ShinyHunters Counts 1.5 Billion Stolen Salesforce Records

Group Reportedly Scanned Salesloft's Source Code on GitHub, Recovered OAuth Tokens Mathew J. Schwartz (euroinfosec) • September 18, 2025

The extortionists behind data-grabbing attacks on Salesloft Drift users claim to have stolen 1.5 billion Salesforce records from 760 companies.

See Also: Why Cyberattackers Love 'Living Off the Land'

Hackers using the moniker ShinyHunters claimed responsibility. The group, which joined forces with the loose cybercriminal collectives Spider and Lapsus$, now collectively call themselves Scattered Lapsus$ Hunters. They continue to specialize in data theft and extortion, sometimes also unleashing ransomware inside an organization's environment.

The FBI published Friday an advisory warning that the attackers steal OAuth tokens used to integrate the Salesloft Drift artificial intelligence chatbot with Salesforce instances. Google's threat intelligence group previously reported that the attacks started as early as Aug. 8 and ran until Aug. 18, and that approximately 700 Salesloft customers fell ...