Full Report
Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. In
Analysis Summary
# Incident Report: ShinyHunters-Linked Salesforce OAuth Abuse Campaign
## Executive Summary
A year-long campaign linked to the ShinyHunters-affiliated groups (UNC6040, UNC6240, UNC6395) targeted corporate Salesforce environments by exploiting trusted OAuth connections and misconfigurations rather than platform vulnerabilities. The campaign resulted in large-scale data extortion across hundreds of organizations by abusing legitimate integration paths, making detection difficult via standard authentication logs.
## Incident Details
- **Discovery Date:** July 13, 2026 (Microsoft Research Publication)
- **Incident Date:** Mid-2025 to Mid-2026
- **Affected Organizations:** Google, Chanel, Pandora, Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, Tanium (via Drift), and others.
- **Sector:** Retail, Education, Manufacturing, and Technology/Cybersecurity.
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Starting mid-2025.
- **Vector:** Three distinct paths: Vishing, Stolen Vendor Tokens, and Guest Access Misconfiguration.
- **Details:** Attackers used voice phishing to trick users into authorizing rogue apps, or stole existing OAuth tokens from third-party vendors (like Salesloft/Drift).
### Lateral Movement
- Attackers used authorized API access to pivot from Salesforce into other SaaS environments or searched Salesforce records for credentials (AWS keys, Snowflake tokens) to move deeper into the victim's cloud infrastructure.
### Data Exfiltration/Impact
- **Details:** Exfiltration of CRM records, business contact data, and sensitive support cases. In the Drift incident alone, tokens for over 700 organizations were potentially compromised.
### Detection & Response
- **Discovery:** Microsoft and Google (Mandiant) identified patterns of OAuth abuse that bypassed traditional sign-in alerts.
- **Response Actions:** Salesforce and Microsoft collaborated to release new detection and governance tooling; affected vendors (like Salesloft) took services offline to rotate compromised secrets.
## Attack Methodology
- **Initial Access:** Vishing (social engineering) and Supply Chain compromise (stealing vendor tokens).
- **Persistence:** Maintaining access through persistent OAuth refresh tokens and authorized "Connected Apps."
- **Privilege Escalation:** Not applicable in the traditional sense; used legitimate high-level API permissions granted via OAuth consent.
- **Defense Evasion:** Abuse of trusted integrations; activity appeared as legitimate "ordinary use" in authentication logs.
- **Credential Access:** Harvesting AWS keys, Snowflake tokens, and passwords stored in Salesforce objects or support tickets.
- **Discovery:** Running SOQL (Salesforce Object Query Language) queries to enumerate data and hunt for secrets.
- **Lateral Movement:** Using harvested secrets to move from Salesforce to AWS, Snowflake, and other SaaS platforms.
- **Collection:** Automated API calls to export CRM data.
- **Exfiltration:** Standard API-based data transfer.
- **Impact:** Financial extortion through data theft.
## Impact Assessment
- **Financial:** Not specified, but involved high-stakes data extortion attempts.
- **Data Breach:** Millions of records across numerous global brands; exposure of high-value secrets (AWS/Snowflake keys).
- **Operational:** Temporary shutdown of third-party services (e.g., Drift) and required remediation across 700+ downstream customers.
- **Reputational:** Significant public disclosure involving major cybersecurity and luxury brands.
## Indicators of Compromise
- **Network:** Access requests originating from unrecognized IP ranges associated with automated API tools (e.g., `Data Loader` impersonation).
- **File:** N/A (Cloud-based attack).
- **Behavioral:**
- Unexpected OAuth authorizations for apps like "Data Loader."
- High-volume SOQL queries searching for keywords like "password," "key," or "secret."
- OAuth token usage from geographic locations inconsistent with vendor/user profiles.
## Response Actions
- **Containment:** Revoking compromised OAuth tokens and disabling malicious Connected Apps.
- **Eradication:** Rotation of all secrets (AWS, Snowflake, passwords) found within Salesforce environments.
- **Recovery:** Deployment of new Salesforce governance tooling to monitor API-level activity.
## Lessons Learned
- **Trust is a Vector:** Traditional identity checks at the "front door" (sign-in) are insufficient to stop post-authentication abuse of trusted apps.
- **Visibility Gap:** Standard logging often fails to capture granular API-level data manipulation within SaaS platforms.
- **Supply Chain Fragility:** A single vendor compromise (Drift/Salesloft) can expose hundreds of downstream customers through persistent OAuth tokens.
## Recommendations
- **OAuth Governance:** Implement strict "Allow Lists" for Connected Apps and regularly audit all OAuth permissions.
- **Employee Training:** Educate staff on "vishing" and ensure they never approve OAuth consent prompts during unsolicited support calls.
- **Secret Management:** Never store plaintext credentials, API keys, or cloud tokens within Salesforce records or support tickets.
- **Enhanced Monitoring:** Utilize specialized SaaS Security Posture Management (SSPM) tools to detect anomalous SOQL queries and data exports.