ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks

The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.

For the past year, the threat actors have been targeting Salesforce customers in data theft attacks, using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.

These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves "Scattered Lapsus$ Hunters." Google tracks this activity as UNC6040 and UNC6395.

In March, one of the threat actors breached Salesloft's GitHub repository, which contained the company's private source code.

ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the discovery of OAuth tokens for the Salesloft Drift and Drift Email platforms.

Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM. Drift Email is used to manage email replies and maintain CRM and marketing automation databases.

Using these stolen Drift OAuth tokens, ShinyHunters told BleepingComputer that the threat actors stole approximately 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Of these records, roughly 250 million were from the Account table, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million from the Case table.

The Case table was used to store information and text from support tickets submitted by these companies' customers, which, for tech companies, could include sensitive data.

As proof that they were behind the attack, the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repository.

BleepingComputer contacted Salesloft with questions about these file counts and the total number of companies impacted, but did not receive a response to our email. However, a source confirmed that the numbers are accurate.

Google Threat Intelligence (Mandiant) reported that the stolen Case data was analyzed for hidden secrets, such as credentials, authentication tokens, and access keys, to enable the attackers to pivot into other environments for further attacks.

"After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments," explained Google.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."
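Because the value of the stolen Case data came from secrets pasted into support-ticket text, defenders can run the same kind of check over their own Case records and redact hits before the data is synced to any third-party integration. The scanner below is an added example written for this article, not code from Google, Salesloft or BleepingComputer; the AWS access key ID format and the sample key value are AWS's own documented ones, while the password and Snowflake host patterns are heuristics assumed here.

```python
import re
from dataclasses import dataclass

# Patterns for the secret types the article says were hunted in stolen Case data.
# AWS access key IDs begin with "AKIA" followed by 16 upper-case alphanumerics
# (AWS's documented format); the password and Snowflake host patterns are
# heuristics assumed for this example, not vendor-defined token formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
    "snowflake_account_host": re.compile(r"\b([a-z0-9-]+\.snowflakecomputing\.com)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str
    value: str


def scan_cases(cases):
    """Return a Finding for every secret-like string in each Case's Description."""
    findings = []
    for case in cases:
        text = case.get("Description") or ""  # Description may be null in exports
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append(Finding(case["Id"], kind, match.group(1)))
    return findings


def redact(text):
    """Replace only the captured secret, keeping the surrounding ticket text readable."""
    for pattern in SECRET_PATTERNS.values():
        text = pattern.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), text)
    return text


# Constructed sample Case records resembling support tickets. The AKIA value is
# AWS's published example key, not a live credential; the other values are made up.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Description": "S3 upload fails with 403. Access key AKIAIOSFODNN7EXAMPLE, region us-east-1."},
    {"Id": "CASE-0002", "Description": "Temp password: Tr0ub4dor&3 for the admin user. Warehouse at xy12345.snowflakecomputing.com."},
    {"Id": "CASE-0003", "Description": "Dashboard widget does not render in Firefox."},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.record_id}: {f.kind} -> {f.value}")
    print(redact(SAMPLE_CASES[0]["Description"]))
```

A hit is a signal to rotate the credential, not just to redact the text, since the record may already have been replicated elsewhere.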

The stolen Drift and Drift Email tokens were used in large-scale data theft campaigns that hit major companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.

Due to the sheer volume of these attacks, the FBI recently released an advisory warning about the UNC6040 and UNC6395 threat actors, sharing IOCs discovered during the attacks.

Last Thursday, the threat actors claiming to be part of Scattered Spider stated that they planned to "go dark" and stop discussing operations on Telegram.

In a parting post, the threat actors claimed to have breached Google's Law Enforcement Request System (LERS), which is used by law enforcement to issue data requests, and the FBI eCheck platform, used for conducting background checks.

After contacting Google about these claims, the company confirmed that a fraudulent account was added to its LERS platform.

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.

"No requests were made with this fraudulent account, and no data was accessed."

While the threat actors indicated they are retiring, researchers from Bindiast report that the threat actors began targeting financial institutions in July 2025 and are likely to continue conducting attacks.

To protect against these data theft attacks, Salesforce recommends that customers follow security best practices, including enabling multi-factor authentication (MFA), implementing the principle of least privilege, and carefully managing connected applications.
