
ShinyHunters Claim Massive Salesforce Breach Affecting 760 Companies


A notorious cyber extortion group known as ShinyHunters has claimed it stole over 1.5 billion Salesforce records from 760 companies by exploiting compromised OAuth tokens tied to the Salesloft Drift and Drift Email platforms. The group says it spent the past year quietly siphoning sensitive data from Salesforce instances and is now extorting companies to stop public leaks.

Social Engineering Fueled the Breaches

Security investigators say the threat actors used a mix of social engineering and malicious OAuth applications to gain access to targeted Salesforce environments. OAuth is a widely used system that allows third-party services to access user data without sharing login credentials. Once the attackers tricked users into authorizing their malicious apps, they gained access to valuable corporate data.

Google’s Threat Intelligence Group, also known as Mandiant, tracks these campaigns as UNC6040 and UNC6395, and confirmed that they involved stealing Salesforce data at scale. The attackers call themselves “Scattered Lapsus$ Hunters,” claiming links to the ShinyHunters, Scattered Spider, and Lapsus$ groups. All three groups are known for high-profile data thefts and extortion campaigns.

These breaches targeted Salesforce tables like Account, Contact, Case, Opportunity, and User, which store customer profiles, sales leads, support tickets, and employee records.


Stolen Tokens Unlocked Access to Corporate CRMs

In March, one of the attackers allegedly broke into Salesloft’s private GitHub repository and used a tool called TruffleHog to scan its source code for hidden secrets. This search uncovered OAuth tokens tied to Salesloft Drift and Drift Email, two services designed to integrate Salesforce with chat and email platforms.

Armed with these tokens, the attackers could connect to Salesforce instances without triggering normal login security checks. According to data shared by the hackers, they pulled:

  • 250 million records from Account tables

  • 579 million records from Contact tables

  • 171 million records from Opportunity tables

  • 60 million records from User tables

  • 459 million records from Case tables

The Case tables often contained text from customer support tickets, which for tech firms can include confidential system logs, credentials, and architecture details.

Data Exploited to Launch Further Attacks

Google confirmed that its analysts found the stolen Case data had been scanned for hidden credentials, access keys, and authentication tokens that could allow attackers to move deeper into company systems. This included searching for:

  • Amazon Web Services (AWS) keys labeled with “AKIA”

  • Passwords embedded in support notes

  • Snowflake database access tokens

By doing so, the attackers could potentially pivot into cloud storage, databases, and internal networks, making the impact far broader than just customer data loss.
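The exposure described above comes from secrets that were pasted into support tickets and then sat in Case records. One defensive control is a data-loss-prevention check that redacts such material before a ticket is stored, and that reports how many secrets a given batch of Case records would have leaked. The block below is an added illustration, not code from the article or from Salesforce or Google; the AWS access key ID prefix "AKIA" is real, while the password-assignment and bearer-token patterns, the ticket text and the function names are constructed assumptions for the example.

```python
import re

# Patterns for the secret shapes the article mentions. The "AKIA" prefix is
# the real AWS access key ID prefix; the other two are simplified assumed
# patterns for illustration, not vendor specifications.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(?P<secret>\S+)"),
    "bearer_token": re.compile(r"\bBearer\s+(?P<secret>[A-Za-z0-9._-]{20,})"),
}

# Constructed sample ticket bodies (not real data).
SAMPLE_CASES = [
    "Prod cron fails. Using AKIAABCDEFGHIJKLMNOP in env. "
    "db password: Hunter2! Bearer abcdefghijklmnopqrstuvwxyz0123",
    "Customer cannot log in after the 3.2 upgrade; no error in the UI.",
]


def redact_ticket(text):
    """Return (redacted_text, findings).

    findings is a list of (kind, masked_value) so an analyst can see what was
    caught without the report itself containing the secret.
    """
    findings = []
    redacted = text
    for kind, pattern in SECRET_PATTERNS.items():
        def repl(m, kind=kind):
            secret = m.group("secret")
            findings.append((kind, secret[:4] + "*" * (len(secret) - 4)))
            # Replace only the secret, keeping the surrounding context readable.
            return m.group(0).replace(secret, "[REDACTED:%s]" % kind)
        redacted = pattern.sub(repl, redacted)
    return redacted, findings


def scan_cases(cases):
    """Count secrets by kind across a batch of Case bodies (exposure report)."""
    counts = {}
    for body in cases:
        _, findings = redact_ticket(body)
        for kind, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for body in SAMPLE_CASES:
        clean, found = redact_ticket(body)
        print(clean)
        print("  findings:", found)
    print("batch exposure:", scan_cases(SAMPLE_CASES))
```

Running the check on the ticket before it is written to the CRM means a later bulk export of Case data carries a redaction marker instead of a working key; running `scan_cases` over existing records gives an estimate of what an export would have exposed and which credentials need rotating.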

High-Profile Firms Among the Victims

The scale of the campaign was staggering. The stolen Drift tokens were reportedly used to hit major global companies including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks.

A source familiar with the investigation confirmed that the record counts claimed by ShinyHunters are accurate, although many companies have not yet publicly acknowledged the breaches. The attackers are now using the stolen data to pressure companies into paying ransoms to avoid public leaks.

Because of the wide-ranging impact, the FBI issued an advisory warning about these attacks, sharing indicators of compromise (IOCs) and urging organizations to review connected app permissions and token usage.

Group Claims Retirement but Attacks Continue

Last week, the threat actors announced on Telegram that they planned to “go dark” and stop discussing operations. In a parting message, they claimed to have breached Google’s Law Enforcement Request System (LERS) and the FBI’s eCheck platform. Google confirmed that a fraudulent account was created in its LERS platform but said the account did not access any data.

Despite the supposed retirement, cybersecurity firm ReliaQuest reported that the same actors resurfaced in July 2025 to target financial institutions, suggesting they are far from finished.

How Companies Can Defend Against Future Breaches

Salesforce has urged its customers to reinforce their defenses against these kinds of attacks. The company recommends:

  • Enabling multi-factor authentication (MFA) to protect logins

  • Applying the principle of least privilege to limit user access

  • Monitoring and managing connected applications to catch suspicious OAuth tokens early

Security teams are also advised to audit third-party integrations regularly, rotate API keys and tokens, and educate employees about phishing and consent-based attacks.
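The recommendations above (monitor connected apps, rotate tokens, catch suspicious OAuth usage early) can be turned into a scheduled audit. The block below is an added example, not Salesforce's or the article's own code: it reviews a list of connected-app token records against an approved-app list, flags long-lived full-scope tokens, tokens past a rotation window, and unused tokens to revoke, and separately sums rows pulled per app from API-usage log lines to surface bulk exports. The token fields, the log line format, the app names and all dates are constructed assumptions for illustration, not a verified Salesforce schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed connected-app token records (assumed field names, not a real
# schema). "scopes" is the space-separated OAuth scope list the app was granted.
TOKENS = [
    {"app": "Drift", "user": "integration@example.com",
     "scopes": "api refresh_token full",
     "last_used": "2025-08-28T09:12:00Z", "created": "2024-06-01T00:00:00Z"},
    {"app": "Slack", "user": "alice@example.com",
     "scopes": "api refresh_token",
     "last_used": "2025-08-27T14:00:00Z", "created": "2025-07-15T00:00:00Z"},
    {"app": "QuickReport Helper", "user": "bob@example.com",
     "scopes": "api refresh_token",
     "last_used": "2025-03-01T08:00:00Z", "created": "2025-02-20T00:00:00Z"},
]
APPROVED_APPS = {"Drift", "Slack"}

# Constructed API-usage log lines in an assumed "key=value" format.
API_LOG = """\
2025-08-28T09:12:00Z app=Drift user=integration@example.com object=Account rows=120000
2025-08-28T09:15:00Z app=Drift user=integration@example.com object=Contact rows=350000
2025-08-27T14:00:00Z app=Slack user=alice@example.com object=Case rows=40
"""
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>.+?) user=(?P<user>\S+) "
    r"object=(?P<obj>\w+) rows=(?P<rows>\d+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, approved, now, max_age_days=180, stale_days=90):
    """Return [((app, user), reason), ...] for tokens needing review or revocation."""
    findings = []
    for t in tokens:
        key = (t["app"], t["user"])
        scopes = set(t["scopes"].split())
        if t["app"] not in approved:
            findings.append((key, "connected app not on approved list"))
        if "full" in scopes and "refresh_token" in scopes:
            findings.append((key, "long-lived token with full scope"))
        if now - _ts(t["created"]) > timedelta(days=max_age_days):
            findings.append((key, "token older than rotation window"))
        if now - _ts(t["last_used"]) > timedelta(days=stale_days):
            findings.append((key, "token unused for %d+ days; revoke" % stale_days))
    return findings


def flag_bulk_exports(log_text, row_threshold=100000):
    """Sum rows pulled per (app, user) and return those above the threshold."""
    totals = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        key = (m["app"], m["user"])
        totals[key] = totals.get(key, 0) + int(m["rows"])
    return {k: v for k, v in totals.items() if v > row_threshold}


if __name__ == "__main__":
    for key, reason in audit_tokens(TOKENS, APPROVED_APPS, NOW):
        print("%-40s %s" % (key, reason))
    print("bulk exports:", flag_bulk_exports(API_LOG))
```

The thresholds are policy choices; the useful property is that an approved integration with a full-scope, year-old token and a sudden half-million-row pull shows up in the same report as an unknown app nobody has used since spring, which is the kind of review the article says the FBI and Salesforce are urging.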

Experts warn that stolen OAuth tokens can silently bypass normal security checks, making them one of the most dangerous tools in modern data breaches.

The scale and stealth of the ShinyHunters campaign highlight how quickly stolen developer credentials can be weaponized into industrial-scale data theft. With sensitive Salesforce data from hundreds of companies now potentially in criminal hands, the fallout from these attacks could last for years.

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
