
ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks


The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.

For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.

These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves "Scattered Lapsus$ Hunters." Google tracks this activity as UNC6040 and UNC6395.

In March, one of the threat actors breached Salesloft's GitHub repository, which contained the private source code for the company.

ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which turned up OAuth tokens for the Salesloft Drift and Drift Email platforms.
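The Salesloft breach illustrates why committed secrets are a supply-chain risk: once a repository is exposed, a secret scanner finds long-lived tokens in minutes. The script below is an added, defender-side example and is not code from this article, from TruffleHog, or from Salesloft. It scans a constructed in-memory "repository" for assignments whose key looks like a credential and whose value has high Shannon entropy, which is the same basic heuristic secret scanners apply, so the same check can run in CI or a pre-commit hook before a token ever lands in history. File names, token values and thresholds are all constructed for the example.

```python
import math
import re

# Constructed sample repository contents (not from any real code base).
# The "token" value is random-looking filler, not a real credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "OAUTH_ACCESS_TOKEN = 'zQ9vR3kLmX8pT2wY7nB4cF6hJ1sD5gA0eU3iO8yK'\n"
        "SESSION_SECRET = 'xxxxxxxxxxxxxxxxxxxx'\n"  # placeholder, low entropy
        "APP_NAME = 'drift-sync'\n"
    ),
    "README.md": "# Drift sync\nSet OAUTH_ACCESS_TOKEN in the environment, never in code.\n",
    "src/sync.py": "def sync(records):\n    return [r for r in records if r]\n",
}

# Key names that suggest a credential, followed by an assignment and a
# long value made of characters typical for tokens (base64/url-safe).
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?P<key>[a-z0-9_]*(?:token|secret|password|api_key)[a-z0-9_]*)\b"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9_\-\.=/+]{16,})['\"]?"
)


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high,
    placeholders such as 'xxxx...' score near zero."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, min_entropy=3.5):
    """Return a list of findings for one file. Values are redacted so the
    scanner's own output does not become a second copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group("value")
            ent = shannon_entropy(value)
            if ent < min_entropy:
                continue  # placeholders and constants are not worth a finding
            findings.append({
                "path": path,
                "line": lineno,
                "key": m.group("key"),
                "entropy": round(ent, 2),
                "redacted": value[:4] + "..." + value[-2:],
            })
    return findings


def scan_files(files, min_entropy=3.5):
    """Scan a mapping of path -> contents and return all findings."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path], min_entropy))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['key']}  "
              f"entropy={f['entropy']}  value={f['redacted']}")
```

Only the `OAUTH_ACCESS_TOKEN` line is reported: the README mentions the key name without a value, and the `SESSION_SECRET` placeholder fails the entropy threshold. In a real pipeline the same function would be fed the working tree plus the full git history, since a token removed in a later commit is still present in the repository an attacker clones.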

Salesloft Drift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM. Drift Email is used to manage email replies and organize CRM and marketing automation databases.

ShinyHunters told BleepingComputer that the threat actors used these stolen Drift OAuth tokens to steal approximately 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Of these records, approximately 250 million came from the Account table, 579 million from Contact, 171 million from Opportunity, 60 million from User, and about 459 million from Case.

The Case table was used to store information and text from support tickets submitted by customers of these companies, which, for tech companies, could include sensitive data.

As proof that they were behind the attack, the threat actor shared a text file listing the source code folders in the breached Salesloft GitHub repository.
