Dark Web News Analysis
The notorious ShinyHunters extortion group has claimed responsibility for a massive data theft campaign, asserting they have stolen over 1.5 billion Salesforce records from 760 different companies. The attack, part of a wider campaign tracked by Google as UNC6395, was allegedly carried out using compromised OAuth tokens for the third-party AI chatbot, Salesloft Drift.
According to the threat actors, they gained access to the OAuth tokens after breaching Salesloft’s private GitHub repository and scanning the source code for secrets using the TruffleHog security tool. These tokens provided trusted, privileged access to the Salesforce instances of hundreds of companies, allowing the attackers to exfiltrate enormous volumes of data from core Salesforce tables including “Account,” “Contact,” “Case,” and “Opportunity.” This ongoing campaign has already impacted a significant number of major global companies, and the FBI recently released an advisory warning about the threat actors.
Key Insights
This major security incident provides several critical insights into the modern threat landscape:
- A Catastrophic, Quantified Supply Chain Attack: The specific numbers claimed by the attackers—1.5 billion records across 760 companies—illustrate the catastrophic scale of a modern supply chain attack. The breach of a single, widely used third-party application (Salesloft Drift) has led to a massive, cross-industry data heist.
- The Attack Vector: Stolen OAuth Tokens from Source Code: The attack chain is a textbook example of a sophisticated supply chain compromise. Attackers breached a vendor’s source code repository, found powerful authentication tokens hardcoded within, and then used those trusted tokens to pivot and steal data from the vendor’s entire customer base.
- The Goal is Extortion and Further Network Intrusion: While the primary goal of the attackers is to extort their victims, Google’s analysis confirms a more dangerous secondary objective. The exfiltrated data, especially from customer support cases, is being actively scanned for other secrets like AWS keys and passwords. These can be used to launch even more damaging attacks on the victims’ core cloud infrastructure.
Strategic Recommendations
In response to this and similar supply chain threats, all businesses must prioritize the security of their SaaS ecosystems:
- Conduct an Urgent Third-Party Integration Audit: All businesses must conduct an immediate and thorough audit of all third-party applications and integrations connected to their critical SaaS platforms like Salesforce. Any unused, non-essential, or overly permissive applications should have their access revoked immediately.
- Enforce the Principle of Least Privilege for OAuth Tokens: When connecting third-party apps, organizations must grant them only the absolute minimum permissions (scopes) they need to function. Regularly review the scope of access granted to all OAuth tokens to limit the potential damage if a token is stolen.
- Mandate Multi-Factor Authentication (MFA): As recommended by Salesforce, MFA is a critical control. It should be enforced for all users on all sensitive platforms to add a crucial layer of security against credential-based attacks. While a stolen OAuth token can bypass some forms of MFA, it remains an essential defense for user-initiated logins.
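As an added illustration of the first two recommendations (the integration audit and least-privilege scope review), the following script is not code from the original post or from Salesforce; it runs the audit rules over a constructed inventory of OAuth grants, where every app name, scope set, last-use date, read count and threshold is assumed sample data.

```python
from datetime import date

# Constructed sample inventory of OAuth grants on a Salesforce org
# (hypothetical app names and numbers, not data from the incident).
TODAY = date(2025, 9, 20)                       # assumed audit date
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
BROAD_SCOPES = {"full"}                         # everything the granting user can see
DURABLE_SCOPES = {"refresh_token", "offline_access"}  # token keeps working unattended
BULK_THRESHOLD = 100_000                        # record reads per object in the window
STALE_DAYS = 90

grants = [
    {"app": "SupportChatbot", "scopes": {"api", "refresh_token"},
     "last_used": date(2025, 9, 19), "essential": True,
     "reads": {"Account": 1_200_000, "Contact": 900_000,
               "Case": 450_000, "Opportunity": 80_000}},
    {"app": "LegacyReportSync", "scopes": {"full", "refresh_token"},
     "last_used": date(2025, 4, 2), "essential": False, "reads": {}},
    {"app": "CalendarPlugin", "scopes": {"id", "openid"},
     "last_used": date(2025, 9, 18), "essential": True,
     "reads": {"Contact": 300}},
]


def audit_grant(grant, today=TODAY):
    """Return (action, reason) findings for one OAuth grant; empty means clean."""
    findings = []
    idle = (today - grant["last_used"]).days
    if idle > STALE_DAYS:
        findings.append(("revoke", f"unused for {idle} days"))
    if not grant["essential"]:
        findings.append(("revoke", "integration is not business-essential"))
    broad = grant["scopes"] & BROAD_SCOPES
    if broad:
        findings.append(("reduce", f"overly permissive scopes: {sorted(broad)}"))
    if grant["scopes"] & DURABLE_SCOPES:
        findings.append(("rotate", "long-lived token: rotate it and shorten its lifetime"))
    # A legitimate app reading whole core tables is the pattern to look at first.
    bulk = {obj: n for obj, n in grant["reads"].items()
            if obj in SENSITIVE_OBJECTS and n >= BULK_THRESHOLD}
    if bulk:
        findings.append(("investigate", f"bulk reads of sensitive objects: {bulk}"))
    return findings


def audit(grants, today=TODAY):
    """Map each app name to its findings so the risky grants surface first."""
    return {g["app"]: audit_grant(g, today) for g in grants}


if __name__ == "__main__":
    for app, findings in audit(grants).items():
        print(app, "->", findings or "no findings")
```

In a real review the inventory would come from the org's connected-app and token listings and from its API usage logs; the rules stay the same.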
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com