
ShinyHunters Claims Theft of 1.5 Billion Salesforce Records Using Compromised Drift OAuth Tokens

The ShinyHunters extortion group has allegedly stolen more than 1.5 billion Salesforce records from 760 companies after exploiting compromised Salesloft Drift OAuth tokens.

Over the past year, cybercriminals have been targeting Salesforce customers through social engineering tactics and malicious OAuth apps, enabling unauthorized access to Salesforce environments and mass data downloads. The stolen information is later used to pressure organizations into paying ransoms to prevent public leaks.

These campaigns have been linked to members of ShinyHunters, Scattered Spider, and Lapsus$, who are now referring to themselves as "Scattered Lapsus$ Hunters." Google tracks these operations under the names UNC6040 and UNC6395.

In March, one of the attackers infiltrated Salesloft’s GitHub repository, which stored private source code. ShinyHunters told BleepingComputer that they leveraged the TruffleHog security tool to uncover OAuth tokens hidden in the code. These tokens gave them access to both the Salesloft Drift platform—used to sync Drift AI chat agents with Salesforce—and Drift Email, which manages CRM email communications and marketing automation.

Using the stolen OAuth tokens, attackers exfiltrated around 1.5 billion records from key Salesforce object tables: Account, Contact, Case, Opportunity, and User. The stolen datasets included:

  • 250 million Account records

  • 579 million Contact records

  • 171 million Opportunity records

  • 60 million User records

  • 459 million Case records

The Case table, in particular, contained sensitive customer support ticket details, potentially exposing confidential information from tech company clients.

As proof, attackers shared a file listing Salesloft’s breached GitHub source code folders. While Salesloft did not respond to inquiries, a source confirmed the figures are accurate.

According to Google Threat Intelligence (Mandiant), attackers searched the stolen Case data for credentials, authentication tokens, and access keys to pivot into additional environments.

"After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments," Google explained.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."
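Two steps of this campaign relied on finding secrets in data nobody expected to hold them: OAuth tokens committed to a source repository, and credentials pasted into support cases. Defenders can run the same kind of search over their own repositories and exported Case text first, so that anything found gets rotated before it is useful to anyone else. The scanner below is an added example written for this post; it is not Salesloft, Salesforce, Google or TruffleHog code. It combines an AWS access key ID pattern (the AKIA prefix named above), keyword-labelled credential assignments, and a Shannon-entropy test for unlabelled tokens, and runs over constructed sample text in which every key and password is fake (the AWS key is the documented example value).

```python
"""Secret scanner over source text and exported support-ticket text.

Added example, not code from any of the companies named in the post. Detects
three kinds of leaked credential: AWS access key IDs ("AKIA" prefix),
keyword-labelled credential assignments, and unlabelled high-entropy strings.
The sample inputs are constructed; every credential in them is fake.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a source file that hard-codes credentials.
SAMPLE_SOURCE = """\
# integrations/chat_sync.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2"
API_TIMEOUT = 30
"""

# Constructed sample of a support case body in which a customer pasted secrets.
SAMPLE_TICKET = """\
Case 00012345: customer pasted their config while reporting a sync error:
  password=Tr0ub4dor&3
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.c2FtcGxl.c2lnbmF0dXJl
  Snowflake token pasted by customer K9QZ2RM7XB1LNW4DPT6YHJ0SAG8UCE5VOF3I
Please advise.
"""


@dataclass(frozen=True)
class Finding:
    source: str  # which document the hit came from
    line: int    # 1-based line number within that document
    kind: str    # detector that fired
    value: str   # the matched secret (redact before logging in real use)


# AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# key = value / key: value pairs whose key names a credential.
ASSIGN_RE = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]+)"
)
# Long runs of base64/hex-like characters are candidates for the entropy test.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; random base64 is ~6, English text ~4


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str) -> list[Finding]:
    """Run all three detectors over text, line by line, deduplicating hits."""
    findings: list[Finding] = []
    seen: set[str] = set()

    def add(line: int, kind: str, value: str) -> None:
        if value not in seen:
            seen.add(value)
            findings.append(Finding(source, line, kind, value))

    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            add(lineno, "aws_access_key_id", m.group(0))
        for m in ASSIGN_RE.finditer(line):
            add(lineno, "credential_assignment", m.group(2))
        for m in CANDIDATE_RE.finditer(line):
            cand = m.group(0)
            # Skip anything a keyword detector already captured (e.g. a JWT segment).
            if any(cand in v for v in seen):
                continue
            if shannon_entropy(cand) >= ENTROPY_THRESHOLD:
                add(lineno, "high_entropy", cand)
    return findings


def scan_documents(docs: dict[str, str]) -> list[Finding]:
    """Scan several named documents and return every finding."""
    out: list[Finding] = []
    for name, text in docs.items():
        out.extend(scan_text(text, name))
    return out


if __name__ == "__main__":
    docs = {"chat_sync.py": SAMPLE_SOURCE, "case-00012345": SAMPLE_TICKET}
    for f in scan_documents(docs):
        # Print only a prefix so the report itself does not become a secret store.
        print(f"{f.source}:{f.line} {f.kind}: {f.value[:6]}...")
```

The entropy detector is what catches the unlabelled Snowflake-style token on the last ticket line, which no keyword pattern would find; the keyword and AKIA detectors run first so that a JWT already reported as a `token:` value is not reported a second time by its high-entropy first segment. In production the report should feed a rotation ticket, never a log file.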

The massive breach impacted numerous companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks.

The FBI has since issued an advisory warning about the UNC6040 and UNC6395 groups, sharing indicators of compromise (IOCs) to help organizations defend against similar attacks.

Despite announcing they would “go dark” on Telegram, the attackers later claimed to have accessed Google’s Law Enforcement Request System (LERS) and the FBI eCheck platform. Google later confirmed, "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed."

Although the group suggested they were retiring, ReliaQuest researchers noted that in July 2025, they shifted focus toward financial institutions, making it likely these campaigns will continue.

To defend against such threats, Salesforce urges customers to enforce strong security measures, including multi-factor authentication (MFA), applying the principle of least privilege, and carefully vetting connected applications.
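The last two of those measures, least privilege and vetting connected applications, come down to a recurring review of which OAuth tokens exist in the org, what scopes they hold, and whether anyone still uses them. The audit below is an added example written for this post, not Salesforce tooling: it applies such a policy to a constructed set of token records. The field names (`app`, `user`, `scopes`, `last_used`) are assumptions about how an administrator's export of connected-app OAuth usage would be shaped, not a documented schema; the scope names `full`, `api` and `refresh_token` are real Salesforce OAuth scopes, and the app names and users are invented.

```python
"""Least-privilege audit of connected-app OAuth tokens.

Added example, not Salesforce's own code. Record fields are assumptions about
an administrator's export of connected-app OAuth usage; sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TokenRecord:
    app: str                  # connected app the token belongs to
    user: str                 # user who authorized it
    scopes: tuple[str, ...]   # OAuth scopes granted to the token
    last_used: date           # last API call made with it


@dataclass(frozen=True)
class AuditFinding:
    app: str
    user: str
    reason: str
    action: str


@dataclass(frozen=True)
class Policy:
    approved_apps: frozenset[str]     # apps that passed security review
    forbidden_scopes: frozenset[str]  # scopes no integration may hold
    max_idle_days: int                # revoke tokens unused longer than this


def audit_tokens(tokens: list[TokenRecord], policy: Policy, as_of: date) -> list[AuditFinding]:
    """Return one finding per policy violation, in input order."""
    findings: list[AuditFinding] = []
    for t in tokens:
        if t.app not in policy.approved_apps:
            findings.append(AuditFinding(
                t.app, t.user,
                "connected app not on the approved list",
                "revoke token and block app until reviewed"))
            continue  # an unapproved app is revoked regardless of the other checks
        over_broad = sorted(set(t.scopes) & policy.forbidden_scopes)
        if over_broad:
            findings.append(AuditFinding(
                t.app, t.user,
                f"over-broad scope(s): {', '.join(over_broad)}",
                "re-authorize with minimal scopes"))
        idle = (as_of - t.last_used).days
        if idle > policy.max_idle_days:
            findings.append(AuditFinding(
                t.app, t.user,
                f"token idle for {idle} days",
                "revoke stale token"))
    return findings


# Constructed policy and sample records (hypothetical apps and users).
POLICY = Policy(
    approved_apps=frozenset({"chat-sync", "sales-dashboard", "slack-connector"}),
    forbidden_scopes=frozenset({"full"}),
    max_idle_days=90,
)
AS_OF = date(2025, 9, 1)
SAMPLE_TOKENS = [
    TokenRecord("chat-sync", "integration@example.com", ("full", "refresh_token"), date(2025, 8, 28)),
    TokenRecord("sales-dashboard", "analyst@example.com", ("api", "refresh_token"), date(2025, 3, 1)),
    TokenRecord("export-helper", "sales.rep@example.com", ("api",), date(2025, 8, 31)),
    TokenRecord("slack-connector", "ops@example.com", ("api", "refresh_token"), date(2025, 8, 31)),
]

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, POLICY, AS_OF):
        print(f"{f.app} ({f.user}): {f.reason} -> {f.action}")
```

Three of the four sample tokens produce a finding: the approved chat integration holds the `full` scope, the dashboard token has not been used since March, and the export helper was never reviewed at all. The idle check is the one most directly suggested by this incident, since a long-lived token that no integration still uses does nothing for the business and, if it ever leaks from a repository or a log, does everything for an attacker.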