ShinyHunters Breach Exposes 1.5 Billion Salesforce Records via Drift OAuth Hack

Sep 18, 2025

Quick Take

  • Threat Group: ShinyHunters (aka Scattered Lapsus$ Hunters), linked to UNC6040 and UNC6395.

  • Impact: Compromise of 1.5 billion Salesforce records across 760 companies, including major global enterprises.

  • Attack Vector: OAuth tokens stolen from Drift and Drift Email integrations following a GitHub repository breach.

  • Data Stolen: Salesforce objects — Accounts, Contacts, Opportunities, Cases, and Users.

  • Fallout: Risk of credential harvesting, data extortion, and secondary intrusions leveraging secrets found within stolen datasets.

The Incident

In one of the largest CRM-related breaches to date, threat group ShinyHunters has claimed responsibility for the theft of 1.5 billion Salesforce records spanning hundreds of global companies.

The breach traces back to a compromise of Salesloft's GitHub environment (Salesloft is the vendor behind Drift). The attackers used TruffleHog, an open-source secret scanner, to search the repositories they could reach for exposed secrets, and turned up OAuth tokens tied to Drift and Drift Email, products widely integrated with Salesforce for customer engagement and automated communications.

Because an OAuth access token is itself a bearer credential, those tokens let the attackers call customers' Salesforce instances as the trusted Drift connected app, with no password or MFA prompt in the way, and systematically export entire object tables.

Scope of Exposure

According to leaked data samples, the following Salesforce objects were compromised:

  • ~250 million Account records

  • ~579 million Contact records

  • ~459 million Case records (including sensitive support-ticket content)

  • ~171 million Opportunity records

  • ~60 million User records

A wide range of high-profile companies were reportedly affected, including Google, Cloudflare, Zscaler, Tenable, Palo Alto Networks, Proofpoint, CyberArk, Qualys, Nutanix, BeyondTrust, Elastic, and Rubrik.

The attackers did not simply steal data — they also scanned the exfiltrated content for additional secrets, such as credentials and tokens, creating opportunities for follow-on intrusions and extortion campaigns.
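In practice that secret-hunting step is a set of regular expressions run over every free-text field in a dump, and the same scan works whether the input is a cloned repository (the Salesloft GitHub stage) or exported Case records (the follow-on stage described here). The script below is an added example written for this page, not code from the original article and not the attackers' tooling. The Case records, the AWS example key ID, the password and the GitHub-style token in it are constructed, and the pattern set is a small illustrative subset of what a scanner like TruffleHog ships with.

```python
import re

# Constructed sample: three fake Salesforce Case records as they might appear in an
# exported dump. The key ID is AWS's documented example value; everything else is made up.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Login issue",
     "Description": "User cannot log in since Monday, reset link not arriving."},
    {"Id": "5002", "Subject": "Integration failing",
     "Description": "Our sync job uses AKIAIOSFODNN7EXAMPLE and secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, please check the bucket policy."},
    {"Id": "5003", "Subject": "Webhook auth",
     "Description": "Set password=Sup3rS3cret! in the connector config, and the CI token is "
                    + "ghp_" + "a" * 36 + " if you need it."},
]

# Illustrative detection patterns (an assumption of this example, not a vendor rule set).
# When a pattern has a capturing group, the last group is treated as the secret itself;
# otherwise the whole match is the secret (see extract_secret).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{8,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
}


def redact(secret):
    """Keep only a short prefix so a finding can be triaged without re-exposing the value."""
    return secret[:4] + "****" if len(secret) > 4 else "****"


def extract_secret(match):
    """Return the secret portion of a regex match (last group if the pattern has one)."""
    return match.group(match.lastindex) if match.lastindex else match.group(0)


def scan_text(text):
    """Return (pattern_name, redacted_secret) for every hit in one string, in pattern order."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, redact(extract_secret(m))))
    return hits


def scan_records(records, fields=("Subject", "Description")):
    """Scan the free-text fields of each record; map record Id -> list of hits (records with none are omitted)."""
    findings = {}
    for rec in records:
        hits = []
        for field in fields:
            hits.extend(scan_text(rec.get(field) or ""))
        if hits:
            findings[rec["Id"]] = hits
    return findings


if __name__ == "__main__":
    for case_id, hits in scan_records(SAMPLE_CASES).items():
        for name, value in hits:
            print(f"Case {case_id}: {name} -> {value}")
```

Run as-is it prints one line per finding; the redacted value is enough to triage without copying the secret into a ticket. The 40-character AWS secret key in the second record is deliberately not pattern-matched, because that shape is too generic for a regex alone, which is why real scanners add entropy checks and live verification of candidate keys. Defenders can run the same scan over their own CRM exports to find what an attacker would find, and rotate those credentials whether or not the data is known to have been stolen.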

Why It Matters

  1. OAuth as a Weak Link
    An OAuth access token is a bearer credential: whoever holds it gets the connected app's full access without a password or MFA prompt, so a token that leaks from a vendor's code or infrastructure quietly bypasses the controls that guard interactive logins.

  2. Supply Chain Risk
    A compromise within one vendor’s development environment cascaded into hundreds of Salesforce customer environments — highlighting the systemic risk of third-party integrations.

  3. Data Sensitivity
    Case records, containing unstructured support data, may reveal internal communications, technical configurations, or personally identifiable information (PII).

  4. Extortion at Scale
    ShinyHunters is leveraging the breach not only for data sales but also for corporate extortion, demanding payments to prevent public leaks.

Defensive Guidance

Organizations using Salesforce or Drift integrations should take immediate steps to mitigate risk:

  • Revoke and Rotate Tokens: Audit all OAuth connections (in Salesforce, the Connected Apps OAuth Usage page under Setup lists each connected app and lets you revoke its tokens org-wide), revoke unused or suspicious tokens, and enforce token rotation policies.

  • Apply Least Privilege: Limit connected applications to only the data objects and scopes they require; a chat integration rarely needs read access to every Case and Opportunity.

  • Mandate MFA Everywhere: Extend multi-factor authentication requirements to all Salesforce and integrated app accounts, while recognising its limit: MFA protects the login that issues a token, not a token that has already been stolen, so it complements revocation and scope reduction rather than replacing them.

  • Secure Development Environments: Enforce secret-scanning tools in CI/CD pipelines to prevent credential leaks in repositories, and keep long-lived tokens out of source control in the first place by using a secrets manager and short-lived credentials.

  • Enhance Monitoring: Use Event Monitoring and login history to flag unusual Salesforce queries, Bulk API jobs, or large row counts from a connected app, and alert when an app starts calling from an IP range it has never used.
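The monitoring bullet is the one most teams leave abstract, so here is an added example of the detection logic, written for this page and not a Salesforce or ClearPhish tool. It parses a constructed CSV-style log in the spirit of Salesforce Event Monitoring API and Bulk API rows (the column names are an assumption of this example, not the platform's exact schema) and flags three things a campaign like this one would trip: a single call returning a very large row count, a connected app calling from an address outside its known baseline, and one principal sweeping several sensitive objects within a short window. The timestamps, users, application name, IPs and row counts are all constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in the spirit of Event Monitoring API/BulkApi rows.
# Column names and every value below are assumptions for this example.
SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,CONNECTED_APP,EVENT_TYPE,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
2025-08-10T03:12:44Z,integration@corp.example,Drift,BulkApi,Account,240000,203.0.113.7
2025-08-10T03:14:02Z,integration@corp.example,Drift,BulkApi,Contact,550000,203.0.113.7
2025-08-10T03:20:31Z,integration@corp.example,Drift,BulkApi,Case,410000,203.0.113.7
2025-08-10T03:25:10Z,integration@corp.example,Drift,BulkApi,Opportunity,170000,203.0.113.7
2025-08-10T03:26:40Z,integration@corp.example,Drift,BulkApi,User,59000,203.0.113.7
2025-08-10T09:05:11Z,alice@corp.example,Salesforce for Outlook,API,Contact,40,198.51.100.20
2025-08-10T10:17:55Z,integration@corp.example,Drift,API,Contact,120,192.0.2.44
"""

# Constructed baseline: source IPs each connected app has historically used.
BASELINE_IPS = {"Drift": {"192.0.2.44"}}

# The objects the article lists as stolen; a sweep across several of them is the signal.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}


def parse_events(log_text):
    """Parse CSV rows into dicts with a UTC datetime and an integer row count."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": row["USER_NAME"],
            "app": row["CONNECTED_APP"],
            "event_type": row["EVENT_TYPE"],
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"]),
            "ip": row["CLIENT_IP"],
        })
    return events


def detect(log_text, baseline_ips, row_threshold=100_000, object_threshold=3, window_minutes=60):
    """Return a list of alert dicts; each has a 'rule' name and the principal (user, app) involved."""
    events = parse_events(log_text)
    alerts = []
    by_principal = defaultdict(list)
    seen_new_ips = set()
    for ev in events:
        principal = (ev["user"], ev["app"])
        by_principal[principal].append(ev)
        # Rule 1: a single call that pulls a large slice of one object.
        if ev["rows"] >= row_threshold:
            alerts.append({"rule": "bulk_rows", "principal": principal,
                           "entity": ev["entity"], "rows": ev["rows"], "ts": ev["ts"]})
        # Rule 2: a profiled connected app calling from an address it has never used (one alert per new IP).
        known = baseline_ips.get(ev["app"])
        if known and ev["ip"] not in known and (ev["app"], ev["ip"]) not in seen_new_ips:
            seen_new_ips.add((ev["app"], ev["ip"]))
            alerts.append({"rule": "unknown_source_ip", "principal": principal, "ip": ev["ip"], "ts": ev["ts"]})
    # Rule 3: one principal touching several sensitive objects inside a sliding time window.
    window = timedelta(minutes=window_minutes)
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            touched = {e["entity"] for e in evs[i:]
                       if e["ts"] - start["ts"] <= window and e["entity"] in SENSITIVE_OBJECTS}
            if len(touched) >= object_threshold:
                alerts.append({"rule": "object_sweep", "principal": principal,
                               "objects": sorted(touched), "ts": start["ts"]})
                break  # one sweep alert per principal is enough
    return alerts


def summarize(alerts):
    """Count alerts by rule name, e.g. {'bulk_rows': 4, 'unknown_source_ip': 1, 'object_sweep': 1}."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE_IPS):
        details = {k: v for k, v in a.items() if k not in ("rule", "principal")}
        print(a["rule"], a["principal"], details)
```

Thresholds are parameters because the right values depend on the org: a legitimate nightly sync may well pull 100,000 Contacts, but it rarely also walks Account, Case, Opportunity and User in the same fifteen minutes from an IP it has never used. The unknown-IP rule only fires for apps that have a baseline entry, so it stays quiet for integrations you have not profiled yet; building those baselines from a few weeks of normal traffic is the real work.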

Looking Ahead

This breach reinforces the growing convergence of supply chain compromise, token abuse, and large-scale data extortion. With customer trust, regulatory compliance, and competitive intelligence at stake, enterprises must reassess the security posture of every connected application in their SaaS ecosystem.

The ShinyHunters operation demonstrates the fragility of token-based integrations — and serves as a reminder that in cloud-first environments, the weakest credential can open the largest doors.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
