ShinyHunters Claims Massive 1.5 Billion Salesforce Record Theft via Compromised Drift Tokens
In one of the largest coordinated data theft operations targeting enterprise cloud ecosystems, the ShinyHunters extortion group claims to have exfiltrated 1.5 billion records from Salesforce instances belonging to 760 organizations. The attack exploited compromised OAuth tokens for Salesloft's Drift platform—a popular AI-powered chat and email integration for Salesforce CRM systems.
Anatomy of a Supply Chain Attack
The breach originated in March 2025 when threat actors identifying as "Scattered Lapsus$ Hunters" (tracked by Google as UNC6040/UNC6395) infiltrated Salesloft's GitHub repository. According to ShinyHunters' communications with BleepingComputer, they ran the TruffleHog secret-scanning tool over the repository contents to extract valid OAuth tokens for Drift and Drift Email services. These tokens provided direct API access to connected Salesforce instances: an OAuth access token is presented in place of a login, so it is not subject to the victim organization's password or MFA controls and carries whatever scopes were granted to the integration.
Separately, responding to the group's claim to have breached its Law Enforcement Request System (LERS), Google said: "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed."
Data Harvesting at Industrial Scale
The stolen dataset includes:
- 579 million Contact records
- 459 million Case records (containing sensitive support ticket details)
- 250 million Account records
- 171 million Opportunity records
- 60 million User records
Security researchers at Google Threat Intelligence confirmed that attackers systematically mined Case records for embedded credentials, including AWS access keys and Snowflake tokens, to pivot from the CRM into victims' other cloud environments. This is a critical escalation: support-ticket text that customers and staff pasted in good faith becomes the raw material for follow-on intrusions.
Enterprise Impact and Response
The victim list reads like a who's-who of cybersecurity and cloud infrastructure providers—including Zscaler, Tenable, CyberArk, Elastic, Proofpoint, JFrog, and Palo Alto Networks. The FBI recently issued a formal advisory detailing indicators of compromise (IoCs) for UNC6040/UNC6395 operations.
Despite the threat actors announcing plans to "go dark" on their Telegram channels, ReliaQuest researchers warn that the group has shifted its focus to financial institutions since July 2025. Salesforce recommends immediate countermeasures:
1. Enforce MFA universally
2. Implement strict least-privilege access controls
3. Audit all OAuth-connected applications
Note the order of effectiveness against this particular campaign: MFA is enforced at login, so it would not have blocked the use of an already-issued Drift token. Revoking the affected tokens, reducing the scopes granted to each connected app, and reviewing which integrations hold access to Case and Account data are the controls that directly address token theft.
The Third-Party Integration Dilemma
This breach underscores systemic risks in SaaS ecosystems where:
- Compromised development repositories (like Salesloft's GitHub) create supply chain vulnerabilities
- Overprivileged service accounts enable mass data extraction
- Support ticket data becomes an unexpected credential goldmine
As OAuth integrations proliferate, organizations must treat third-party connectors as Tier-0 assets, applying the same security rigor as to core identity systems. The 1.5 billion record heist demonstrates how the compromise of a single integration's tokens can fracture trust across hundreds of enterprises simultaneously.
Source: BleepingComputer