Google Salesforce Breach: ShinyHunters, OAuth Token Compromise, and Data Theft via Drift

Last month, Google issued an advisory, a little bit for your well-being, more for saving their own… face. They declared that their Salesforce instances got breached by a threat actor by the name of UNC6040, who is also known by the alias ShinyHunters.  Contact details of small and medium businesses were stolen, though Google insists no passwords were taken.

A few days later, the scope widened. Google warned that OAuth tokens tied to the Drift platform were also compromised, including the Drift Email integration. OAuth tokens allow apps to connect without passwords, so if stolen, attackers can access connected services until revoked.

In response, Google revoked all OAuth tokens granted to Drift Email and disabled the integration between Google Workspace and Salesloft Drift pending further investigation.

Attack Technique

The breach wasn’t just a simple data grab. Attackers used:

• A fake Okta Phishing Panel to steal credentials.
• Vishing (voice phishing) calls to trick users into giving MFA codes.
• Salesforce Data Loader abuse- Once authenticated, they linked actor-controlled apps through Salesforce’s “Connected Apps” functionality. Victims were told to enter a “connection code,” giving attackers full access to extract large volumes of data.

What’s Next for Victims

According to Google, ShinyHunters is likely to:

• Demand ransom payments in Bitcoin.
• Launch a data leak site (DLS) to pressure victims into compliance.

Links to Other Groups

ShinyHunters is no stranger to large-scale breaches. Past victims include PowerSchool, Oracle Cloud, the Snowflake data-theft campaign, AT&T, NitroPDF, Wattpad, and MathWay.

We are also noticing a partnership between Shinyhunters and Scattered Spider in recent years. Additionally, a new alias, Sp1d3rHunters, has been surfacing.

We have to start wondering whether this new partnership will also play a role in the doomsday for Google users in the coming days. Additionally, Google has discovered links to the infamous “The Com” group.

Whether these alliances will escalate into broader attacks against Google’s user base remains to be seen, but defenders should be prepared.

Recommendation

Google also issued a Mitigation list:

• Adhere to the Principle of Least Privilege, Especially for Data Access Tools
• Manage Access to Connected Applications Rigorously
• Enforce IP-Based Access Restrictions
• Leverage Advanced Security Monitoring and Policy Enforcement
• Revoke and Rotate Credentials
• Harden Access Controls
• Investigate for Compromise and Scan for Exposed Secrets
  

Speaking of being prepared, I’d recommend getting PureAUTH and avoiding the whole phishing, vishing, social engineering fiasco altogether, but you do you. Keep entering those passwords and MFA, only to get scammed and phished. Your choice :)