
The hacking group ShinyHunters has claimed responsibility for a massive data breach involving 1.5 billion Salesforce records across 760 companies, exploiting integrations between Salesloft Drift and Salesforce.
The group, now part of the Scattered Lapsus$ Hunters collective alongside Spider and Lapsus$, is known for data theft, extortion, and occasional ransomware attacks. According to the FBI, attackers stole OAuth tokens used to connect Drift’s AI chatbot with Salesforce. Google’s threat intelligence team said the campaign ran from August 8 to 18, affecting nearly 700 Salesloft customers.
ShinyHunters told BleepingComputer that they initially compromised Salesloft’s private GitHub repository, scanning its source code with TruffleHog, a legitimate open-source tool designed to find leaked credentials. From this, they uncovered OAuth tokens that granted access to customer Salesforce instances.
The attackers exfiltrated vast amounts of data, including 250 million Account records, 579 million Contact records, 171 million Opportunity records, 60 million User records, and 459 million Case records. They also sought secrets such as AWS keys, passwords, and Snowflake tokens, aiming to compromise victim environments further.
Beyond Salesforce, the stolen tokens reportedly enabled access to integrations with Google Workspace and more than 50 other platforms, including Marketo, Zoom, and Facebook Analytics. On August 20, Salesloft and Salesforce revoked and refreshed all active OAuth tokens for Drift, cutting off attacker access.
Victims named so far include Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, CyberArk, Tenable, and BeyondTrust. While ShinyHunters recently hinted at “retirement,” experts warn the group remains active.