Over the past year, the threat actors known as “Scattered Lapsus$ Hunters” — which includes members of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups — have been targeting Salesforce customers. Using social engineering and malicious OAuth applications, they have breached Salesforce instances and downloaded data, then used the stolen data to extort companies, demanding a ransom to prevent it from being publicly leaked. Google tracks the groups’ activity as UNC6040 and UNC6395.
In a recent attack, a threat actor breached Salesloft’s GitHub repository, which contained the company’s private source code. The attackers used the TruffleHog security tool to scan the code, leading to the discovery of OAuth tokens for the Salesloft Drift and Drift Email platforms. These platforms are third-party applications that connect Salesforce instances with Drift’s AI chat agent and manage email replies. With these stolen tokens, the attackers were able to access and steal vast amounts of data from Salesforce.
The threat actors claim to have stolen roughly 1.5 billion data records from 760 companies. This data included records from several Salesforce object tables, including Account, Contact, Case, Opportunity, and User. The Case table, in particular, was found to contain sensitive information from customer support tickets, which could include credentials and other private details. Google Threat Intelligence (Mandiant) reported that the attackers specifically analyzed this stolen data to find hidden secrets, such as Amazon Web Services (AWS) access keys, passwords, and other access tokens, which they could use to launch additional attacks.
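The secrets-in-support-tickets problem described above, as an added example that is not from the article or from any vendor it mentions: a small Python scanner a defender could run over an export of Case records to find and redact credentials before they sit in a table that connected third-party apps can read. The sample records are constructed, the field names Subject/Description are hypothetical, and the patterns (AWS key prefixes, a generic password rule, a bearer-token rule) are assumptions rather than any particular tool's rule set.

```python
import re

# Constructed sample Case records (not real data): free-text support tickets of
# the kind the article says ended up in the stolen Salesforce Case table.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Description": "Upload fails. Our key is AKIAIOSFODNN7EXAMPLE "
                                              "and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001002", "Description": "Cannot log in. password: Summer2025! for admin@example.com"},
    {"CaseNumber": "00001003", "Description": "Widget renders blank on the pricing page."},
    {"CaseNumber": "00001004", "Description": "API returns 401 with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123"},
]

# Assumed detection rules for the secret types the article lists.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A bare 40-char base64-ish run is noisy; it is only kept when a key id is nearby (see below).
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
}


def scan_record(record: dict, text_fields=("Subject", "Description")) -> list:
    """Return (rule, matched_text) pairs for secrets found in a record's free-text fields."""
    text = " ".join(str(record.get(f, "")) for f in text_fields)
    findings = [(rule, m.group(0)) for rule, pat in PATTERNS.items() for m in pat.finditer(text)]
    # Contextual filter: report an AWS secret only if an access key id is in the same record.
    if not any(rule == "aws_access_key_id" for rule, _ in findings):
        findings = [f for f in findings if f[0] != "aws_secret_access_key"]
    return findings


def scan_cases(records: list) -> dict:
    """Map CaseNumber -> findings for every record that contains at least one secret."""
    return {rec["CaseNumber"]: hits for rec in records if (hits := scan_record(rec))}


def redact(text: str) -> str:
    """Replace every match with a labelled marker so the ticket can be kept without the secret."""
    for rule, pat in PATTERNS.items():
        text = pat.sub(f"<REDACTED:{rule}>", text)
    return text


if __name__ == "__main__":
    for case_number, hits in scan_cases(SAMPLE_CASES).items():
        print(case_number, [rule for rule, _ in hits])
```

Run against a full Case export, the same loop gives a list of tickets to clean up and a redacted copy that can be kept without the secret.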
The stolen Drift and Drift Email tokens were used in large-scale data theft campaigns that affected major companies such as Google, Cloudflare, Zscaler, and Palo Alto Networks. Due to the high volume and severity of these attacks, the FBI recently issued a warning about the UNC6040 and UNC6395 threat actors. Although the groups recently claimed on Telegram that they would “go dark” and stop their operations, researchers from ReliaQuest believe they are still active, as they have been seen targeting financial institutions since July 2025.
In addition to the Salesforce attacks, the threat actors also claimed to have breached Google’s Law Enforcement Request System (LERS) and the FBI’s eCheck platform. While Google confirmed that a fraudulent account was created in its LERS system, it stated that the account was disabled and no data was accessed. To protect against these types of data theft attacks, Salesforce recommends that customers enable multi-factor authentication (MFA), enforce the principle of least privilege, and carefully manage all connected applications.