Full Report
Lawrence Abrams reports: The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data...
Analysis Summary
# Incident Report: Massive Salesforce Data Exfiltration via Compromised OAuth Tokens
## Executive Summary
The threat actor group ShinyHunters (also associated with Scattered Spider and Lapsus$) claimed the theft of over 1.5 billion Salesforce records belonging to 760 companies. The attack leveraged compromised Salesloft Drift OAuth tokens, likely obtained after a March breach of Salesloft's GitHub repository, leading to significant data exfiltration from multiple Salesforce instances. The motive appears to be extortion, with the group threatening to leak the stolen data.
## Incident Details
- **Discovery Date:** Claims surfaced around September 17, 2025 (based on reporting date).
- **Incident Date:** Attacks ongoing over the past year; the token-based access is tied to the March Salesloft breach.
- **Affected Organization:** 760 unnamed Salesforce customers, traced back to compromised sales enablement platforms (Salesloft/Drift).
- **Sector:** Undisclosed (Multiple sectors utilizing Salesforce).
- **Geography:** Undisclosed (Global impact implied by the number of organizations targeted).
## Timeline of Events
### Initial Access
- **Date/Time:** Started sometime before March 2025 (when the Salesloft breach occurred) and continued over the past year.
- **Vector:** Compromise of Salesloft's private source code repository on GitHub.
- **Details:** The threat actors scanned the stolen source code using the **TruffleHog** security tool to discover secrets.
### Lateral Movement
- **Details:** Access was gained to Salesforce instances by utilizing the discovered and compromised **Salesloft Drift and Drift Email OAuth tokens**. This provided authorized, but illegitimate, access to customer data within Salesforce.
### Data Exfiltration/Impact
- **Details:** Over **1.5 billion Salesforce records** belonging to 760 companies were exfiltrated. The primary impact is data theft for the purpose of extortion.
### Detection & Response
- **How it was discovered:** The breach was made public through ShinyHunters claiming the data theft and threat of leakage, as reported by Lawrence Abrams. Specific organizational detection methods are not detailed.
- **Response actions taken:** Not detailed in the context provided; the focus is on the actor's claims and methodology.
## Attack Methodology
- **Initial Access:** Exploitation of secrets (OAuth tokens) discovered within a third-party vendor's (Salesloft) GitHub source code repository.
- **Persistence:** (Implied) Maintenance of access via the stolen, valid OAuth tokens granting broad API access to Salesforce environments.
- **Privilege Escalation:** Not explicitly detailed, but the OAuth tokens likely provided permissions equivalent to a connected integration or high-privilege user for data access.
- **Defense Evasion:** Utilizing legitimate-looking OAuth tokens as a primary access method makes detection challenging, as it bypasses traditional perimeter defenses.
- **Credential Access:** Theft of API/OAuth tokens embedded as secrets in source code.
- **Discovery:** Threat actors used **TruffleHog** on the stolen code to identify secrets. Threat actors have been generally targeting Salesforce customers using social engineering as well.
- **Lateral Movement:** Movement *into* the victim Salesforce instances via the trusted Salesloft/Drift integrations.
- **Collection:** Downloading large volumes of Salesforce data (1.5 billion records).
- **Exfiltration:** Not detailed, but involved transferring stolen data off-premises for extortion purposes.
- **Impact:** Extortion attempts against the 760 affected companies.
## Impact Assessment
- **Financial:** Potential costs associated with remediation, regulatory fines, and ransom payments (if made).
- **Data Breach:** Over 1.5 billion Salesforce records (potentially including PII, customer interaction data, and business intelligence) from 760 organizations.
- **Operational:** Potential disruption due to the need to audit and revoke compromised access tokens and relationships with third-party integrations.
- **Reputational:** Significant breach of trust related to the security handling by Salesloft/Drift and the affected organizations.
## Indicators of Compromise
- **Network indicators:** None explicitly provided; relevant indicators would be the external IPs associated with token abuse or bulk data transfer.
- **File indicators:** None explicitly provided; TruffleHog scanning artifacts would only be relevant if the scanning occurred on internal systems (the report indicates it was run on the stolen code).
- **Behavioral indicators:** Unusual high-volume data extraction from Salesforce APIs utilizing Salesloft/Drift OAuth tokens.
## Response Actions
- **Containment measures:** (Not detailed, but would require immediate revocation/rotation of all affected Salesloft/Drift OAuth tokens across all 760 affected Salesforce environments).
- **Eradication steps:** (Not detailed, likely involving security audits of integrated third-party applications).
- **Recovery actions:** (Not detailed, likely involving customer notification and internal investigation).
## Lessons Learned
- **Key takeaways:** Secrets management is critical, especially when dealing with integration partners. Compromise of a third-party vendor’s source code repository can directly lead to unauthorized access across numerous downstream customers.
- **What could have been done better:** Proactive secret scanning (TruffleHog or similar native tooling) should be run continuously by source code owners to find and immediately revoke leaked credentials.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement mandatory, frequent credential rotation for all connected application OAuth tokens/API keys, especially those stored in source code repositories.
2. Integrate source code scanning (SAST/secret scanning) directly into CI/CD pipelines to prevent secrets from ever being committed.
3. Review and strictly apply the principle of least privilege to all third-party application integrations (OAuth scopes) with core business systems like Salesforce.
4. Enhance monitoring on integrations with high data access permissions (like Salesloft/Drift) to detect anomalous data extraction rates.
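The behavioral indicator above (high-volume extraction through a connected app's OAuth token) and recommendation 4 both come down to baselining API volume per integration. As an added example, not code from the report, Salesforce or Salesloft, the Python below flags hour buckets in which a connected app pulls far more records than its own median hourly volume; the log schema, app names and thresholds are constructed assumptions, not the real Salesforce event log format.

```python
"""Flag anomalous Salesforce data extraction per connected app (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample rows, not real telemetry. Assumed simplified schema:
# (ISO timestamp, connected app name, API operation, records returned).
SAMPLE_EVENTS = [
    ("2025-03-10T09:00:00", "Salesloft Drift", "query", 200),
    ("2025-03-10T09:20:00", "Salesloft Drift", "query", 250),
    ("2025-03-10T10:05:00", "Salesloft Drift", "query", 180),
    ("2025-03-10T14:30:00", "Salesloft Drift", "query", 300),
    ("2025-03-11T02:00:00", "Salesloft Drift", "queryMore", 50000),
    ("2025-03-11T02:15:00", "Salesloft Drift", "queryMore", 48000),
    ("2025-03-11T02:40:00", "Salesloft Drift", "queryMore", 51000),
    ("2025-03-11T02:10:00", "Marketing Sync", "query", 400),
]

def hourly_rows_by_app(events):
    """Sum records returned per (connected app, hour bucket)."""
    totals = defaultdict(int)
    for ts, app, _op, rows in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        totals[(app, hour)] += rows
    return totals

def flag_anomalous_extraction(events, factor=10, floor=10_000):
    """Return (app, hour, rows, median) for buckets where an app pulled more than
    `factor` x its own median hourly volume AND more than `floor` records.
    The absolute floor stops a quiet integration from alerting on a small spike;
    both factor and floor are tuning assumptions for this example."""
    totals = hourly_rows_by_app(events)
    per_app = defaultdict(list)
    for (app, hour), rows in totals.items():
        per_app[app].append((hour, rows))
    alerts = []
    for app, buckets in per_app.items():
        base = median(rows for _h, rows in buckets)
        for hour, rows in sorted(buckets):
            if rows > max(factor * base, floor):
                alerts.append((app, hour.isoformat(), rows, base))
    return alerts

if __name__ == "__main__":
    for app, hour, rows, base in flag_anomalous_extraction(SAMPLE_EVENTS):
        print(f"ALERT {app}: {rows} records at {hour} (median/hour {base})")
```

In production the baseline would come from weeks of history rather than the same window being scored, and the alert should carry the token/connected-app identifier so revocation can be targeted.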