ShinyHunters Claims 1.5 Billion Salesforce Records

ShinyHunters claims 1.5 billion Salesforce records stolen from 760 companies after attackers harvested Salesloft Drift OAuth tokens, exposing CRM, case data, and secrets.

    ShinyHunters, operating within a coalition of extortion groups that also includes Scattered Spider and Lapsus$, claims it has exfiltrated roughly 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. The campaign, tracked by Google Threat Intelligence as UNC6040 and UNC6395, relied on stolen OAuth credentials to access Salesforce objects, harvest data, and search for secrets that enable further intrusion.

    Attack Timeline and Methodology

    Researchers and reporting indicate the breach chain began with a March compromise of Salesloft’s GitHub repository. Actors used automated secret-scanning tools (reported as TruffleHog) to locate OAuth tokens for Drift and Drift Email integrations inside the source tree. Salesloft’s Drift connectors link a company’s Salesforce instance to the Drift chat and email agents, allowing case, lead, and conversation data to be synchronized into CRM.

    With valid Drift OAuth tokens in hand, the attackers programmatically accessed Salesforce instances and performed mass exfiltration. The malicious activity targeted standard Salesforce object tables used by enterprises: Account, Contact, Case, Opportunity, and User. The tokens allowed large-scale reads without requiring direct compromise of customer admin accounts.

    Scope and Record Breakdown

    ShinyHunters published a breakdown of the claimed haul. The totals provided by the actors (and reflected in investigative reporting) are:

    • Account records: ~250 million
    • Contact records: ~579 million
    • Opportunity records: ~171 million
    • User records: ~60 million
    • Case records: ~459 million

    The Case table is especially sensitive because it often contains free-text support tickets, customer debug logs, and pasted credentials or configuration details. For technology and service providers, case data can include API keys, authentication tokens, and other secrets that enable lateral movement.

    Data Mining for Secrets and Pivoting

    After exfiltrating bulk records, investigators say the actors searched the stolen Case and support data for embedded secrets. Google Threat Intelligence (Mandiant) reported that UNC6395 operators systematically hunted for high-value credentials — including AWS access keys (AKIA), passwords, and Snowflake access tokens — which could be used to pivot into other cloud environments or escalate access inside victim networks.

    This post-exfiltration search for credentials is a key escalation technique: once cloud keys or admin tokens are found, attackers can expand their reach far beyond the Salesforce instance initially abused.
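Defenders responding to this kind of breach need to know which secrets were sitting in their own Case data so they can rotate them. The following is an added example, not code from the article or from any vendor named in it: it scans constructed sample Case records for the credential shapes the article mentions (AWS access key IDs starting with AKIA, bearer tokens, pasted passwords) and returns redacted findings per case. The Salesforce Case Ids and ticket text are constructed, and the pattern set is an assumption to extend for your environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Salesforce Case records (not real data): the Id plus
# the free-text Description field that support tickets typically carry.
SAMPLE_CASES: List[Dict[str, Optional[str]]] = [
    {"Id": "500XX0000001", "Description": "Login works fine after reset, closing."},
    {"Id": "500XX0000002",
     "Description": "Uploader fails. Config: aws_access_key_id=AKIAEXAMPLE012345678 region=us-east-1"},
    {"Id": "500XX0000003",
     "Description": "Repro: curl -H 'Authorization: Bearer eyJhbGciOi.constructed.token' https://api.example/v1"},
    {"Id": "500XX0000004", "Description": "Staging DB creds attached: password=Hunter2-constructed"},
]

# Credential shapes to look for (assumed starting set). Group 1 is the secret
# value itself so it can be redacted in the report.
SECRET_PATTERNS = {
    # AWS access key IDs are 20 characters: the AKIA prefix plus 16 uppercase/digits.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # HTTP bearer tokens pasted from curl commands or debug logs.
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9._\-]{20,})"),
    # password=... / password: ... assignments in config snippets.
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}


def redact(secret: str) -> str:
    """Keep a 4-character prefix so the owner can identify the key, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_cases(cases: List[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Return one finding per secret-looking value found in a Case Description."""
    findings: List[Dict[str, str]] = []
    for case in cases:
        text = case.get("Description") or ""   # Description may be null in exports
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "case_id": case["Id"],
                    "kind": kind,
                    "preview": redact(match.group(1)),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(f"{finding['case_id']}: {finding['kind']} -> {finding['preview']}")
```

Each finding maps back to a Case Id, which is what the rotation tracker needs; the masked preview is enough to identify the key without re-copying the secret into another ticket.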

    Notable Victims and Industry Impact

    Companies named in reporting as impacted by the Drift token theft campaign include large cloud and security vendors such as Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks, among many others. Because the campaign targeted CRM data, the files exposed represented both customer contact data and operational support artifacts.

    The sheer scale — billions of rows across hundreds of firms — prompted an FBI FLASH advisory that published indicators of compromise (IOCs) and urged defenders to hunt for related activity. The FBI and industry responders emphasized OAuth risk, credential hygiene, and detection of anomalous API activity.

    Evidence and Claims From Threat Actors

    As partial proof, the actors shared a text file listing folders from the breached Salesloft GitHub repository. While public proof is limited to samples and claims, multiple independent sources have confirmed tokens and exfiltration activity consistent with the published numbers. The group calling itself “Scattered Lapsus$ Hunters” said it would “go dark” in a final post; that message also included claims of access to law enforcement systems such as Google’s Law Enforcement Request System (LERS) and the FBI eCheck platform. Google confirmed a fraudulent LERS account was created and promptly disabled it, saying no data was accessed via that account.

    Researchers further reported activity continued into mid-2025, with the actors widening targets to include financial institutions. ReliaQuest noted the group’s shift in July 2025 and warned defenders to expect continued attempts at token-based and OAuth-enabled exfiltration.

    Law Enforcement and Industry Response

    The FBI’s advisory released IOCs for defenders, and Google’s threat teams published analysis of UNC6395 techniques. Salesforce has reiterated its standard guidance for connected apps and OAuth usage: require multi-factor authentication (MFA) for administrators, enforce least privilege for connected applications, rotate and restrict tokens, and maintain strict controls over third-party integrations. Enterprise security teams and cloud owners are advised to monitor OAuth grants, audit third-party connectors, and check for unusual bulk exports or API reads from support-case-related endpoints.
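The guidance above (audit third-party connectors, check for unusual bulk reads) translates into a simple aggregation over API activity. The following is an added example, not code from the article, Salesforce, or the FBI advisory: it totals rows read per connected app and object over a log window, then flags reads of objects outside the app's expected set and reads above a bulk threshold. The rows, the field names (loosely modelled on Salesforce EventLogFile API events), the "Drift Connector" client name, its allowlist of objects, and the threshold are all assumptions to replace with your org's real schema and baseline.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed API activity rows (not real Salesforce logs). Field names are an
# assumption loosely following EventLogFile API events: client name, the
# object (entity) queried, and rows returned by that request.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"client_name": "Drift Connector", "entity": "Lead", "rows": 1200},
    {"client_name": "Drift Connector", "entity": "Case", "rows": 80000},
    {"client_name": "Drift Connector", "entity": "Case", "rows": 95000},
    {"client_name": "Drift Connector", "entity": "User", "rows": 60000},
    {"client_name": "Drift Connector", "entity": "Account", "rows": 250000},
    {"client_name": "Internal Reporting", "entity": "Opportunity", "rows": 20000},
]

# Objects each integration is expected to touch (assumed; derive it from your
# own connected-app review). A chat/email sync has no reason to read User.
EXPECTED_OBJECTS: Dict[str, Set[str]] = {
    "Drift Connector": {"Lead", "Contact", "Case"},
}

# Rows per client per object, summed over the window, above which a read is
# treated as a bulk export. Tune to the integration's normal sync volume.
BULK_ROW_THRESHOLD = 100_000

Finding = Tuple[str, str, str, int]   # (reason, client, entity, total_rows)


def analyze(events: List[Dict[str, object]],
            expected: Dict[str, Set[str]] = EXPECTED_OBJECTS,
            threshold: int = BULK_ROW_THRESHOLD) -> List[Finding]:
    """Aggregate rows per (client, object) and return anomalous combinations."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for event in events:
        totals[(str(event["client_name"]), str(event["entity"]))] += int(event["rows"])

    findings: List[Finding] = []
    for (client, entity), rows in sorted(totals.items()):
        allowed = expected.get(client)
        if allowed is not None and entity not in allowed:
            findings.append(("unexpected_object", client, entity, rows))
        if rows >= threshold:
            findings.append(("bulk_read", client, entity, rows))
    return findings


if __name__ == "__main__":
    for reason, client, entity, rows in analyze(SAMPLE_EVENTS):
        print(f"{reason}: {client} read {rows} rows from {entity}")
```

A connector that suddenly reads Account and User, or whose Case reads jump far above its normal sync volume, is the signal to pull the connected app's OAuth grant and start token rotation.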

    Multiple affected vendors have been forced into emergency incident response cycles to scan logs for token misuse, rotate credentials, and identify any downstream compromise resulting from exposed secrets.

    What Enterprises Should Watch For

    The incident underscores several persistent enterprise risks: exposed tokens in code repositories, the power of OAuth-capable third-party connectors, and the value of support-case data as a source of secrets. The campaign demonstrates a consistent pattern:

    • Token discovery in public or internal code repositories can yield high-impact access.
    • OAuth-based integrations that sync CRM and support data are attractive targets because they provide broad read access to customer records.
    • Post-exfiltration credential harvesting turns CRM compromise into a gateway for cloud and infrastructure intrusion.

    Salesforce and security vendors continue to publish mitigation guidance and IOCs. Defenders should treat OAuth tokens and connected app grants as first-class credentials and ensure token rotation and revocation processes are in place.
