Ethical Hacking News
Salesloft, a sales automation platform, has been breached by the notorious threat actor group, ShinyHunters. The breach occurred due to the theft of OAuth tokens used for Salesloft's Drift chat agent integration with Salesforce. This attack is part of a larger wave of Salesforce data breaches linked to the ShinyHunters group. To protect themselves from these types of attacks, organizations must take steps to secure their credentials and educate their employees on the dangers of social engineering.
Salesloft, a sales automation platform, was breached by ShinyHunters through the theft of OAuth tokens used by its Drift chat agent integration with Salesforce. The stolen tokens let the threat actors harvest credentials such as AWS access keys, passwords, and Snowflake-related access tokens. Customers who did not use the Drift-Salesforce integration were not impacted, but the ongoing investigation found that the actors exploited a linked Salesforce data breach. They used Tor and hosting providers to hide their infrastructure, and User-Agent strings in the traffic point to custom tools named 'Salesforce-Multi-Org-Fetcher' and 'Salesforce-CLI'. Admins are advised to rotate credentials and search Salesforce objects for additional stolen secrets. The theft is part of a larger wave of Salesforce data breaches linked to the ShinyHunters group, which also claims to overlap with the threat actors tracked as Scattered Spider. Salesforce customers have faced numerous social engineering attacks since June, including breaches at Google, Cisco, and other major companies.
According to Salesloft, threat actors obtained Drift OAuth and refresh tokens used for its Salesforce integration, and used them to conduct a Salesforce data theft campaign between August 8 and August 18, 2025. The primary objective of the actor's actions was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.
In their advisory, Salesloft revealed that customers who do not use their Drift-Salesforce integration were not impacted by this incident. However, ongoing investigation revealed that threat actors exploited a Salesforce data breach linked to the ShinyHunters group to pivot to customer environments and exfiltrate data.
Google's Threat Intelligence team, Mandiant, is tracking the threat actor as UNC6395. They reported that once the attackers gained access to a Salesforce instance, they issued SOQL queries to extract case authentication tokens, passwords, and secrets from support cases. This allowed them to breach further platforms.
The attackers used Tor, as well as hosting providers like AWS and DigitalOcean, to hide their infrastructure. User-Agent strings associated with the data theft attacks include 'python-requests/2.32.4' and 'Python/3.11 aiohttp/3.12.15', and, for the custom tooling, 'Salesforce-Multi-Org-Fetcher/1.0' and 'Salesforce-CLI/1.0'.
Admins of affected environments are advised to rotate credentials and then search Salesforce objects for additional secrets that may have been stolen. Recommended search terms include 'AKIA' (the prefix of long-term AWS access key identifiers), 'Snowflake' or 'snowflakecomputing.com' for Snowflake credentials, 'password', 'secret' and 'key', and strings related to organization-specific login URLs such as VPN or SSO login pages.
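As an added example (not code from Salesloft, Google or the article), the following Python script turns the two defensive steps above into a hunt: it sweeps constructed Salesforce Case text for the recommended search terms and flags constructed API log lines carrying the campaign's User-Agent strings. The record IDs, log line format and sample values are assumptions.

```python
import re

# Campaign User-Agent indicators quoted in the article.
SUSPECT_USER_AGENTS = (
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
)

# Regex forms of the recommended search terms for secrets in Salesforce objects.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflake(computing\.com)?", re.I),
    "generic_secret": re.compile(r"\b(password|secret|key)\b\s*[:=]", re.I),
    "login_url": re.compile(r"https?://[\w.-]*(vpn|sso)[\w.-]*", re.I),
}

def find_secrets(records):
    """Return (record id, pattern name, matched text) for each hit in the records."""
    hits = []
    for rec_id, text in records.items():
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((rec_id, name, m.group(0)))
    return hits

def flag_user_agents(log_lines):
    """Return log lines whose User-Agent matches a campaign indicator.
    python-requests and aiohttp are common clients; treat those hits as a lead
    to correlate with bulk SOQL queries against Case, not as proof on their own."""
    return [line for line in log_lines if any(ua in line for ua in SUSPECT_USER_AGENTS)]

# Constructed sample Case descriptions (hypothetical record IDs and values;
# the AWS key is the well-known documentation example, not a real credential).
SAMPLE_CASES = {
    "500xx0000000001": "Customer pasted AWS creds: AKIAIOSFODNN7EXAMPLE secret=hunter2",
    "500xx0000000002": "Please reset my password, thanks.",
    "500xx0000000003": "Warehouse acme.snowflakecomputing.com, key: REDACTED",
    "500xx0000000004": "Our VPN portal https://vpn.example.com is unreachable",
}

# Constructed API access log lines (timestamp, source IP, User-Agent, URI).
SAMPLE_LOG = [
    '2025-08-10T03:14:07Z 198.51.100.7 "Salesforce-Multi-Org-Fetcher/1.0" /services/data/v60.0/query',
    '2025-08-10T09:02:44Z 203.0.113.5 "Mozilla/5.0 (Windows NT 10.0)" /lightning/o/Case/list',
    '2025-08-11T22:51:10Z 198.51.100.9 "python-requests/2.32.4" /services/data/v60.0/query',
]

if __name__ == "__main__":
    print(find_secrets(SAMPLE_CASES), flag_user_agents(SAMPLE_LOG))
```

Every hit from find_secrets should be treated as a credential to rotate, not merely to redact, since the article describes the actors pulling exactly these values out of support cases.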
Google is tracking this activity under a new classifier, UNC6395, and the ShinyHunters extortion group claims responsibility for these additional Salesforce attacks. When contacted, a representative from the group told BleepingComputer that "No wonder things suddenly stopped working yesterday."
The theft of Salesloft tokens is part of a larger wave of Salesforce data breaches linked to the ShinyHunters group, who also claim to overlap with threat actors classified as Scattered Spider.
"This is just another example of how easily sensitive credentials can be stolen," said Lawrence Abrams, Editor-in-Chief of BleepingComputer.com. "It's imperative that organizations take steps to protect themselves from these types of attacks and ensure that their employees are educated on the dangers of social engineering."
Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data. During these attacks, they conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email. Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
With these additional attacks, the threat actors have expanded their tactics to not only extort companies but also use stolen data to breach downstream customers' cloud services and infrastructure.
Published: Tue Aug 26 14:38:15 2025 by llama3.2 3B Q4_K_M