ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks

What’s new

The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens. The group has been targeting Salesforce customers for data theft over the past year, using social engineering and malicious OAuth applications. The stolen data includes sensitive information from various Salesforce object tables, with significant numbers of records from the Account, Contact, Case, Opportunity, and User tables. The group has also shared proof of the breach, including a list of source code folders from a compromised Salesloft GitHub repository.

Who’s affected

Approximately 760 companies using Salesforce, including major organizations like Google, Cloudflare, and Zscaler, have been impacted by these data theft attacks.

What to do

  • Enable multi-factor authentication (MFA) for Salesforce accounts.
  • Enforce the principle of least privilege for user access.
  • Carefully manage connected applications and OAuth tokens.
  • Regularly review and monitor for unauthorized access or anomalies in Salesforce data.
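One way to act on the last two items, as an added example that is not from the original article: a Python check that aggregates rows read per connected app from the object tables named above and flags apps that are unapproved or reading in bulk. The CSV columns, app names, threshold and sample events are constructed assumptions, not a Salesforce log schema.

```python
import csv
import io
from collections import defaultdict

# Object tables the article names as the main sources of stolen records.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}

# Constructed sample export (hypothetical columns, not a Salesforce log schema).
SAMPLE_EVENTS = """\
timestamp,connected_app,user,object,rows_returned
2025-01-10T09:00:00Z,Approved CRM Sync,svc-sync,Account,1200
2025-01-10T09:05:00Z,Approved CRM Sync,svc-sync,Contact,900
2025-01-10T02:14:00Z,Chat Integration,svc-chat,Case,480000
2025-01-10T02:16:00Z,Chat Integration,svc-chat,Contact,350000
2025-01-10T02:20:00Z,Chat Integration,svc-chat,User,52000
2025-01-10T11:30:00Z,Unknown Loader,jdoe,Opportunity,300
2025-01-10T11:31:00Z,Approved CRM Sync,svc-sync,CustomLog__c,900000
"""

def flag_connected_apps(csv_text, approved_apps, row_threshold=100_000):
    """Return {app: [reasons]} for apps whose reads of sensitive objects look wrong."""
    rows_by_app = defaultdict(lambda: defaultdict(int))
    for event in csv.DictReader(io.StringIO(csv_text)):
        if event["object"] in SENSITIVE_OBJECTS:
            rows_by_app[event["connected_app"]][event["object"]] += int(event["rows_returned"])

    findings = {}
    for app, per_object in rows_by_app.items():
        reasons = []
        # An app nobody approved should not hold a token at all.
        if app not in approved_apps:
            reasons.append("not on approved connected-app list")
        # An approved app can still be abused through a stolen token,
        # so volume is checked regardless of approval status.
        total = sum(per_object.values())
        if total >= row_threshold:
            reasons.append(f"bulk read: {total} rows across {sorted(per_object)}")
        if reasons:
            findings[app] = reasons
    return findings

if __name__ == "__main__":
    approved = {"Approved CRM Sync", "Chat Integration"}  # hypothetical allowlist
    for app, reasons in flag_connected_apps(SAMPLE_EVENTS, approved).items():
        print(app, "->", "; ".join(reasons))
```

The approved integration is flagged on volume alone, which is the case that matters when a legitimate app's OAuth token has been compromised.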
