


ShinyHunters Breach Salesloft GitHub to Steal 1.5 Billion Salesforce Records in Massive Data Theft Campaign

A major cybersecurity incident has shaken the enterprise software ecosystem: the ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records belonging to roughly 760 companies worldwide. The theft reportedly traces back to a March 2025 compromise of Salesloft's GitHub repositories, which ultimately exposed OAuth tokens for the Salesloft Drift and Drift Email integrations. Those tokens have since fueled targeted data theft and extortion campaigns against some of the world's leading organizations.

The attack chain began when the threat actors gained access to Salesloft's private GitHub repositories. There they ran TruffleHog, an open-source secret scanner, against the source code and found OAuth tokens for Drift's integration with Salesforce CRM. Those tokens carry the same access as the legitimate sync that pushes customer conversations, leads, support cases and marketing-automation data into Salesforce, and a bearer token alone authenticates an API call, so no password or MFA challenge stood in the attackers' way. Using the stolen tokens, they exfiltrated massive datasets from key Salesforce objects, including Account (250 million records), Contact (579 million), Opportunity (171 million), User (60 million) and Case (459 million). The Case records in particular raised alarms, because support tickets routinely contain customer communications, technical details and, as the attackers went on to exploit, pasted credentials.

Researchers at Google Mandiant Threat Intelligence confirmed that the stolen data was not just exfiltrated but also mined for secrets that had ended up in CRM fields, such as AWS access keys, Snowflake tokens and plaintext passwords. In other words, the attackers were after more than the data itself: they wanted credentials that would let them pivot into victims' other cloud environments for secondary intrusions. Companies reported as affected include a who's who of enterprise technology: Google, Cloudflare, Palo Alto Networks, Zscaler, CyberArk, Proofpoint, Qualys and many others.
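The secret hunting described in the two paragraphs above (TruffleHog over the GitHub source, then over the stolen Case data) is the same technique whichever text it runs on: match well-known credential shapes, then fall back to high-entropy strings. As an added example, not code from the article or from any vendor it names, the Python below runs that technique on the defender's side over a constructed sample of Salesforce Case records, so an organization can find pasted credentials in its own CRM export and rotate them before an attacker does. The rule names, the entropy threshold and the sample records are assumptions; the AWS key in the sample is the public documentation example key, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Constructed Salesforce Case records (not real data). Support tickets like
# these are the kind of content the attackers mined for reusable credentials.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "Sync failing",
     "Description": "Our loader uses AKIAIOSFODNN7EXAMPLE with secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, can you check?"},
    {"CaseNumber": "00001002", "Subject": "Snowflake connector",
     "Description": "connection string: snowflake://svc_etl:Tr0ub4dor&3@"
                    "acme-xy12345.snowflakecomputing.com/ANALYTICS"},
    {"CaseNumber": "00001003", "Subject": "Billing question",
     "Description": "Invoice 4471 shows two charges for April, please advise."},
]

# Pattern rules for credential shapes a TruffleHog-style scanner recognises.
# The rule names are this example's own; a capture group, when present,
# isolates the secret part of the match.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "url_embedded_credential": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"),
    "keyword_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([^\s'"]{8,})"""),
}
# Fallback: any long base64/URL-safe token with high character entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune on your data


@dataclass(frozen=True)
class Finding:
    case_number: str
    field: str
    rule: str
    preview: str  # redacted, safe to paste into a rotation ticket


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def redact(secret: str) -> str:
    """Keep only enough of the value to identify which secret to rotate."""
    return f"{secret[:4]}...{secret[-2:]}" if len(secret) > 8 else "***"


def scan_text(text: str):
    """Yield (rule, secret, span) for every suspected secret in text.

    Pattern rules run first; the entropy rule only looks at tokens that no
    pattern already covered, so a secret is reported once.
    """
    covered = []
    for rule, rx in PATTERN_RULES.items():
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            covered.append(m.span())
            yield rule, secret, m.span()
    for m in TOKEN_RE.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            yield "high_entropy_string", m.group(0), m.span()


def scan_records(records, fields=("Subject", "Description")):
    """Scan the free-text fields of exported Case records; return redacted findings."""
    findings = []
    for rec in records:
        for field in fields:
            for rule, secret, _ in scan_text(rec.get(field) or ""):
                findings.append(Finding(rec["CaseNumber"], field, rule, redact(secret)))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_CASES):
        print(f"Case {f.case_number} [{f.field}] {f.rule}: {f.preview}")
```

Run against a real export, every finding is a credential to rotate and a ticket to scrub; the redacted preview exists so the rotation ticket itself does not become the next leak.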

While ShinyHunters initially promoted the operation under the banner of "Scattered Lapsus$ Hunters", they later announced a supposed retirement. Intelligence reporting from ReliaQuest suggests otherwise, noting that the same actors began targeting financial institutions in mid-2025. The FBI has since issued an advisory on the threat clusters tracked as UNC6040 and UNC6395, providing indicators of compromise (IOCs) tied to these campaigns.

Interestingly, as part of their final public claims, the attackers alleged breaches of Google's Law Enforcement Request System (LERS) and the FBI's eCheck platform. Google later confirmed that a fraudulent account had been created in LERS, but clarified that no requests were submitted with it and no data was accessed.

This incident highlights the growing risk from software supply chains and poorly secured developer environments: a secret sitting in a source repository became access to hundreds of downstream customers. The compromise of OAuth tokens also illustrates how attackers are shifting toward abusing identity and access misconfigurations rather than deploying malware; a valid bearer token looks like ordinary integration traffic to most controls.

In conclusion, the Salesloft-Salesforce breach underscores the urgent need for enterprises to adopt stronger identity security controls: multi-factor authentication (MFA) for interactive logins, strict least-privilege scopes for connected apps, secret scanning of repositories and CRM data before an attacker does it, and regular audits of connected third-party applications and the OAuth tokens they hold. MFA alone would not have stopped this campaign, because a stolen OAuth token is presented in place of a login; the token itself must be narrowly scoped, monitored for unusual volume and revoked promptly when the issuing vendor is compromised. With extortion groups like ShinyHunters evolving into more sophisticated adversaries, organizations must treat OAuth tokens and API integrations as high-value attack surfaces. The sheer scale of this breach is a reminder that one compromised integration can cascade into catastrophic data loss across entire industries.
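The audit of connected apps that the conclusion calls for can be partly scripted. The Python below is an added example, not anything Salesforce or Salesloft ships: it takes rows in the shape a SOQL query against Salesforce's standard OauthToken object returns (the field names and the User relationship are assumed from that object's documented shape; the rows, the allowlist, the compromised-app list and the fixed clock are constructed) and decides which tokens to revoke: any held by an app known to be compromised upstream, by an app not on the approved list, or not used within 90 days.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)

# Constructed rows in the shape of
#   SELECT Id, AppName, LastUsedDate, UseCount, User.Username FROM OauthToken
# Field and relationship names are assumed from the standard object; no real org data.
SAMPLE_TOKENS = [
    {"Id": "0Ca000000000001", "AppName": "Salesloft Drift",
     "LastUsedDate": "2025-08-09T03:12:44.000+0000", "UseCount": 1842,
     "User": {"Username": "drift.integration@example.com"}},
    {"Id": "0Ca000000000002", "AppName": "Slack",
     "LastUsedDate": "2025-09-14T17:05:01.000+0000", "UseCount": 55,
     "User": {"Username": "alice@example.com"}},
    {"Id": "0Ca000000000003", "AppName": "Legacy BI Export",
     "LastUsedDate": "2025-02-01T08:00:00.000+0000", "UseCount": 3,
     "User": {"Username": "bi.svc@example.com"}},
    {"Id": "0Ca000000000004", "AppName": "Acme Unknown Tool",
     "LastUsedDate": None, "UseCount": 0,
     "User": {"Username": "bob@example.com"}},
]

APPROVED_APPS = {"Slack", "Salesloft Drift", "Legacy BI Export"}  # assumed allowlist
COMPROMISED_APPS = {"Salesloft Drift"}  # vendor reported a breach: revoke unconditionally
STALE_AFTER = timedelta(days=90)  # assumed policy for unused tokens


def parse_sf_datetime(value: str) -> datetime:
    """Parse the ISO-8601 form Salesforce returns, e.g. 2025-08-09T03:12:44.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(tokens, now=NOW):
    """Return one decision per token: revoke or keep, with the reasons."""
    decisions = []
    for tok in tokens:
        reasons = []
        app = tok["AppName"]
        if app in COMPROMISED_APPS:
            reasons.append("app compromised upstream")
        if app not in APPROVED_APPS:
            reasons.append("app not on allowlist")
        last_used = tok.get("LastUsedDate")
        if last_used is None:
            reasons.append("never used")
        elif now - parse_sf_datetime(last_used) > STALE_AFTER:
            reasons.append(f"unused for more than {STALE_AFTER.days} days")
        decisions.append({
            "Id": tok["Id"],
            "AppName": app,
            "User": tok["User"]["Username"],
            "revoke": bool(reasons),
            "reasons": reasons,
        })
    return decisions


def tokens_to_revoke(tokens, now=NOW):
    """Just the token Ids that fail the policy, in query order."""
    return [d["Id"] for d in audit_tokens(tokens, now) if d["revoke"]]


if __name__ == "__main__":
    for d in audit_tokens(SAMPLE_TOKENS):
        verdict = "REVOKE" if d["revoke"] else "keep"
        print(f"{d['Id']} {d['AppName']!r} ({d['User']}): {verdict} {', '.join(d['reasons'])}")
```

The resulting Ids are then revoked on the Connected Apps OAuth Usage page in Setup; pairing this with the vendor-compromise list is what turns a vendor's breach notice into a same-day token revocation rather than a quarterly review item.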
