
The ShinyHunters extortion group has claimed that more than 1.5 billion Salesforce records have been stolen from 760 companies that used Salesloft Drift OAuth tokens.
Over the past year, threat actors have been targeting Salesforce customers in data theft attacks, using social engineering and malicious OAuth applications to breach instances and download data. The stolen data is then used to extort the companies, who are told to pay a ransom to prevent the data from being leaked publicly.
The threat actors who claimed these attacks say they are members of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves "Scattered Lapsus$ Hunters". Google tracks this activity as UNC6040 and UNC6395.
In March, one of the threat actors breached Salesloft's GitHub repository, which contained the company's private source code.
ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, resulting in the discovery of OAuth tokens for the Salesloft Drift and Drift Email platforms.
Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM. Drift Email is used to manage email replies and keep the CRM and marketing automation databases organized.
Using these stolen Drift OAuth tokens, ShinyHunters told BleepingComputer that the threat actors stole nearly 1.5 billion data records from 760 companies, taken from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.
Of these records, about 250 million came from the Account table, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million from the Case Salesforce table.
The Case table is used to store the information and text of support tickets submitted by these companies' customers, which, for technology companies, can include sensitive data.
As proof that they were behind the attack, the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repository.
BleepingComputer contacted Salesloft with questions about these record counts and the total number of affected companies, but did not receive a response to our email. However, a source confirmed that the numbers are accurate.
Google Threat Intelligence (Mandiant) reported that the stolen Case data was analyzed for hidden secrets, such as credentials, authentication tokens, and access keys, enabling the attackers to pivot into other environments for further attacks.
"After exfiltrating the data, the actor searched through it for secrets that could potentially be used to compromise victim environments," Google explained.
"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."
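As an added example (editor's code, not from Salesforce, Google, or the article), the following defender-side scan runs over constructed Case records and flags and redacts the kinds of secrets the article says were hunted in the exfiltrated data, so they can be purged from the CRM before any breach. The regexes for password and bearer-token patterns are assumptions; the AWS key-ID format is the documented `AKIA`/`ASIA` prefix plus 16 characters.

```python
import re

# Secret types the article says attackers searched stolen Case data for.
# Password and bearer-token patterns are the editor's assumptions, not
# Salesforce's or Google's detection rules.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{20,}"),
}

# Fields of a Case row that typically carry free-text from customers.
TEXT_FIELDS = ("Subject", "Description")


def scan_case(case_record):
    """Return (field, secret_type, matched_text) tuples for one Case record."""
    findings = []
    for field in TEXT_FIELDS:
        text = case_record.get(field) or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append((field, kind, m.group(0)))
    return findings


def redact_case(case_record):
    """Return a copy of the record with every detected secret masked."""
    cleaned = dict(case_record)
    for field in TEXT_FIELDS:
        text = cleaned.get(field) or ""
        for kind, pattern in SECRET_PATTERNS.items():
            text = pattern.sub(f"[REDACTED:{kind}]", text)
        cleaned[field] = text
    return cleaned


def cases_with_secrets(records):
    """Ids of records that contain at least one detected secret."""
    return [r["Id"] for r in records if scan_case(r)]


# Constructed sample rows in the shape of Salesforce Case records; all values
# are fake (the AWS key is the documented AWS example key).
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "S3 upload failing",
     "Description": "Our key AKIAIOSFODNN7EXAMPLE gets AccessDenied on PutObject."},
    {"Id": "500000000000002", "Subject": "Cannot log in",
     "Description": "Tried password=Winter2025! and Authorization: Bearer "
                    "eyJhbGciOiJIUzI1NiJ9.abcdef0123456789 but still get 401."},
    {"Id": "500000000000003", "Subject": "Billing question",
     "Description": "Invoice 4417 shows the wrong plan tier."},
]

if __name__ == "__main__":
    for rec in SAMPLE_CASES:
        for field, kind, value in scan_case(rec):
            print(f"{rec['Id']} {field}: {kind} -> {value}")
```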
The stolen Drift and Drift Email tokens were used in a large-scale data theft campaign that hit major companies including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.
Due to the sheer volume of these attacks, the FBI recently issued an advisory warning about the UNC6040 and UNC6395 threat actors, sharing the IOCs discovered during the attacks.
Last Thursday, the threat actors claiming to be part of Scattered Spider said they planned to "go dark" and stopped discussing their operations on Telegram.
In a farewell post, the threat actors claimed to have breached Google's Law Enforcement Request System (LERS), which law enforcement uses to submit data requests, and the FBI's eCheck platform, which is used for background checks.
After BleepingComputer contacted Google about these claims, the company confirmed that a fraudulent account had been added to its LERS platform.
"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.
"No requests were made with this fraudulent account, and no data was accessed."
While the threat actors indicated that they are retiring, researchers from ReliaQuest report that the threat actors began targeting financial institutions in July 2025 and that the attacks are likely to continue.
To protect against these data theft attacks, Salesforce recommends that customers follow best practices, including enabling multi-factor authentication (MFA), implementing the principle of least privilege, and carefully managing connected applications.


