Ethical Hacking News
In a shocking revelation, the ShinyHunters extortion group has claimed responsibility for stealing approximately 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. This massive data breach highlights the importance of cybersecurity best practices and serves as a stark reminder to individuals and businesses to prioritize their data protection.
The world's largest data breach has left millions of customers feeling exposed, with approximately 1.5 billion Salesforce records stolen. ShinyHunters, an extortion group, claimed responsibility for the breach using compromised Salesloft Drift OAuth tokens. The attack targeted financial institutions and other organizations with sensitive data, using social engineering tactics and malicious OAuth applications. The stolen data includes customer accounts, contacts, cases, opportunities, and user records, with some potentially containing confidential information. Google Threat Intelligence reported that the stolen Case data was analyzed for hidden secrets, including credentials and authentication tokens. The attack is part of a larger campaign using social engineering tactics and malicious OAuth applications, targeting major companies worldwide.
The world of cybersecurity is reeling from a recent data breach that has left millions of customers feeling exposed and vulnerable. In what can only be described as one of the largest data breaches in history, ShinyHunters, an extortion group, has claimed responsibility for stealing approximately 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
According to sources close to the matter, ShinyHunters has been targeting financial institutions and other organizations with sensitive data since July 2025. The attackers used social engineering tactics and malicious OAuth applications to breach Salesforce instances and download data, which was then used for extortion purposes. The stolen data included information from customer accounts, contacts, cases, opportunities, and user records.
In an interview with BleepingComputer, a representative from ShinyHunters explained that the group had breached the Salesloft GitHub repository, where they found OAuth tokens for the Drift AI chat agent and the Drift Email platform. These tokens were used to gain unauthorized access to Salesforce instances, allowing the attackers to exfiltrate sensitive data.
The stolen records include information from customer accounts, contacts, cases, opportunities, and user records: approximately 250 million records from the Account table, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million from the Case table. The Case table holds support tickets submitted by customers, which could potentially include confidential information.
Google Threat Intelligence (Mandiant) reported that the stolen Case data was analyzed for hidden secrets, including credentials, authentication tokens, and access keys, to enable the attackers to pivot into other environments for further attacks.
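Because support tickets can carry pasted credentials, a defender can run the same kind of search over their own Case export to find secrets that need rotating. The following is an added example, not code from the original article or from any vendor. The pattern set, the record layout (dicts with Id, Subject, Description) and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed starter patterns; extend with the credential formats your organisation issues.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}

def redact(secret):
    """Keep a short prefix only, so the report does not itself leak the secret."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_case(case):
    """Return findings for one Case record; empty or missing fields are skipped."""
    findings = []
    for field in ("Subject", "Description"):
        text = case.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the capture group when the pattern has one, else the whole match.
                secret = m.group(m.lastindex or 0)
                findings.append({"case_id": case["Id"], "field": field,
                                 "kind": kind, "redacted": redact(secret)})
    return findings

def scan_cases(cases):
    """Scan many Case records and return findings ordered by case, then kind."""
    found = [f for c in cases for f in scan_case(c)]
    return sorted(found, key=lambda f: (f["case_id"], f["kind"]))

# Constructed sample records (not real data). The AWS key is the documentation example value.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "Cannot log in",
     "Description": "My login fails. password: Winter2025!x please reset."},
    {"Id": "CASE-0002", "Subject": "S3 sync error",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE and it returns 403."},
    {"Id": "CASE-0003", "Subject": "Billing question",
     "Description": "Why was I charged twice in August?"},
    {"Id": "CASE-0004", "Subject": "API call rejected", "Description": None},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Each finding names the case and the credential type, which is enough to open a rotation ticket without copying the secret into another system.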
The attack is believed to be part of a larger campaign of data theft using social engineering tactics and malicious OAuth applications. ShinyHunters claims to have targeted major companies such as Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.
In a parting post, the threat actors claimed to have breached Google's Law Enforcement Request system (LERS) and the FBI eCheck platform. However, when contacted about these claims, Google confirmed that a fraudulent account was added to its LERS platform.
The incident serves as a stark reminder of the importance of cybersecurity best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications. Salesforce has recommended that customers follow security best practices to protect against such attacks in the future.
As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and take proactive measures to protect their sensitive data from falling into the wrong hands. In this article, we will delve deeper into the details of the ShinyHunters' attack and explore the implications of this massive data breach on individuals and businesses alike.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-Salesforce-Data-Breach-ShinyHunters-15-Billion-Record-Heist-ehn.shtml
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
Published: Wed Sep 17 20:01:27 2025 by llama3.2 3B Q4_K_M