Lawrence Abrams reports:
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves “Scattered Lapsus$ Hunters.” Google tracks this activity as UNC6040 and UNC6395.
In March, one of the threat actors breached Salesloft’s GitHub repository, which contained the private source code for the company.
ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms.
Read more of Abrams’ great reporting on Bleeping Computer.