Full Report
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. [...]
Analysis Summary
# Incident Report: Massive Salesforce Data Theft via Salesloft/Drift OAuth Compromise
## Executive Summary
The extortion group ShinyHunters (part of the collective known as "Scattered Lapsus$ Hunters" or tracked as UNC6040/UNC6395) claimed to have stolen 1.5 billion records from 760 different companies via compromised Salesloft Drift OAuth tokens. The initial breach stemmed from threat actors gaining access to Salesloft's GitHub repository, where they harvested hardcoded OAuth tokens allowing them to breach associated Salesforce instances and exfiltrate vast amounts of customer, case, and user data. The stolen data was subsequently analyzed by attackers for secrets (like AWS keys and Snowflake tokens) to pivot into other environments, leading to widespread impact across numerous high-profile technology firms.
## Incident Details
- **Discovery Date:** The article references ongoing activity tracked over the past year, with the specific Salesloft GitHub breach occurring in March (of the reporting year). The claim describing the 1.5 billion record theft was reported on September 17, 2025.
- **Incident Date:** Attack activity spanned at least the year prior to September 2025, with the core data extraction occurring after the March Salesloft GitHub compromise.
- **Affected Organization:** Salesloft (as the source of compromised tokens); 760 unnamed client companies using Salesforce instances connected via Drift/Salesloft.
- **Sector:** Technology/Software (impacted customers span this and other sectors).
- **Geography:** Not specified, but impact is global across Salesforce users.
## Timeline of Events
### Initial Access
- **Date/Time:** March (Year of report).
- **Vector:** Breach of Salesloft's GitHub repository.
- **Details:** Threat actors scanned the source code using the TruffleHog tool, leading to the discovery of hardcoded OAuth tokens for the **Salesloft Drift** and **Drift Email** platforms.
### Lateral Movement
- **Date/Time:** Following token compromise.
- **Details:** Using the stolen Drift OAuth tokens, threat actors accessed the Salesforce instances of 760 client companies, querying sensitive object tables including Account, Contact, Case, Opportunity, and User. Security researchers (Google Mandiant) noted that the attackers pivoted further by analyzing the exfiltrated Case data for sensitive secrets, such as AWS access keys (AKIA), passwords, and Snowflake tokens, to move into secondary environments.
### Data Exfiltration/Impact
- **Date/Time:** Following lateral movement.
- **Details:** Approximately 1.5 billion records were exfiltrated across 760 companies, extracted specifically from Salesforce objects. Attackers used this data for extortion and to find further access credentials.
### Detection & Response
- **Date/Time:** Ongoing tracking and subsequent public claims.
- **Details:** The activity was tracked by Google Threat Intelligence (UNC6040/UNC6395) and later publicized by the threat actors claiming association with ShinyHunters. Response required affected organizations (like Google, Cloudflare, Zscaler, etc.) to investigate their connected applications and potentially revoke tokens/remediate access. Google also confirmed a fraudulent account was briefly created on its Law Enforcement Request System (LERS), though no data was accessed via that vector.
## Attack Methodology
- **Initial Access:** Compromise of third-party (Salesloft) source code repository (GitHub) leading to credential/token harvesting.
- **Persistence:** Implicitly maintained by leveraging valid OAuth tokens granting API access to Salesforce.
- **Privilege Escalation:** Not explicitly detailed beyond the initial access, but pivoting via harvested secrets (AWS keys, etc.) found *within* the exfiltrated data suggests post-exfiltration privilege escalation attempts targeting secondary infrastructure.
- **Defense Evasion:** Utilizing valid, authorized OAuth tokens provided by a trusted third-party integration (Drift/Salesloft).
- **Credential Access:** Harvesting hardcoded OAuth tokens from GitHub source code using TruffleHog.
- **Discovery:** Reconnaissance executed within the Salesforce environment after access was gained (querying standard objects).
- **Lateral Movement:** Pivoting from the exfiltrated Salesforce data to secondary systems using credentials/keys found within the data files.
- **Collection:** Data gathered from Salesforce objects: Account, Contact, Case (459M records), Opportunity, and User.
- **Exfiltration:** Data exfiltration via the established connection authenticated by the stolen OAuth tokens.
- **Impact:** Data extortion levied against the 760 victims; potential compromise of secondary environments through found secrets.
## Impact Assessment
- **Financial:** Not specified, but significant due to required remediation across 760 companies and potential ransom payouts.
- **Data Breach:** ~1.5 billion records from 760 companies. Data types include customer account records, contact information, support cases (some containing sensitive text), and user identifiers.
- **Operational:** Significant security incidents confirmed at major corporations including Google, Cloudflare, Zscaler, Tenable, and Elastic, requiring immediate investigation and access revocation.
- **Reputational:** Significant damage, especially to Salesloft and Drift as the supply chain vector, leading to FBI advisories against the affiliated threat actor groups.
## Indicators of Compromise
- *(Note: the source material did not list specific IOCs, so the entries below are behavioral patterns derived from its description.)*
- **Network indicators:** High-volume API activity originating from authenticated Salesloft/Drift service accounts accessing Salesforce data outside normal patterns.
- **File indicators:** Evidence of TruffleHog execution within the Salesloft environment searching for secrets.
- **Behavioral indicators:** Threat actors querying high volumes of sensitive Salesforce objects (Account, Contact, Case) rapidly, followed by searches on exfiltrated text data for pattern matches like `AKIA` (AWS keys).
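The two behavioral indicators above translate directly into detection logic a defender can run over their own telemetry. The following Python script is an added example, not code from the article, from Salesforce, or from any of the vendors named in the report. It assumes a simplified event record shape (timestamp, connected app, user, queried object, rows returned) modelled loosely on Salesforce API event logs, a constructed sample of such records, an assumed 5,000-row/5-minute baseline that a real org would tune, and the AWS `AKIA` prefix mentioned in the report plus a heuristic password-assignment pattern that is an assumption rather than an official format. It flags connected-app principals that bulk-read the sensitive objects named in the report, and scans support-case text for embedded secrets so they can be scrubbed before an attacker finds them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of API event records (not real log data); field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T02:14:05Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Contact", "rows": 2000},
    {"ts": "2025-09-10T02:14:09Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Account", "rows": 2000},
    {"ts": "2025-09-10T02:14:14Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Case", "rows": 2000},
    {"ts": "2025-09-10T02:14:20Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Case", "rows": 2000},
    {"ts": "2025-09-10T02:14:26Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Opportunity", "rows": 2000},
    {"ts": "2025-09-10T02:14:31Z", "app": "Drift", "user": "drift-integration@example.test", "object": "User", "rows": 500},
    {"ts": "2025-09-10T09:30:00Z", "app": "Drift", "user": "drift-integration@example.test", "object": "Lead", "rows": 12},
    {"ts": "2025-09-10T10:02:00Z", "app": "Sales Dashboard", "user": "analyst@example.test", "object": "Opportunity", "rows": 40},
]

# Objects the report names as targeted; the window and threshold are assumed baselines to tune per org.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}
WINDOW_SECONDS = 300
ROW_THRESHOLD = 5000


def flag_bulk_reads(events, window_seconds=WINDOW_SECONDS, threshold=ROW_THRESHOLD):
    """Return {(app, user): {...}} for principals that read >= threshold rows of
    sensitive objects within any sliding window of window_seconds."""
    by_principal = defaultdict(list)
    for e in events:
        if e["object"] not in SENSITIVE_OBJECTS:
            continue
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[(e["app"], e["user"])].append((ts, e["object"], e["rows"]))

    alerts = {}
    for principal, recs in by_principal.items():
        recs.sort()
        start, running = 0, 0
        for end, (ts, _obj, rows) in enumerate(recs):
            running += rows
            # Slide the window start forward until it fits within window_seconds.
            while (ts - recs[start][0]).total_seconds() > window_seconds:
                running -= recs[start][2]
                start += 1
            if running >= threshold:
                objs = {r[1] for r in recs[start:end + 1]}
                prev = alerts.get(principal)
                if prev is None or running > prev["rows"]:
                    alerts[principal] = {"rows": running, "objects": objs, "window_end": ts}
    return alerts


# Patterns for secrets that the report says attackers hunted in exfiltrated Case text.
SECRET_PATTERNS = {
    # AWS access key IDs start with AKIA followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Heuristic for credential assignments pasted into support cases (assumed pattern).
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Constructed case text; the AKIA value is AWS's published documentation example, not a live key.
SAMPLE_CASE_TEXT = (
    "Customer attached their deploy config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
    "and db password: hunter2 then asked why the job fails."
)


def find_embedded_secrets(text):
    """Return [(label, matched_text)] for every secret-looking string in text."""
    return [(label, m.group(0)) for label, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def redact(text):
    """Replace every secret-looking string with a placeholder before the record is stored or shared."""
    for pat in SECRET_PATTERNS.values():
        text = pat.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    for (app, user), info in flag_bulk_reads(SAMPLE_EVENTS).items():
        print(f"ALERT bulk read by {app} as {user}: {info['rows']} rows of {sorted(info['objects'])}")
    for label, hit in find_embedded_secrets(SAMPLE_CASE_TEXT):
        print(f"SECRET {label}: {hit}")
    print(redact(SAMPLE_CASE_TEXT))
```

In production the sliding-window check would run over the real event feed keyed by connected app, and the secret scan would be applied to Case bodies at write time so that support data never becomes a credential store; both thresholds and the heuristic password pattern need tuning against a baseline of legitimate integration traffic.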
## Response Actions
- **Containment Measures:** Affected organizations needed to review connected applications, specifically those integrating Drift/Salesloft, and immediately revoke or refresh all potentially compromised OAuth tokens/API keys.
- **Eradication Steps:** Google confirmed identifying and disabling a fraudulent account created on its LERS platform.
- **Recovery Actions:** Affected companies (Google, Cloudflare, etc.) confirmed taking action to investigate the scope and remediate access potentially leveraged using secrets found in the stolen data.
## Lessons Learned
- **Source Code Security is Critical:** Hardcoded secrets (like OAuth tokens) in source code repositories (even third-party ones like GitHub) provide a direct, high-privilege attack vector.
- **Supply Chain Risk is High:** Compromise of a single vendor (Salesloft) resulted in a massive, multi-customer breach spanning months.
- **Data Exfiltration Follow-up:** Threat actors search exfiltrated data for secondary access tokens, meaning the initial data theft is often a precursor to deeper network compromise.
## Recommendations
- **Mandatory MFA:** Salesforce strongly recommends customers enable Multi-Factor Authentication (MFA).
- **Principle of Least Privilege (PoLP):** Ensure service accounts (like those used by integrations) only have the minimum necessary permissions for operation.
- **Secrets Management:** Strictly enforce policies against hardcoding credentials, tokens, or keys within source code files; utilize dedicated secrets management vaults.
- **Connected Application Auditing:** Regularly review and audit all connected third-party applications authorized via OAuth to access core CRMs like Salesforce.