1.5 billion Salesforce records stolen according to ShinyHunters

ShinyHunters claims to have stolen more than 1.5 billion Salesforce records. According to the group, 760 companies were affected via compromised OAuth tokens from Salesloft Drift.

This was reported by BleepingComputer. The attacks are said to have been going on for a year. The criminals targeted Salesforce customers through social engineering and malicious applications that gained access via OAuth. Once inside a Salesforce environment, they downloaded data. The attackers then used that information to pressure companies and demand ransom, with ShinyHunters threatening to publish the data if their demands were not met.

According to the hackers, the data consists of records from the Salesforce tables for accounts, contacts, cases, opportunities, and users. A significant portion comes from the Case tables, which contain information from customer support tickets. For technology companies, this can include sensitive data. Sources confirm that the numbers cited by the hackers are accurate.

A previous breach at Salesloft played an important role in this. In March, the company’s GitHub repository, containing the private source code, was accessed. Using the security tool TruffleHog, the attackers were able to track down OAuth tokens for Drift and Drift Email, which were later used to gain access to Salesforce environments.

Google’s Mandiant research department reports that the ShinyHunters attackers carefully searched the stolen material for login credentials, access tokens, and other secrets that could be used to penetrate additional systems. Among other things, they searched for AWS keys and tokens for Snowflake.
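The secret-hunting step described above (a scanner such as TruffleHog run over source code, then a search for AWS keys and other tokens) is something defenders can replicate on their own repositories before an attacker does. The following is an added example for this article, not code from BleepingComputer, Mandiant or the TruffleHog project: a minimal Python secret scanner run over a constructed sample configuration file. The AWS access-key-ID format (`AKIA` plus 16 characters) is public; the key values in the sample are AWS's documented example credentials; the generic token pattern, the Shannon-entropy threshold and the function names are assumptions made for illustration.

```python
import math
import os
import re

# Patterns for the secret kinds the article says were hunted for.
# entropy_gated=True means a match is only reported when the captured value
# looks random (filters out placeholders such as "xxxx..."). Threshold is assumed.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    "aws_secret_access_key": (
        re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
        False,
    ),
    # Generic OAuth / bearer / access-token assignments (assumed pattern).
    "generic_token": (
        re.compile(r"(?i)(?:bearer|oauth[_-]?token|access[_-]?token)\s*[=:]?\s*['\"]?([A-Za-z0-9._\-]{20,})"),
        True,
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "random-looking"


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return findings as dicts {kind, line, entropy, preview}, never the full secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, gated) in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                entropy = shannon_entropy(value)
                if gated and entropy < entropy_threshold:
                    continue  # low-entropy placeholder, not a real credential
                findings.append({
                    "kind": kind,
                    "line": lineno,
                    "entropy": round(entropy, 2),
                    "preview": value[:4] + "...",  # redacted: do not log secrets in full
                })
    return findings


def scan_directory(root: str) -> dict:
    """Walk a checked-out repository (skipping .git) and scan every text file."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample file (not taken from any real repository).
SAMPLE_CONFIG = (
    "# config.py (constructed sample, not from any real repository)\n"
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'DRIFT_OAUTH_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder, must not alert\n'
    'SNOWFLAKE_ACCESS_TOKEN = "aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW"\n'
    "TIMEOUT_SECONDS = 30\n"
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['kind']} (entropy {hit['entropy']}) {hit['preview']}")
```

Run against the sample, the scanner reports the AWS key ID on line 2, the AWS secret on line 3 and the Snowflake token on line 5, while the all-`x` Drift placeholder on line 4 is dropped by the entropy gate. Wiring `scan_directory` into a pre-commit hook or CI job catches the same material a scanner would find after a repository compromise; the `preview` field is deliberately redacted so the scan output does not itself become a secret leak.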

FBI issued a warning

Big names appear to have fallen victim to this campaign. Companies such as Google, Cloudflare, Palo Alto Networks, Proofpoint, and Elastic are mentioned. The scale of the operation led the FBI to issue a warning about the threat actors involved, which Google refers to as UNC6040 and UNC6395.

Although ShinyHunters suggested earlier this year via Telegram that it would cease its activities, reports from ReliaQuest show that the attackers sought new targets in the summer of 2025, including financial institutions. They will likely continue their campaigns.

Salesforce advises customers to keep their security controls in order. The company emphasizes the importance of multi-factor authentication, the principle of least privilege for access rights, and careful management of linked (connected) applications.