive data.

As proof that they were behind the attack, the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repository.

BleepingComputer contacted Salesloft with questions about these record counts and the total number of companies impacted, but did not receive a response to our email. However, a source confirmed that the numbers are accurate.

Google Threat Intelligence (Mandiant) reported that the stolen Case data was analyzed for hidden secrets, such as credentials, authentication tokens, and access keys, to enable the attackers to pivot into other environments for further attacks.

"After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments," explained Google.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."
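The defender-side counterpart of what Google describes above is to scan your own Case exports for the same classes of secret before an attacker does, so that exposed credentials can be rotated and the ticket text redacted. The following is an added example, not code from Salesforce, Salesloft, Google or the article; the Case rows, the field names used and the secret patterns are constructed assumptions for illustration (the AWS key values are the documented AWS sample credentials). Findings carry only a four-character hint so that triage logs never reproduce the secret itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical secret detector for text pasted into support tickets (example code,
# not Salesforce's, Salesloft's or Google's). Each pattern exposes a "prefix" group
# (kept as context) and a "value" group (the secret itself, which gets redacted).
SECRET_PATTERNS = {
    # AWS access key IDs: the "AKIA" prefix plus 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"(?P<prefix>)(?P<value>\bAKIA[0-9A-Z]{16}\b)"),
    # AWS secret access keys assigned in config-style text (40 base64-like chars).
    "aws_secret_access_key": re.compile(
        r"(?P<prefix>(?i:aws_secret_access_key|secret)\s*[:=]\s*)(?P<value>[A-Za-z0-9/+]{40})\b"
    ),
    # Passwords written as key/value pairs.
    "password": re.compile(r"(?P<prefix>(?i:password|passwd|pwd)\s*[:=]\s*)(?P<value>\S+)"),
    # Bearer tokens copied out of HTTP headers.
    "bearer_token": re.compile(r"(?P<prefix>(?i:bearer)\s+)(?P<value>[A-Za-z0-9._\-]{20,})"),
}

# Constructed sample rows shaped like exported Salesforce Case objects (assumed field names).
SAMPLE_CASES = [
    {"Id": "500XX0000000001", "Subject": "Upload failing",
     "Description": "Our uploader errors out. Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500XX0000000002", "Subject": "Login issue",
     "Description": "User cannot log in; password: Hunter2!Reset and username admin@example.com"},
    {"Id": "500XX0000000003", "Subject": "Feature request",
     "Description": "Please add dark mode to the dashboard."},
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    field: str
    kind: str
    hint: str  # first four characters only; the full secret never enters triage output


def find_secrets(case_id: str, field: str, text: str) -> list[Finding]:
    """Return one Finding per secret-looking value in a single text field."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(case_id, field, kind, m.group("value")[:4] + "..."))
    return findings


def redact(text: str) -> str:
    """Replace every detected secret value with a placeholder, keeping the context around it."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: m.group("prefix") + f"[REDACTED:{k}]", text)
    return text


def scan_cases(cases, fields=("Subject", "Description")):
    """Scan exported Case rows; return the findings and a redacted copy of each row."""
    all_findings = []
    redacted_rows = []
    for row in cases:
        clean = dict(row)
        for field in fields:
            value = row.get(field) or ""
            all_findings.extend(find_secrets(row["Id"], field, value))
            clean[field] = redact(value)
        redacted_rows.append(clean)
    return all_findings, redacted_rows


if __name__ == "__main__":
    findings, rows = scan_cases(SAMPLE_CASES)
    for f in findings:
        print(f"{f.case_id} {f.field}: {f.kind} ({f.hint}) -> rotate this credential")
    for row in rows:
        print(row["Id"], row["Description"])
```

Run this over a Case export (for example a CSV dumped through the Bulk API) rather than over live records, and treat every finding as a credential to rotate, not just text to scrub: a key that sat in a support ticket has to be assumed copied.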

The stolen Drift and Drift Email tokens were used in large-scale data theft campaigns that hit major companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.

Due to the sheer volume of these attacks, the FBI recently released an advisory warning about the UNC6040 and UNC6395 threat actors, sharing IOCs discovered during the attacks.

Last Thursday, the threat actors claiming to be part of Scattered Spider stated that they planned to "go dark" and stop discussing operations on Telegram.

In a parting post, the threat actors claimed to have breached Google's Law Enforcement Request System (LERS), which is used by law enforcement to issue data requests, and the FBI eCheck platform, used for conducting background checks.

After contacting Google about these claims, the company confirmed that a fraudulent account was added to its LERS platform.

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.

"No requests were made with this fraudulent account, and no data was accessed."

While the threat actors indicated they are retiring, researchers from ReliaQuest report that the threat actors began targeting financial institutions in July 2025 and are likely to continue conducting attacks.

To protect against these data theft attacks, Salesforce recommends that customers follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications.
