The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce information from 760 firms utilizing compromised Salesloft Drift OAuth tokens.
For the previous 12 months, the menace actors have been concentrating on Salesforce clients in information theft assaults utilizing social engineering and malicious OAuth functions to breach Salesforce cases and obtain information. The stolen information is then used to extort firms into paying a ransom to forestall the info from being publicly leaked.
These assaults have been claimed by menace actors stating they’re a part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion teams, now calling themselves “Scattered Lapsus$ Hunters.” Google tracks this exercise as UNC6040 and UNC6395.
In March, one of many menace actors breached Salesloft’s GitHub repository, which contained the non-public supply code for the corporate.
ShinyHunters instructed BleepingComputer that the menace actors used the TruffleHog safety instrument to scan the supply code for secrets and techniques, which resulted within the discovering of OAuth tokens for the Salesloft Drift and the Drift E mail platforms.
Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce occasion, permitting organizations to sync conversations, leads, and assist circumstances into their CRM. Drift E mail is used to handle e mail replies and manage CRM and advertising automation databases.
Utilizing these stolen Drift OAuth tokens, ShinyHunters instructed BleepingComputer that the menace actors stole roughly 1.5 billion information information for 760 firms from the “Account“, “Contact“, “Case“, “Alternative“, and “Consumer” Salesforce object tables.
Of those information, roughly 250 million have been from the Account, 579 million from Contact, 171 million from Alternative, 60 million from Consumer, and about 459 million information from the Case Salesforce tables.
The Case desk was used to retailer data and textual content from assist tickets submitted by clients of those firms, which, for tech firms, might embody delicate information.
As proof that they have been behind the assault, the menace actor shared a textual content file itemizing the supply code folders within the breached Salesloft GitHub repository.
BleepingComputer contacted Salesloft with questions on these file counts and the entire variety of firms impacted, however didn’t obtain a response to our e mail. Nevertheless, a supply confirmed that the numbers are correct.
Google Risk Intelligence (Mandiant) reported that the stolen Case information was analyzed for hidden secrets and techniques, equivalent to credentials, authentication tokens, and entry keys, to allow the attackers to pivot into different environments for additional assaults.
“After the info was exfiltrated, the actor searched by way of the info to search for secrets and techniques that may very well be doubtlessly used to compromise sufferer environments,” defined Google.
“GTIG noticed UNC6395 concentrating on delicate credentials equivalent to Amazon Net Companies (AWS) entry keys (AKIA), passwords, and Snowflake-related entry tokens.”
The stolen Drift and Drift E mail tokens have been utilized in large-scale information theft campaigns that hit main firms, together with Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
As a result of sheer quantity of those assaults, the FBI not too long ago launched an advisory warning concerning the UNC6040 and UNC6395 menace actors, sharing IOCs found through the assaults.
Final Thursday, the menace actors claiming to be a part of Scattered Spider acknowledged that they deliberate to “go darkish” and cease discussing operations on Telegram.
In a parting publish, the menace actors claimed to have breached Google’s Regulation Enforcement Request system (LERS), which is utilized by legislation enforcement to concern information requests, and the FBI eCheck platform, used for conducting background checks.
After contacting Google about these claims, the corporate confirmed that a fraudulent account was added to its LERS platform.
“We’ve recognized {that a} fraudulent account was created in our system for legislation enforcement requests and have disabled the account,” Google instructed BleepingComputer.
“No requests have been made with this fraudulent account, and no information was accessed.”
Whereas the menace actors indicated they’re retiring, researchers from ReliaQuest report that the menace actors started concentrating on monetary establishments in July 2025 and are more likely to proceed conducting assaults.
To guard in opposition to these information theft assaults, Salesforce recommends that clients observe safety finest practices, together with enabling multi-factor authentication (MFA), implementing the precept of least privilege, and punctiliously managing linked functions.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration developments.
