In a recent wave of cybercrime, the notorious hacker group ShinyHunters has claimed responsibility for stealing a staggering 1.5 billion Salesforce records from 760 companies. This group, now operating under the name Scattered Lapsus$ Hunters, is known for its data theft and extortion tactics, often employing ransomware to infiltrate organizational environments. The FBI issued a warning about their latest attack, which involved the theft of OAuth tokens used to integrate Salesloft Drift’s AI chatbot with Salesforce instances. Google’s threat intelligence team traced the beginning of these attacks to August 8, with the operation impacting approximately 700 Salesloft customers.
The breach reportedly began when ShinyHunters infiltrated Salesloft’s GitHub repository, gaining access to private source code. Using TruffleHog, a legitimate open-source secret-scanning tool, the hackers scanned the code for OAuth tokens that granted access to the companies that had integrated Salesloft’s Drift platform with Salesforce. Mining GitHub repositories for leaked secrets has been a favored technique of the ShinyHunters group since 2020, and this campaign shows it remains effective.
Once inside, ShinyHunters exfiltrated a significant volume of data, including 250 million records from the Account table, 579 million from Contact, and hundreds of millions more from other Salesforce tables. Google’s analysis of this cyberattack revealed the group’s primary objective was to harvest credentials, seeking sensitive information such as AWS access keys and Snowflake-related tokens. This breach extended beyond Salesforce to other applications integrated with Drift, including Google Workspace and several other third-party tools.
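The two preceding paragraphs describe the exposure that made this campaign possible: credentials (OAuth tokens, AWS access keys, Snowflake tokens) sitting in source code where a secret scanner can find them. The defensive counterpart is to run that class of check on your own repositories and CI pipelines first. The script below is an added example written for this article, not code from Salesloft, Salesforce, Google, or TruffleHog; its regexes are simplified heuristics for the credential types the article names (the `AKIA` prefix of AWS access key IDs is public AWS format, the rest are generic assignment patterns chosen for this example), and the sample configuration it scans is constructed, using AWS’s published example key values rather than any real secret.

```python
import math
import re
from collections import Counter

# Simplified detectors for the credential classes named in the article.
# AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics (public format);
# the other two patterns are generic "name = value" heuristics for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r'(?i)aws_secret_access_key\s*[=:]\s*["\']?([A-Za-z0-9/+=]{40})'
    ),
    "oauth_token_assignment": re.compile(
        r'(?i)(access_token|refresh_token|oauth_token)\s*[=:]\s*["\']?([A-Za-z0-9._-]{20,})'
    ),
}

# Constructed sample file: AWS's documented example key pair plus made-up tokens.
SAMPLE_CONFIG = """\
# settings.py (constructed sample for this example)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SALESFORCE_REFRESH_TOKEN = "5Aep861zfXhRqW0QmKpVdJc3n9LtYs2bHx7uE4oAiN1"
refresh_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'xxxx...' score near zero."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only a short prefix so findings can be reported without re-leaking the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per high-entropy credential-looking value, with line number and kind.

    The entropy filter drops obvious placeholders (repeated characters) that would
    otherwise match the assignment patterns and drown real findings in noise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the last capture group when the pattern has one, else the whole match.
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                if shannon_entropy(secret) < min_entropy:
                    continue
                findings.append({"line": lineno, "kind": kind, "preview": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} -> {f['preview']}")
```

Wired into a pre-commit hook or CI job over every changed file, a check like this fails the build before a token reaches the repository; the entropy threshold is the knob that trades missed short secrets against noise from placeholders, and the redacted preview is what should appear in build logs.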
In response to the attacks, Salesloft collaborated with Salesforce to revoke and refresh all active OAuth tokens for Drift on August 20, effectively blocking further unauthorized access. Despite these efforts, the ramifications of ShinyHunters’ data heist continue to unfold, with numerous high-profile companies reporting breaches. Victims include BeyondTrust, Cato Networks, Cloudflare, CyberArk, JFrog, Nutanix, Palo Alto Networks, Proofpoint, Qualys, Rubrik, SpyCloud, Tenable, and Zscaler.
While a member of the Scattered Lapsus$ Hunters recently claimed that the group was “going dark,” security experts remain skeptical, pointing to evidence of ongoing activity. The cybersecurity landscape remains vigilant as organizations fortify defenses against the relentless threat posed by sophisticated cybercriminal collectives like ShinyHunters.
