Hackers assert possession of 1.5 billion Salesforce records allegedly accessed from Salesloft
In a series of coordinated attacks, the hacker group tracked as UNC6395 has allegedly stolen over 1.5 billion records from Salesforce instances via Salesloft Drift, an AI chatbot platform that integrates with Salesforce. The attacks, which impacted dozens of organizations globally, were carried out between August 8 and 18, 2025.
The hackers used compromised OAuth tokens issued to the Salesloft Drift integration to systematically access and steal data from hundreds of Salesforce instances. They executed queries to retrieve information from Salesforce objects such as Cases, Accounts, Users, and Opportunities, pulling records from the object tables in which customer information was stored. Among them was the 'Case' table, which holds the text and details of customer support tickets.
The veracity of these claims has been questioned by cybersecurity experts. However, reports suggest that the hackers behind these attacks say they've hit upwards of 750 companies so far. Major tech firms like Google, Palo Alto Networks, Zscaler, and Cloudflare have confirmed incidents linked to the hacking campaign.
Months before the campaign, the hackers gained access to Salesloft's GitHub repository, which contained critical source code belonging to the company. BleepingComputer shared a text file listing the source code folders in the breached Salesloft GitHub repository.
In response to these attacks, the FBI released a FLASH advisory urging organizations to shore up defenses and remain vigilant amidst continued targeting by hackers. The advisory detailed best practices and tips for organizations potentially at risk, including a comprehensive list of IP addresses linked to those behind the attacks.
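The two passages above describe the defender's problem in this campaign: a trusted integration's OAuth token issuing bulk queries against sensitive Salesforce objects, and an advisory list of attacker IP addresses to match against. The following is an added example (not code from the article, Salesforce, Salesloft, or the FBI) of a small hunt over API query event records. The record layout, the connected-app name "Drift Connector", the user names and the IP ranges are all constructed or placeholder values; the real advisory IP list is not reproduced here.

```python
"""Hunt for bulk data pulls by an integration's connected app in Salesforce-style
API query event records.

Added example, not from the article or from any vendor tooling. The event layout,
the app name, the accounts and the IP ranges are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Objects the article names as targeted in the campaign; treat them as sensitive.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Placeholder for the IP list in the FBI FLASH advisory (not reproduced here);
# 203.0.113.0/24 is an RFC 5737 documentation range, used purely as a stand-in.
ADVISORY_IP_RANGES = [ip_network("203.0.113.0/24")]

# Constructed event records in an assumed layout: one API query per entry.
EVENTS = [
    {"ts": "2025-08-09T02:14:00Z", "app": "Drift Connector", "user": "integration@example.com",
     "object": "Case", "rows": 480000, "ip": "203.0.113.7"},
    {"ts": "2025-08-09T02:16:00Z", "app": "Drift Connector", "user": "integration@example.com",
     "object": "Account", "rows": 120000, "ip": "203.0.113.7"},
    {"ts": "2025-08-09T02:20:00Z", "app": "Drift Connector", "user": "integration@example.com",
     "object": "User", "rows": 900, "ip": "203.0.113.7"},
    {"ts": "2025-08-09T09:00:00Z", "app": "Drift Connector", "user": "integration@example.com",
     "object": "Contact", "rows": 40, "ip": "198.51.100.5"},
    {"ts": "2025-08-09T09:05:00Z", "app": "Sales Dashboard", "user": "alice@example.com",
     "object": "Opportunity", "rows": 200, "ip": "198.51.100.9"},
]


def hunt(events, row_threshold=10000, window_minutes=60, object_threshold=3):
    """Return a list of alert dicts produced by three rules:
    1. bulk_export: a single query on a sensitive object returns more than row_threshold rows;
    2. object_sweep: one (app, user) pair touches at least object_threshold distinct
       sensitive objects within window_minutes (the pattern of walking Cases, Accounts,
       Users and Opportunities in quick succession);
    3. advisory_ip: the query came from an address in the advisory list.
    """
    alerts = []
    windows = defaultdict(list)  # (app, user) -> [(timestamp, object)]
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["object"] in SENSITIVE_OBJECTS and ev["rows"] > row_threshold:
            alerts.append({"rule": "bulk_export", "app": ev["app"],
                           "object": ev["object"], "rows": ev["rows"]})
        if any(ip_address(ev["ip"]) in net for net in ADVISORY_IP_RANGES):
            alerts.append({"rule": "advisory_ip", "app": ev["app"], "ip": ev["ip"]})
        if ev["object"] in SENSITIVE_OBJECTS:
            windows[(ev["app"], ev["user"])].append((ts, ev["object"]))

    # Sliding window per (app, user): alert once on the first window that sweeps enough objects.
    for (app, user), hits in windows.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {obj for t, obj in hits[i:]
                    if (t - start).total_seconds() <= window_minutes * 60}
            if len(seen) >= object_threshold:
                alerts.append({"rule": "object_sweep", "app": app, "user": user,
                               "objects": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

Run against the constructed events, the hunt raises two bulk_export alerts (the Case and Account pulls), one object_sweep alert for the integration user that walked Case, Account and User within six minutes, and three advisory_ip hits. In a real org the records would come from the platform's API event log, the thresholds would be tuned to the integration's normal volume, and a positive result would be followed by revoking that connected app's tokens and reviewing what the exposed Case text contained.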
Interestingly, responsibility for the attacks has been claimed by threat actors from the ShinyHunters, Lapsus$, and Scattered Spider groups, now referring to themselves as Scattered Lapsus$ Hunters. Last week, Scattered Lapsus$ Hunters announced, in a series of messages posted on its Telegram channel, that it plans to shut down.
Jamie Akhtar, CEO and Co-founder of CyberSmart, stated that attacks aren't just about zero-days and malware, but also about exploiting trust and integrations. The hackers used social engineering techniques and stolen OAuth tokens to access Salesforce instances, highlighting the importance of secure integration practices.
Hackers involved in the campaign have been taking action to avoid scrutiny from law enforcement. Google's Threat Intelligence Group (GTIG) has published an analysis of the threat campaign that aligns with the claims made by ShinyHunters, shedding light on the sophisticated tactics used by these cybercriminals.