The **ShinyHunters** extortion group exploited compromised **Drift OAuth tokens** linked to **Salesloft** to steal over **1.5 billion Salesforce records** from **760 companies**. Attackers used **social engineering and malicious OAuth apps** to infiltrate Salesforce environments and exfiltrate CRM data at scale: **250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records**. The breach originated from a **GitHub repository compromise** at Salesloft, where attackers used **TruffleHog** to extract secrets from the repository, including OAuth tokens for Drift and Drift Email, which gave them unauthorized access to Salesforce-integrated systems.

The stolen **Case data** was then mined for **AWS keys, Snowflake tokens, and other credentials**, enabling deeper intrusions into victim networks. High-profile targets allegedly include **Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others**. The attackers demanded **ransom payments** to prevent data leaks while continuing to **search for additional secrets** to expand the campaign. The FBI issued an advisory on the threat actors (**UNC6040/6395**), warning of ongoing risk. Salesforce advised customers to enforce **MFA, least-privilege access, and stricter OAuth app management** to limit exposure.
Source: https://cybersafe.news/shinyhunters-steal-1-5b-salesforce-records-via-drift-oauth-breach/
TPRM report: https://www.rankiteo.com/company/salesforce
{
  "id": "sal5732257091825",
  "linkid": "salesforce",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  'affected_entities': [
    {'customers_affected': '760 companies',
     'industry': 'Technology/Software',
     'location': 'Global (HQ: San Francisco, USA)',
     'name': 'Salesforce',
     'size': 'Enterprise',
     'type': 'Cloud CRM Provider'},
    {'industry': 'Technology/Software',
     'location': 'USA (HQ: Atlanta, Georgia)',
     'name': 'Salesloft',
     'size': 'Mid-to-Large Enterprise',
     'type': 'Sales Engagement Platform'},
    {'industry': 'Technology/Software',
     'location': 'USA (HQ: Boston, Massachusetts)',
     'name': 'Drift',
     'size': 'Mid-to-Large Enterprise',
     'type': 'Conversational Marketing Platform'},
    {'industry': 'Technology/Internet Services',
     'location': 'Global (HQ: Mountain View, USA)',
     'name': 'Google',
     'size': 'Mega-Enterprise',
     'type': 'Technology Conglomerate'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: San Francisco, USA)',
     'name': 'Cloudflare',
     'size': 'Enterprise',
     'type': 'Web Infrastructure & Security'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Santa Clara, USA)',
     'name': 'Palo Alto Networks',
     'size': 'Enterprise',
     'type': 'Cybersecurity'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: San Jose, USA)',
     'name': 'Zscaler',
     'size': 'Enterprise',
     'type': 'Cloud Security'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Columbia, USA)',
     'name': 'Tenable',
     'size': 'Enterprise',
     'type': 'Vulnerability Management'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Petah Tikva, Israel)',
     'name': 'CyberArk',
     'size': 'Enterprise',
     'type': 'Privileged Access Management'},
    {'industry': 'Technology/Software',
     'location': 'Global (HQ: Mountain View, USA)',
     'name': 'Elastic',
     'size': 'Enterprise',
     'type': 'Search & Analytics'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Foster City, USA)',
     'name': 'Qualys',
     'size': 'Enterprise',
     'type': 'IT Security & Compliance'},
    {'industry': 'Technology/Software',
     'location': 'Global (HQ: San Jose, USA)',
     'name': 'Nutanix',
     'size': 'Enterprise',
     'type': 'Cloud Computing'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Sunnyvale, USA)',
     'name': 'Proofpoint',
     'size': 'Enterprise',
     'type': 'Cybersecurity (Email Security)'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Phoenix, USA)',
     'name': 'BeyondTrust',
     'size': 'Enterprise',
     'type': 'Privileged Access Management'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Palo Alto, USA)',
     'name': 'Rubrik',
     'size': 'Enterprise',
     'type': 'Data Management & Security'},
    {'industry': 'Technology/Cybersecurity',
     'location': 'Global (HQ: Tel Aviv, Israel)',
     'name': 'Cato Networks',
     'size': 'Mid-to-Large Enterprise',
     'type': 'Network Security'}],
  'attack_vector': ['Social Engineering',
                    'Malicious OAuth Applications',
                    'Compromised GitHub Repository',
                    'Exploited OAuth Tokens (Drift/Salesloft)',
                    'Secrets Exposure (TruffleHog)'],
  'customer_advisories': ['Salesforce Recommendations for Customers to Secure Environments'],
  'data_breach': {
    'data_exfiltration': ['Confirmed (Massive Scale)',
                          'Evidence: Shared File Listing Salesloft’s Breached Source Code Folders'],
    'file_types_exposed': ['Salesforce Database Records',
                           'Source Code (Salesloft GitHub)',
                           'Configuration Files',
                           'API Keys/Secrets'],
    'number_of_records_exposed': '1.5 billion',
    'personally_identifiable_information': ['Contact Records (Names, Email Addresses, Phone Numbers, etc.)',
                                            'User Records (Employee/Client Data)'],
    'sensitivity_of_data': ['High (PII, Business-Critical CRM Data, Credentials)'],
    'type_of_data_compromised': ['CRM Data (Salesforce Objects)',
                                 'Account Records',
                                 'Contact Records (PII)',
                                 'Opportunity Records',
                                 'User Records',
                                 'Case Records (Support Tickets)',
                                 'AWS Keys',
                                 'Snowflake Tokens',
                                 'Other Credentials']},
  'description': ("The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens linked to Salesloft. "
                  "Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating data and extorting victims with ransom demands. "
                  "The campaigns are tied to groups operating under the names ShinyHunters, Scattered Spider, and Lapsus$ (now calling themselves 'Scattered Lapsus$ Hunters'). "
                  "In March, an actor breached Salesloft’s GitHub repository, locating secrets—including OAuth tokens for Drift and Drift Email—using the TruffleHog tool. "
                  "The stolen data spans Salesforce objects including Account, Contact, Opportunity, User, and Case tables. "
                  "Attackers also searched Case data for secrets like AWS keys and Snowflake tokens to enable further intrusions. "
                  "Victims allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, and others. "
                  "The FBI issued an advisory on UNC6040/6395, warning of ongoing campaigns."),
  'impact': {
    'brand_reputation_impact': ['High (Public Disclosure of Breach)',
                                'Loss of Customer Trust',
                                'Potential Regulatory Scrutiny'],
    'data_compromised': {'Salesforce_Account': '250 million records',
                         'Salesforce_Case': '459 million records',
                         'Salesforce_Contact': '579 million records',
                         'Salesforce_Opportunity': '171 million records',
                         'Salesforce_User': '60 million records',
                         'Total': '1.5 billion records'},
    'identity_theft_risk': ['High (PII in Contact/Account Records)',
                            'Credential Stuffing Risk'],
    'operational_impact': ['Unauthorized Data Access',
                           'Extortion Threats',
                           'Potential Further Intrusions via Stolen Credentials',
                           'Reputation Damage for Affected Companies'],
    'systems_affected': ['Salesforce CRM',
                         'Drift AI Chat/Email Services',
                         'Salesloft Platform',
                         'GitHub Repository (Salesloft)',
                         'Connected Applications (AWS, Snowflake, etc.)']},
  'initial_access_broker': {
    'data_sold_on_dark_web': ['Likely (ShinyHunters Modus Operandi)'],
    'entry_point': ['Compromised Salesloft GitHub Repository (Secrets Exposure)',
                    'Malicious OAuth Applications (Drift/Salesforce Integration)'],
    'high_value_targets': ['Salesforce CRM Data',
                           'AWS/Snowflake Credentials in Case Records',
                           'Source Code Repositories'],
    'reconnaissance_period': ['At Least 1 Year (Ongoing Campaigns)']},
  'investigation_status': 'Ongoing (FBI and Private Sector Investigations)',
  'lessons_learned': ['OAuth tokens and connected applications are high-value targets for attackers.',
                      'Social engineering and malicious OAuth apps can bypass traditional security controls.',
                      'Exposed secrets in repositories (e.g., GitHub) enable supply chain attacks.',
                      'Extortion groups increasingly target CRM data for its sensitivity and leverage in negotiations.',
                      'Multi-factor authentication (MFA) and least privilege principles are critical for mitigating such breaches.'],
  'motivation': ['Financial Gain (Extortion)',
                 'Data Theft for Resale',
                 'Reputation Damage',
                 'Further Intrusion (Credential Harvesting)'],
  'post_incident_analysis': {
    'corrective_actions': ['Salesforce: Enforced MFA and Least Privilege Guidelines for Customers',
                           'Drift/Salesloft: Revoked Compromised OAuth Tokens and Audited Integrations',
                           'Affected Companies: Initiated Credential Rotation and Access Reviews',
                           'FBI: Shared Indicators of Compromise (IOCs) for Detection'],
    'root_causes': ['Weak OAuth Token Management in Drift/Salesloft Integrations',
                    'Lack of MFA for High-Risk Accounts/Applications',
                    'Excessive Privileges Granted to Connected Apps',
                    'Exposed Secrets in Public/Private Repositories (GitHub)',
                    'Inadequate Monitoring for Anomalous OAuth App Activity']},
  'ransomware': {'data_exfiltration': ['Yes (Extortion-Based)'],
                 'ransom_demanded': ['Extortion Threats (No Specific Ransom Amount Disclosed)']},
  'recommendations': ['Enforce MFA for all user and service accounts, especially those with access to sensitive data.',
                      'Audit and monitor OAuth applications and connected apps for suspicious activity.',
                      'Implement the principle of least privilege to limit access to CRM data and APIs.',
                      'Regularly scan repositories (e.g., GitHub) for exposed secrets using tools like TruffleHog.',
                      'Monitor for unusual data access patterns, especially in Salesforce environments.',
                      'Educate employees on social engineering tactics, particularly phishing and malicious OAuth app requests.',
                      'Isolate high-value systems (e.g., CRM) from less secure environments to limit lateral movement.',
                      'Develop and test incident response plans for extortion and data breach scenarios.'],
  'references': [{'source': 'Google Mandiant Threat Intelligence Report on UNC6040/UNC6395'},
                 {'source': 'FBI Advisory on ShinyHunters/Scattered Spider Campaigns'},
                 {'source': 'Salesforce Customer Advisory on Mitigation Measures'},
                 {'source': 'ShinyHunters Telegram/Leak Site (Evidence of Breach)'},
                 {'source': 'Media Reports on Breach (e.g., BleepingComputer, KrebsOnSecurity)'}],
  'response': {
    'communication_strategy': ['Salesforce Customer Advisories',
                               'FBI Public Advisory on UNC6040/6395'],
    'law_enforcement_notified': ['FBI'],
    'remediation_measures': ['Salesforce Recommendations: Enforce Multi-Factor Authentication (MFA)',
                             'Apply Principle of Least Privilege',
                             'Closely Manage Connected Applications'],
    'third_party_assistance': ['Google Mandiant (Threat Intelligence)',
                               'FBI (Advisory & Investigation)']},
  'stakeholder_advisories': ['Salesforce Urgent Security Advisory',
                             'FBI Private Industry Notification (PIN)'],
  'threat_actor': ['ShinyHunters',
                   'Scattered Spider',
                   'Lapsus$',
                   'UNC6040 (Google Mandiant)',
                   'UNC6395 (Google Mandiant)',
                   'Scattered Lapsus$ Hunters'],
  'title': 'ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records',
  'type': ['Data Breach',
           'Extortion',
           'Unauthorized Access',
           'Credential Theft'],
  'vulnerability_exploited': ['Weak OAuth Token Management',
                              'Lack of Multi-Factor Authentication (MFA)',
                              'Excessive Privileges in Connected Applications',
                              'Exposed Secrets in GitHub Repository']}