The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce information from 760 firms utilizing compromised Salesloft Drift OAuth tokens.
For the previous yr, the menace actors have been focusing on Salesforce prospects in knowledge theft assaults utilizing social engineering and malicious OAuth purposes to breach Salesforce cases and obtain knowledge. The stolen knowledge is then used to extort firms into paying a ransom to stop the info from being publicly leaked.
These assaults have been claimed by menace actors stating they’re a part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion teams, now calling themselves “Scattered Lapsus$ Hunters.” Google tracks this exercise as UNC6040 and UNC6395.
In March, one of many menace actors breached Salesloft’s GitHub repository, which contained the personal supply code for the corporate.
ShinyHunters advised BleepingComputer that the menace actors used the TruffleHog safety software to scan the supply code for secrets and techniques, which resulted within the discovering of OAuth tokens for the Salesloft Drift and the Drift E-mail platforms.
Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce occasion, permitting organizations to sync conversations, leads, and assist instances into their CRM. Drift E-mail is used to handle electronic mail replies and manage CRM and advertising and marketing automation databases.
Utilizing these stolen Drift OAuth tokens, ShinyHunters advised BleepingComputer that the menace actors stole roughly 1.5 billion knowledge information for 760 firms from the “Account“, “Contact“, “Case“, “Alternative“, and “Consumer” Salesforce object tables.
Of those information, roughly 250 million have been from the Account, 579 million from Contact, 171 million from Alternative, 60 million from Consumer, and about 459 million information from the Case Salesforce tables.
The Case desk was used to retailer data and textual content from assist tickets submitted by prospects of those firms, which, for tech firms, might embody delicate knowledge.
As proof that they have been behind the assault, the menace actor shared a textual content file itemizing the supply code folders within the breached Salesloft GitHub repository.
BleepingComputer contacted Salesloft with questions on these report counts and the whole variety of firms impacted, however didn’t obtain a response to our electronic mail. Nevertheless, a supply confirmed that the numbers are correct.
Google Menace Intelligence (Mandiant) reported that the stolen Case knowledge was analyzed for hidden secrets and techniques, resembling credentials, authentication tokens, and entry keys, to allow the attackers to pivot into different environments for additional assaults.
“After the info was exfiltrated, the actor searched by way of the info to search for secrets and techniques that could possibly be doubtlessly used to compromise sufferer environments,” defined Google.
“GTIG noticed UNC6395 focusing on delicate credentials resembling Amazon Internet Companies (AWS) entry keys (AKIA), passwords, and Snowflake-related entry tokens.”
The stolen Drift and Drift E-mail tokens have been utilized in large-scale knowledge theft campaigns that hit main firms, together with Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
As a result of sheer quantity of those assaults, the FBI lately launched an advisory warning concerning the UNC6040 and UNC6395 menace actors, sharing IOCs found in the course of the assaults.
Final Thursday, the menace actors claiming to be a part of Scattered Spider acknowledged that they deliberate to “go darkish” and cease discussing operations on Telegram.
In a parting submit, the menace actors claimed to have breached Google’s Regulation Enforcement Request system (LERS), which is utilized by legislation enforcement to problem knowledge requests, and the FBI eCheck platform, used for conducting background checks.
After contacting Google about these claims, the corporate confirmed that a fraudulent account was added to its LERS platform.
“We now have recognized {that a} fraudulent account was created in our system for legislation enforcement requests and have disabled the account,” Google advised BleepingComputer.
“No requests have been made with this fraudulent account, and no knowledge was accessed.”
Whereas the menace actors indicated they’re retiring, researchers from ReliaQuest report that the menace actors started focusing on monetary establishments in July 2025 and are prone to proceed conducting assaults.
To guard towards these knowledge theft assaults, Salesforce recommends that prospects comply with safety finest practices, together with enabling multi-factor authentication (MFA), imposing the precept of least privilege, and thoroughly managing linked purposes.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration developments.
