ShinyHunters claims 15 billion Salesforce records stolen in Drift hacks

pSonicWall Firewall configs stolen for all cloud backup customersppNew FileFix attack uses cache smuggling to evade security softwareppHackers claim Discord breach exposed data of 55 million usersppGoogles new AI bug bounty program pays up to 30000 for flawsppHarvard investigating breach linked to Oracle zeroday exploitppThe 380 refurbished Surface Laptop 3 with i7 performance and 16GB RAMppFake Inflation Refund texts target New Yorkers in new scamppGet your first year of Sams Club membership for 15 MSRP 50ppHow to access the Dark Web using the Tor BrowserppHow to enable Kernelmode Hardwareenforced Stack Protection in Windows 11ppHow to use the Windows Registry EditorppHow to backup and restore the Windows RegistryppHow to start Windows in Safe ModeppHow to remove a Trojan Virus Worm or other MalwareppHow to show hidden files in Windows 7ppHow to see hidden files in WindowsppRemove the Theonlinesearchcom Search RedirectppRemove the Smartwebfindercom Search RedirectppHow to remove the PBlock adware browser extensionppRemove the Toksearchesxyz Search RedirectppRemove Security Tool and SecurityTool Uninstall GuideppHow to Remove WinFixer Virtumonde Msevents TrojanvundoppHow to remove Antivirus 2009 Uninstall InstructionsppHow to remove Google Redirects or the TDSS TDL3 or Alureon rootkit using TDSSKillerppLocky Ransomware Information Help Guide and FAQppCryptoLocker Ransomware Information Guide and FAQppCryptorBit and HowDecrypt Information Guide and FAQppCryptoDefense and HowDecrypt Ransomware Information Guide and FAQppQualys BrowserCheckppSTOPDecrypterppAuroraDecrypterppFilesLockerDecrypterppAdwCleanerppComboFixppRKillppJunkware Removal ToolppeLearningppIT Certification CoursesppGear GadgetsppSecurityppBest VPNsppHow to change IP addressppAccess the dark web safelyppBest VPN for YouTubeppppThe ShinyHunters extortion group claims to have stolen over 15 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokensppFor the past year the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leakedppThese attacks have been claimed by threat actors stating they are part of the ShinyHunters Scattered Spider and Lapsus extortion groups now calling themselves Scattered Lapsus Hunters Google tracks this activity as UNC6040 and UNC6395ppIn March one of the threat actors breached Saleslofts GitHub repository which contained the private source code for the companyppShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platformsppSalesloft Drift is a thirdparty platform that connects the Drift AI chat agent with a Salesforce instance allowing organizations to sync conversations leads and support cases into their CRM Drift Email is used to manage email replies and organize CRM and marketing automation databasesppUsing these stolen Drift OAuth tokens ShinyHunters told BleepingComputer that the threat actors stole approximately 15 billion data records for 760 companies from the Account Contact Case Opportunity and User Salesforce object tablesppOf these records approximately 250 million were from the Account 579 million from Contact 171 million from Opportunity 60 million from User and about 459 million records from the Case Salesforce tablesppThe Case table was used to store information and text from support tickets submitted by customers of these companies which for tech companies could include sensitive datappAs proof that they were behind the attack the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repositoryppBleepingComputer contacted Salesloft with questions about these record counts and the total number of companies impacted but did not receive a response to our email However a source confirmed that the numbers are accurateppGoogle Threat Intelligence Mandiant reported that the stolen Case data was analyzed for hidden secrets such as credentials authentication tokens and access keys to enable the attackers to pivot into other environments for further attacksppAfter the data was exfiltrated the actor searched through the data to look for secrets that could be potentially used to compromise victim environments explained GoogleppGTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services AWS access keys AKIA passwords and Snowflakerelated access tokensppThe stolen Drift and Drift Email tokens were used in largescale data theft campaigns that hit major companies including Google Cloudflare Zscaler Tenable CyberArk Elastic BeyondTrust Proofpoint JFrog Nutanix Qualys Rubrik Cato Networks Palo Alto Networks and many moreppDue to the sheer volume of these attacks the FBI recently released an advisory warning about the UNC6040 and UNC6395 threat actors sharing IOCs discovered during the attacksppLast Thursday the threat actors claiming to be part of Scattered Spider stated that they planned to go dark and stop discussing operations on TelegramppIn a parting post the threat actors claimed to have breached Googles Law Enforcement Request system LERS which is used by law enforcement to issue data requests and the FBI eCheck platform used for conducting background checksppAfter contacting Google about these claims the company confirmed that a fraudulent account was added to its LERS platformppWe have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account Google told BleepingComputerppNo requests were made with this fraudulent account and no data was accessedppWhile the threat actors indicated they are retiring researchers from ReliaQuest report that the threat actors began targeting financial institutions in July 2025 and are likely to continue conducting attacksppTo protect against these data theft attacks Salesforce recommends that customers follow security best practices including enabling multifactor authentication MFA enforcing the principle of least privilege and carefully managing connected applicationsppJoin the Breach and Attack Simulation Summit and experience the future of security validation Hear from top experts and see how AIpowered BAS is transforming breach and attack simulationppDont miss the event that will shape the future of your security strategyppFBI warns of UNC6040 UNC6395 hackers stealing Salesforce datappSalesforce refuses to pay ransom over widespread data theft attacksppSalesloft breached to steal OAuth tokens for Salesforce datatheft attacksppFarmers Insurance data breach impacts 11M people after Salesforce attackppMassive Allianz Life data breach impacts 11 million peopleppDidnt that group post that they were ceasing operations ppNot a member yet Register NowppFBI takes down BreachForums portal used for Salesforce extortionppWindows 11 23H2 Home and Pro reach end of support in 30 daysppApple now offers 2 million for zeroclick RCE vulnerabilitiesppJoin Huntress to discuss all things tradecraft in a monthly meeting of the technical mindsppThe role of Artificial Intelligence in todays cybersecurity landscapeppRedefine security validation with Picus AIdriven Breach and Attack SimulationppMake the leapget certified with VMUG Advantage Start your career journey todayppSee how Material secures Gmail Drive with EDRstyle detection and rapid responseppTerms of Use Privacy Policy Ethics Statement Affiliate DisclosureppCopyright 2003 2025 Bleeping Computer LLC All Rights ReservedppNot a member yet Register NowppRead our posting guidelinese to learn what content is prohibitedp