The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves “Scattered Lapsus$ Hunters.” Google tracks this activity as UNC6040 and UNC6395.
In March, one of the threat actors breached Salesloft’s GitHub repository, which contained the private source code for the company.
ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms.
Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM. Drift Email is used to manage email replies and organize CRM and marketing automation databases.
ShinyHunters told BleepingComputer that, using these stolen Drift OAuth tokens, the threat actors stole approximately 1.5 billion data records for 760 companies from the “Account”, “Contact”, “Case”, “Opportunity”, and “User” Salesforce object tables.
Of these records, approximately 250 million were from the Account, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million records from the Case Salesforce tables.
The Case table was used to store information and text from support tickets submitted by customers of these companies, which, for tech companies, could include sensitive data.
As proof that they were behind the attack, the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repository.
BleepingComputer contacted Salesloft with questions about these record counts and the total number of companies impacted, but did not receive a response to our email. However, a source confirmed that the numbers are accurate.
Google Threat Intelligence (Mandiant) reported that the stolen Case data was analyzed for hidden secrets, such as credentials, authentication tokens, and access keys, to enable the attackers to pivot into other environments for further attacks.
“After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” explained Google.
“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.”
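As a defender-side illustration of the secret hunting Google describes above, here is an added Python example (not code from the article, Google, Salesloft, or Salesforce) that scans Salesforce Case-style records for AWS access key IDs and password assignments so they can be flagged and redacted before support-ticket text ever sits in the CRM. The sample records and the password-assignment pattern are constructed assumptions, not observed indicators from the campaign.

```python
import re
from collections import Counter

# Constructed Salesforce Case-style records for illustration; not real data.
SAMPLE_CASES = [
    {"CaseNumber": "00001001",
     "Description": "Deploy fails. Our config has AKIAIOSFODNN7EXAMPLE as the key id."},
    {"CaseNumber": "00001002",
     "Description": "Temp creds attached: ASIAQWERTYUIOPASDFGH, please advise."},
    {"CaseNumber": "00001003",
     "Description": "Reset request. password: Hunter2! for the staging admin."},
    {"CaseNumber": "00001004",
     "Description": "Customer asked what the word password means in the training deck."},
    {"CaseNumber": "00001005",
     "Description": "Mentions AKIA123 in an old screenshot, nothing else."},
]

# Detection patterns. AWS access key IDs are 20 characters: AKIA (long-term)
# or ASIA (temporary) followed by exactly 16 uppercase alphanumerics; the word
# boundaries reject near misses such as 'AKIA123' or a 21-character string.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # Assumed pattern for 'password: value' / 'pwd=value' style assignments.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

def find_secrets(text):
    """Return (kind, matched_text) for each secret-like token found in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.group(0)))
    return hits

def redact(text):
    """Replace each detected secret with a placeholder that keeps the kind for triage."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED {kind}]", text)
    return text

def scan_cases(cases):
    """Summarize which Case records carry secrets and which kinds were found."""
    flagged, kinds = [], Counter()
    for case in cases:
        hits = find_secrets(case["Description"])
        if hits:
            flagged.append(case["CaseNumber"])
            kinds.update(kind for kind, _ in hits)
    return {"flagged_cases": flagged, "kinds": dict(kinds)}

if __name__ == "__main__":
    print(scan_cases(SAMPLE_CASES))
    for case in SAMPLE_CASES:
        print(case["CaseNumber"], redact(case["Description"]))
```

Running the same scan over a real Case export (or as a validation rule before a ticket is saved) turns the attackers' post-exfiltration step into a pre-storage control.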
The stolen Drift and Drift Email tokens were used in large-scale data theft campaigns that hit major companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.
Due to the sheer volume of these attacks, the FBI recently released an advisory warning about the UNC6040 and UNC6395 threat actors, sharing IOCs discovered during the attacks.
Last Thursday, the threat actors claiming to be part of Scattered Spider stated that they planned to “go dark” and stop discussing operations on Telegram.
In a parting post, the threat actors claimed to have breached Google’s Law Enforcement Request system (LERS), which is used by law enforcement to issue data requests, and the FBI eCheck platform, used for conducting background checks.
When BleepingComputer contacted Google about these claims, the company confirmed that a fraudulent account had been added to its LERS platform.
“We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account,” Google told BleepingComputer.
“No requests were made with this fraudulent account, and no data was accessed.”
While the threat actors indicated they are retiring, researchers from ReliaQuest report that the threat actors began targeting financial institutions in July 2025 and are likely to continue conducting attacks.
To protect against these data theft attacks, Salesforce recommends that customers follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications.