CyberHappenings

Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

5 unique sources, 19 articles

Summary


Salesforce is warning customers of an **escalating mass-scanning campaign** targeting misconfigured Experience Cloud instances, now linked to **ShinyHunters (UNC6240)**, which claims to have breached *hundreds of companies*, including 100 high-profile organizations, by exploiting overly permissive guest user permissions. The attackers use a **modified AuraInspector tool** to pull data through the /s/sfsites/aura endpoint, querying CRM objects in the context of the unauthenticated guest user rather than defeating any authentication control. Salesforce stresses that this stems from **customer misconfigurations**, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting the org-wide default for external access to *Private*, disabling API access for guest profiles, and reviewing Aura Event Monitoring logs for anomalies. This follows the **August 2025 Salesloft Drift OAuth breach**, in which UNC6395/GRUB1 used stolen Drift OAuth tokens to read Salesforce customer data at over 700 organizations (among them Zscaler, Palo Alto Networks and Cloudflare). Earlier waves relied on stolen OAuth tokens; the latest campaign marks a **shift to exploiting misconfigured guest access**, though ShinyHunters is implicated in both. Salesforce and its partners have revoked the compromised tokens and disabled the affected integrations, but the Aura/Experience Cloud attacks show that improperly secured public-facing portals remain a persistent risk. The harvested data (e.g., names, phone numbers) is repurposed for **follow-on vishing and social engineering**, in line with broader identity-based targeting trends.

Timeline

  1. 09.03.2026 19:12 3 articles · 1d ago

    ShinyHunters exploits Salesforce Aura/Experience Cloud misconfigurations for data theft

    Salesforce has observed a **surge in mass-scanning activity** targeting misconfigured Experience Cloud instances, with **ShinyHunters (UNC6240)** claiming responsibility for breaching *hundreds of companies*—including 100 high-profile organizations—via a **modified AuraInspector tool**. The tool now **extracts data directly** (not just identifies vulnerabilities) by exploiting overly permissive guest user permissions, enabling unauthenticated queries against CRM objects via the /s/sfsites/aura API endpoint. ShinyHunters published screenshots from its leak site on X (formerly Twitter) to substantiate its claims. Salesforce confirms the campaign succeeds when guest user profiles are configured to allow **public access to unintended objects/fields** and urges immediate mitigation: auditing guest permissions to enforce least privilege, setting Default External Access to *Private*, disabling public API access for guests, and unchecking *Portal User Visibility* and *Site User Visibility* to prevent internal user enumeration. Customers are also advised to **disable self-registration** if unauthenticated account creation is unnecessary and to review Aura Event Monitoring logs for unusual access patterns (e.g., unfamiliar IPs or queries against non-public objects). The harvested data (e.g., names, phone numbers) is repurposed for **follow-on social engineering and vishing campaigns**, reflecting a broader trend of identity-based targeting. Salesforce attributes the activity to a known threat actor—likely ShinyHunters—based on their history of targeting Salesforce environments via third-party applications and misconfigurations.

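As an added example (not code from Salesforce, from the page's sources, or from the AuraInspector tool), the following Python script performs the two checks the entry above asks for, offline: it audits a retrieved guest profile and object sharing metadata for the risky combination (guest Read on non-public objects, a non-Private external sharing model, API Enabled), and it triages a request log for guest traffic to /s/sfsites/aura that touches non-public objects or arrives in enumeration-like bursts. The Metadata API element names are real; the sample profile XML, the sharing map, the public-object allowlist and the log column layout are constructed assumptions.

```python
"""Offline audit of Experience Cloud guest-access settings and Aura request logs.
Added example, not code from Salesforce or from AuraInspector. The metadata
element names (objectPermissions, userPermissions, externalSharingModel) are
real Metadata API elements as retrieved with the sf CLI; the request-log column
layout is an assumption standing in for an Event Monitoring export."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: the Experience Cloud guest user's profile as Metadata API
# XML. Read on Contact plus ApiEnabled is the combination the campaign abuses.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Contact</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Knowledge__kav</object>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>"""

# Constructed sample: <externalSharingModel> per object, from CustomObject
# metadata. Anything other than Private lets guests see records they do not own.
OBJECT_SHARING = {"Contact": "Read", "Knowledge__kav": "Read"}

# Objects the site deliberately exposes to unauthenticated visitors (assumed).
PUBLIC_OBJECTS = {"Knowledge__kav"}


def audit_guest_profile(profile_xml, sharing, public_objects):
    """Return findings as strings; each names the setting to change."""
    root = ET.fromstring(profile_xml)
    findings = []
    for perm in root.findall("m:objectPermissions", NS):
        obj = perm.findtext("m:object", namespaces=NS)
        readable = perm.findtext("m:allowRead", namespaces=NS) == "true"
        if readable and obj not in public_objects:
            findings.append(f"guest profile grants Read on {obj}; remove or justify")
            if sharing.get(obj, "Private") != "Private":
                findings.append(f"{obj}: externalSharingModel is {sharing[obj]}; set to Private")
        if perm.findtext("m:viewAllRecords", namespaces=NS) == "true":
            findings.append(f"guest profile has View All Records on {obj}; remove")
    for up in root.findall("m:userPermissions", NS):
        name = up.findtext("m:name", namespaces=NS)
        if name == "ApiEnabled" and up.findtext("m:enabled", namespaces=NS) == "true":
            findings.append("guest profile has API Enabled; disable it")
    return findings


# Constructed request log (assumed columns). The burst from 203.0.113.7 walks
# non-public objects, including User, which is what the Portal User Visibility
# and Site User Visibility settings control.
AURA_LOG = """timestamp,user_type,client_ip,uri,entity
2026-03-08T10:00:01Z,Guest,198.51.100.20,/s/sfsites/aura,Knowledge__kav
2026-03-08T10:00:05Z,Standard,192.0.2.10,/s/sfsites/aura,Contact
2026-03-08T10:00:06Z,Guest,203.0.113.7,/s/sfsites/aura,Contact
2026-03-08T10:00:06Z,Guest,203.0.113.7,/s/sfsites/aura,Account
2026-03-08T10:00:07Z,Guest,203.0.113.7,/s/sfsites/aura,Lead
2026-03-08T10:00:07Z,Guest,203.0.113.7,/s/sfsites/aura,User
"""


def triage_aura_log(log_text, public_objects, burst_threshold=50):
    """Flag guest Aura requests that touch non-public objects, and client IPs
    whose guest Aura request count reaches burst_threshold (enumeration)."""
    hits = []
    per_ip = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user_type"] != "Guest" or not row["uri"].startswith("/s/sfsites/aura"):
            continue  # authenticated users and other endpoints are out of scope here
        per_ip[row["client_ip"]] += 1
        if row["entity"] not in public_objects:
            hits.append((row["client_ip"], row["entity"]))
    noisy = [ip for ip, n in per_ip.items() if n >= burst_threshold]
    return hits, noisy


if __name__ == "__main__":
    for finding in audit_guest_profile(GUEST_PROFILE_XML, OBJECT_SHARING, PUBLIC_OBJECTS):
        print("CONFIG:", finding)
    hits, noisy = triage_aura_log(AURA_LOG, PUBLIC_OBJECTS, burst_threshold=4)
    for ip, entity in hits:
        print(f"LOG: guest read of non-public object {entity} from {ip}")
    for ip in noisy:
        print(f"LOG: enumeration-like guest burst from {ip}")
```

To run it against a real org, retrieve the guest profile and the objects it references with the sf CLI (for example `sf project retrieve start -m Profile:<guest profile name>`) and substitute that XML for the constructed sample; the burst threshold is a placeholder to be tuned against the site's normal guest traffic, and the allowlist of public objects should be taken from the site's design, not from whatever the guest profile currently grants.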
  2. 15.09.2025 00:56 2 articles · 5mo ago

    FBI issues FLASH alert on UNC6040 and UNC6395 Salesforce data theft campaigns

    The FBI's FLASH advisory adds technical detail on both campaigns, particularly UNC6040's activity, which began in the fall of 2024. UNC6040 relies on social engineering, primarily vishing, to reach organizations' Salesforce accounts: its operators pose as IT support staff, call the target's call center claiming to be addressing "enterprise-wide connectivity issues," and talk customer-support employees into actions that grant the attackers access or disclose employee credentials, after which they exfiltrate customer data from the company's Salesforce instance. In some cases the employee is steered to a phishing page that yields the initial access, and the attackers then harvest data through API calls; in others the caller simply asks for login or MFA credentials. A recurring technique is to persuade the victim to authorize a malicious connected app, often a modified version of Salesforce's Data Loader, against the organization's Salesforce portal. Once approved, the app carries its own OAuth authorization, so the attackers can pull large volumes of sensitive data without ever presenting the victim's credentials or MFA themselves. These apps are created from Salesforce trial accounts, which do not require a legitimate corporate account to register them. Some UNC6040 victims later received extortion emails purporting to come from ShinyHunters, demanding cryptocurrency payment to prevent publication of the stolen data. On the UNC6395 side, the advisory notes that on August 20 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens for the Drift application, terminating the actors' access to victims' Salesforce platforms through the previously connected Salesloft app. Salesforce has since re-enabled its integrations with Salesloft technologies, with the exception of any Drift app, which remains disabled until further notice.

    The compromise was not limited to the Salesforce integration with Salesloft Drift; other Drift integrations were affected as well. Neither campaign involved a vulnerability in the Salesforce platform. The FBI recommends training call-center employees to recognize and report phishing attempts, requiring phishing-resistant MFA, implementing "authentication, authorization, and accounting (AAA) systems to limit actions users can perform," enforcing IP-based access restrictions, monitoring network logs and browser activity for signs of compromise, and reviewing all third-party connections to software instances. The advisory includes indicators of compromise, including IP addresses and URLs associated with both campaigns.

  3. 08.09.2025 18:26 3 articles · 6mo ago

    Salesloft identifies GitHub account compromise as breach origin

    Salesloft's investigation traced the initial breach to the compromise of its GitHub account in March 2025; the attackers used that access to download content from multiple repositories and add a guest user, and it ultimately led to the theft of Drift OAuth tokens. The compromise allowed threat actors to access customer data across various integrations, including Salesforce and Google Workspace. Reporting also confirms the involvement of the ShinyHunters extortion gang and of threat actors claiming to be Scattered Spider.

  4. 03.09.2025 19:40 3 articles · 6mo ago

    Workiva confirms data breach due to Salesloft Drift OAuth compromise

    Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach via Salesloft Drift OAuth tokens. The breach impacted over 700 organizations, including Workiva, and exposed customer information. Workiva's customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, and Mercedes-Benz. The threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content. Workiva stated that its platform and any data within it were not accessed or compromised, and that the breach was limited to the third-party CRM system.

  5. 03.09.2025 06:53 3 articles · 6mo ago

    Salesloft engages cybersecurity partners for incident response

    Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key.

  6. 02.09.2025 22:54 3 articles · 6mo ago

    Cloudflare confirms data breach due to Salesloft Drift OAuth compromise

    Cloudflare was impacted by the Salesloft Drift supply-chain attack: attackers accessed the Salesforce instance Cloudflare uses for customer case management and support and stole text-based data from Salesforce case objects, including customer support tickets and associated data, between August 12 and August 17. That case text contained 104 Cloudflare API tokens, which Cloudflare has rotated. Cloudflare suspects the threat actor intended to harvest credentials and customer information for future attacks.

  7. 02.09.2025 15:00 4 articles · 6mo ago

    Palo Alto Networks confirms data breach due to Salesloft Drift OAuth compromise

    The Palo Alto Networks incident was limited to its Salesforce CRM and did not affect any of its products, systems, or services. The threat actor searched for secrets, including AWS access keys, VPN and SSO login strings, Snowflake tokens, and generic keywords such as "secret," "password," or "key."

  8. 01.09.2025 20:00 4 articles · 6mo ago

    Zscaler reports data breach due to compromised Salesloft Drift credentials

    The customer information stolen from Zscaler's Salesforce instance includes names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.

  9. 29.08.2025 10:24 5 articles · 6mo ago

    Google Workspace email accounts accessed via stolen OAuth tokens

    Google's Threat Intelligence Group confirmed that the compromise of Drift OAuth tokens also reached the Drift Email integration with Google Workspace: stolen tokens were used to access email from a very small number of Workspace accounts that had been configured to integrate with Drift, and Google revoked the affected tokens. Across the campaign, the threat actors focused primarily on stealing support cases from Salesforce instances, which they then mined for credentials, authentication tokens, and other secrets that customers had pasted into support tickets.

  10. 27.08.2025 12:39 16 articles · 6mo ago

    Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

    The breach has expanded to include Stellantis, a multinational automotive corporation, which confirmed that attackers stole customer contact information from its North American customers. The breach occurred via a third-party service provider's platform supporting Stellantis' customer service operations. ShinyHunters claimed responsibility for the Stellantis data breach and stated they stole over 18 million Salesforce records. The extortion group has targeted numerous high-profile companies, including Google, Cisco, Qantas, Adidas, and others. ShinyHunters used stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to steal sensitive information.



Similar Happenings

Optimizely Data Breach After Vishing Attack

Optimizely, an ad tech firm with over 10,000 clients, confirmed a data breach following a voice phishing (vishing) attack. The breach, which occurred on February 11, compromised basic business contact information stored in internal systems and CRM records. The attackers did not escalate privileges or install backdoors, but the company warned customers about potential follow-up phishing attacks. The incident is linked to the ShinyHunters extortion operation, known for targeting SSO accounts at Microsoft, Okta, and Google.

Figure Fintech Breach Exposes 967,200 Accounts via Social Engineering

Figure Technology Solutions, a blockchain-based fintech firm, suffered a data breach affecting nearly 1 million accounts. Hackers stole personal and contact information through a social engineering attack. The breach was attributed to the ShinyHunters extortion group, which leaked 2.5GB of data from loan applicants. The attackers impersonated IT support to trick employees into providing access to SSO accounts, gaining entry to various enterprise applications.

Target's internal source code allegedly stolen and offered for sale

Hackers claim to have stolen and are selling internal source code from Target Corporation. They published sample repositories on Gitea and advertised a larger dataset for sale on an underground forum. Target's developer Git server, git.target.com, became inaccessible after the claims were made public. Multiple current and former Target employees have confirmed the authenticity of the leaked source code and documentation. Internal communications announced an 'accelerated' security change restricting access to Target's Enterprise Git server. The leaked data includes references to real internal systems and proprietary project codenames, raising concerns about the scope and sensitivity of the stolen data. Security researcher Alon Gal identified a Target employee workstation compromised by infostealer malware in late September 2025 with extensive access to internal services, potentially linked to the data leak.

Misconfigured Email Routing Exploited for Internal Domain Phishing

Threat actors are exploiting misconfigured email routing and spoof protections to impersonate organizations' domains and distribute phishing emails that appear to originate internally. This tactic has surged since May 2025, targeting various industries with phishing-as-a-service (PhaaS) platforms like Tycoon2FA. Successful attacks can lead to credential theft and business email compromise (BEC). The issue arises when complex routing scenarios are configured without strict spoof protections, allowing spoofed emails to bypass security measures. Microsoft blocked over 13 million malicious emails linked to the Tycoon2FA kit in October 2025. Organizations are advised to enforce strict DMARC and SPF policies, properly configure third-party connectors, and ensure MX records point directly to Office 365 to mitigate this risk.

AWS Crypto Mining Campaign Exploits Compromised IAM Credentials

A campaign targeting AWS customers uses compromised IAM credentials to deploy cryptocurrency mining operations. The attackers employ sophisticated persistence techniques, including disabling instance termination, to evade detection and maximize resource consumption. The activity was first detected on November 2, 2025, and involves the creation of multiple ECS clusters and Lambda functions to facilitate mining operations. The attackers leverage the 'DryRun' flag to validate permissions without incurring costs, and use the 'ModifyInstanceAttribute' action to prevent instance termination. The campaign also involves the creation of autoscaling groups to exploit EC2 service quotas and maximize resource consumption. The campaign started cryptomining within 10 minutes of initial access, using a Docker Hub image that had over 100,000 pulls. Each task was configured with 16,384 CPU units and 32GB of memory, with a desired count of 10 for ECS Fargate tasks. The attacker created two launch templates with startup scripts that automatically initiated cryptomining, and configured 14 auto-scaling groups to deploy at least 20 instances each, with a maximum capacity of up to 999 machines.