Salesforce Data Heist: ShinyHunters Strike with 1.5 Billion Record Swipe!
The ShinyHunters extortion group reportedly stole 1.5 billion Salesforce records using compromised OAuth tokens from Salesloft Drift. They targeted 760 companies, including Google and Cloudflare, to extort ransom payments. Despite claiming retirement, the threat actors may continue attacks. Salesforce advises using multi-factor authentication and managing app connections to mitigate risks.

Hot Take:
Looks like Salesforce is in for a ‘sales-storm’ thanks to the ShinyHunters! Who knew that a group named after a Pokémon reference could cause such a data disaster? It seems like they’re catching more than just Pikachu—these cyber bandits are going for the whole CRM zoo! Maybe next time they should consider using a more secure Poké Ball for their data.
Key Points:
- ShinyHunters extortion group claims to have stolen 1.5 billion Salesforce records using compromised OAuth tokens.
- Salesloft’s GitHub repository breach led to the discovery of OAuth tokens via TruffleHog.
- The stolen data includes sensitive information from Salesforce object tables like “Account,” “Contact,” and “Case.”
- Google Threat Intelligence reported that stolen data was analyzed for secrets to facilitate further attacks.
- FBI issued an advisory warning about the threat actors due to large-scale data theft campaigns.
Salesforce’s Extortion Saga
In a plot twist that could rival a soap opera, the ShinyHunters extortion group has claimed responsibility for lifting 1.5 billion Salesforce records. How, you ask? By charming their way in with compromised Salesloft Drift OAuth tokens, of course! With their magical prowess, they accessed a treasure trove of data from 760 companies. It seems that in the world of cybersecurity, trust is like that “one ring” from Tolkien—everyone’s after it, and it could lead to doom.
OAuth Tokens: The Key to the Kingdom
In a move straight out of a hacker’s handbook, the ShinyHunters breached Salesloft’s GitHub repository. Using the TruffleHog tool, they sniffed out precious OAuth tokens for the Drift AI chat agent and Drift Email platforms. These tokens might as well have been labeled “open sesame,” as they unlocked Salesforce instances and gave the group access to millions of records. If only Salesloft had used a more secure password like “123456”—oh wait, scratch that.
The Great Salesforce Heist
Once inside, the ShinyHunters made off with records from Salesforce object tables, including “Account,” “Contact,” “Case,” “Opportunity,” and “User.” This data could easily fill a digital ocean, with 250 million records from the Account table alone. The Case table, chock-full of sensitive customer support information, must have been like striking oil for these digital prospectors. Who knew data mining could be so lucrative?
Data Analysis: Secrets Unveiled
Google Threat Intelligence (Mandiant) reported that the stolen data was thoroughly analyzed for hidden secrets like credentials and access keys, allowing the attackers to pivot and plan further attacks. It seems the ShinyHunters are not just content with stealing data—they want to explore every nook and cranny for that extra bit of mischief. They might want to consider adding “digital archaeologist” to their résumés.
Going Dark But Not Gone
In a surprise twist, the threat actors announced they were going dark, claiming to have breached Google’s Law Enforcement Request system and the FBI eCheck platform. While Google confirmed a fraudulent account was created, it seems the ShinyHunters are simply taking a sabbatical. However, researchers believe they are merely reloading their digital arsenal and may soon target financial institutions. Like a bad penny, they just keep coming back.
What Now, Salesforce?
With the dust settling, Salesforce is advising its customers to buckle up and follow security best practices—multi-factor authentication, least privilege enforcement, and careful management of connected applications. It’s like putting a deadbolt on the barn door after the horse has bolted, but better late than never, right? As the ShinyHunters continue lurking in the shadows, companies must remember that cybersecurity isn’t just a buzzword—it’s a way of life.
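As an added defender-side example (not code from the original post, nor from Salesloft or Salesforce), here is the kind of pre-commit secret scan that would have caught the root cause described under “OAuth Tokens: The Key to the Kingdom” before the tokens ever reached a repository, complementing the connected-app hygiene Salesforce recommends above. The token value, the config lines and the entropy threshold are constructed assumptions; the `00D…!` shape follows the well-known layout of a Salesforce session ID, and the entropy check is the generic net that scanners such as TruffleHog use for secrets with no fixed format.

```python
import math
import re
from collections import Counter

# A Salesforce access token (session ID) starts with the 15-character org ID,
# whose prefix is "00D", followed by "!" and the session part. Refresh tokens
# and other API secrets have no fixed shape, so long high-entropy strings are
# flagged as a second net, the way generic secret scanners do.
SF_ACCESS_TOKEN = re.compile(r"\b00D[A-Za-z0-9]{12}![A-Za-z0-9._]{20,}")
CANDIDATE_SECRET = re.compile(r"[A-Za-z0-9+/=_.\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed, loosely tuned cutoff

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base64 sits near 5-6, prose near 3-4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (reason, matched_text) pairs for anything that looks like a leaked token."""
    hits = [("salesforce_access_token", m.group(0)) for m in SF_ACCESS_TOKEN.finditer(line)]
    for m in CANDIDATE_SECRET.finditer(line):
        tok = m.group(0)
        if any(tok in found for _, found in hits):
            continue  # already reported as part of a structured token
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            hits.append(("high_entropy_string", tok))
    return hits

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Scan a file or diff body; returns (line_number, reason, matched_text)."""
    return [(i, reason, tok)
            for i, line in enumerate(text.splitlines(), 1)
            for reason, tok in scan_line(line)]

# Constructed sample: a config file as it might be committed by mistake.
# The token value is made up and only follows the documented shape.
SAMPLE_CONFIG = """\
# drift integration settings (constructed example)
instance_url = https://example.my.salesforce.com
access_token = "00Dxx0000000001!AQEAQXtC2sAMPLEtokenvalueConstructed.abc"
api_secret = abcdefghijklmnopqrstuvwxyz012345
log_level = info
"""

if __name__ == "__main__":
    for lineno, reason, tok in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}: {tok[:12]}...")
```

Wiring `scan_text` into a pre-commit hook over `git diff --cached` blocks the commit on any hit, which is the cheap control that turns a repository leak into a non-event.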
In this unfolding drama of cat-and-mouse, one thing is clear: The ShinyHunters may have temporarily retired, but the cybersecurity landscape remains as unpredictable as ever. So, keep your digital defenses up and your OAuth tokens well-guarded—because who knows what shiny new disaster might be lurking around the corner?