Google Salesforce Breach: ShinyHunters, OAuth Token Compromise, and Data Theft via Drift

Last month, Google issued an advisory, partly for your benefit and mostly to save its own face. It disclosed that one of its corporate Salesforce instances had been breached by the threat actor it tracks as UNC6040, a group linked to the alias ShinyHunters. Business contact details of small and medium-sized customers were stolen; Google maintains that no passwords were taken.

A few days later, the scope widened. Google warned that OAuth tokens issued to the Salesloft Drift platform had also been compromised, and that the theft extended beyond Salesforce to the Drift Email integration. Google tracks that token-theft campaign separately, as UNC6395. OAuth tokens let an application act on a user's behalf without a password and without an MFA prompt, so a stolen token gives an attacker access to every connected service until it expires or is revoked; resetting the user's password does not necessarily invalidate it.

In response, Google revoked all OAuth tokens granted to Drift Email and disabled the integration between Google Workspace and Salesloft Drift pending further investigation.


Attack Technique

The breach wasn't a simple data grab. The attackers used:

  • A fake Okta-themed phishing panel to harvest credentials.
  • Vishing (voice phishing) calls to talk users through "verification" and capture their MFA codes.
  • Salesforce Data Loader abuse: during the call, the victim was walked to Salesforce's Connected Apps setup page and told to enter a "connection code". That code authorized a modified, actor-controlled version of the Data Loader app, and the resulting OAuth grant let the attackers run bulk queries and export large volumes of data without ever touching a password again.
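The pattern above (a user authorizes an unreviewed Connected App and, within the hour, that app bulk-exports data, usually from a network your staff do not use) is detectable from Salesforce event logs. The following is an added example written for this page, not Google's or Salesforce's tooling. The record format is a constructed, simplified schema (timestamp | user | kind | app | client IP | row count) modelled loosely on Salesforce Event Monitoring connected-app and bulk-API events; the app names, IP ranges and thresholds are assumptions.

```python
"""Flag Connected App authorizations that are followed by mass exports.

Added example. Record format, app names, network ranges and thresholds are
constructed assumptions, not Salesforce's real log schema.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Connected Apps that have been through review. Anything else is "unreviewed".
APPROVED_APPS = {"Salesforce CLI", "Dataloader Partner"}
# Corporate egress ranges (constructed, documentation-range addresses).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Look this far after an authorization for exports by the same user and app.
WINDOW = timedelta(hours=1)
# Total rows pulled in the window that we treat as a mass export.
ROW_THRESHOLD = 10_000


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "app_authorized" or "bulk_export"
    app: str
    client_ip: str
    rows: int = 0


def parse(line: str) -> Event:
    """Parse one 'ts | user | kind | app | ip | rows' record (constructed format)."""
    ts, user, kind, app, ip, rows = (f.strip() for f in line.split("|"))
    return Event(datetime.fromisoformat(ts), user, kind, app, ip, int(rows or 0))


def outside_corp(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)


def find_suspicious_grants(lines) -> list[dict]:
    """One finding per unreviewed app authorization that was followed, within
    WINDOW, by a mass export or by any export from outside the corporate network."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    for grant in (e for e in events if e.kind == "app_authorized"):
        if grant.app in APPROVED_APPS:
            continue
        exports = [e for e in events
                   if e.kind == "bulk_export"
                   and e.user == grant.user and e.app == grant.app
                   and grant.ts <= e.ts <= grant.ts + WINDOW]
        rows = sum(e.rows for e in exports)
        off_net = outside_corp(grant.client_ip) or any(outside_corp(e.client_ip) for e in exports)
        if rows >= ROW_THRESHOLD or (exports and off_net):
            findings.append({
                "user": grant.user,
                "app": grant.app,
                "authorized_at": grant.ts.isoformat(),
                "rows_exported": rows,
                "off_network": off_net,
                "ips": sorted({grant.client_ip, *(e.client_ip for e in exports)}),
            })
    return findings


# Constructed sample: alice is talked into authorizing a fake support tool
# during a vishing call; bob uses an approved CLI from the office; carol
# authorizes an unreviewed app but nothing is exported afterwards.
SAMPLE_LOG = """
2025-08-06T14:02:11 | alice@example.com | app_authorized | Support Sync Tool | 198.51.100.7 | 0
2025-08-06T14:09:40 | alice@example.com | bulk_export    | Support Sync Tool | 198.51.100.7 | 48213
2025-08-06T14:15:02 | alice@example.com | bulk_export    | Support Sync Tool | 198.51.100.7 | 51990
2025-08-06T09:30:00 | bob@example.com   | app_authorized | Salesforce CLI    | 203.0.113.20 | 0
2025-08-06T09:31:12 | bob@example.com   | bulk_export    | Salesforce CLI    | 203.0.113.20 | 1200
2025-08-06T11:05:45 | carol@example.com | app_authorized | Vendor Notes      | 203.0.113.55 | 0
"""

if __name__ == "__main__":
    for finding in find_suspicious_grants(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only alice's grant is reported: bob's app is on the allowlist, and carol's unreviewed app never exported anything. Tuning the window and row threshold to your own export baseline matters more than the exact field names; the point is to correlate the authorization event with what the app does next, rather than alerting on either alone.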

What’s Next for Victims

According to Google, ShinyHunters is likely to:

  • Demand ransom payments in Bitcoin.
  • Launch a data leak site (DLS) to pressure victims into compliance.

Links to Other Groups

ShinyHunters is no stranger to large-scale breaches. Past incidents attributed to or claimed by the group include PowerSchool, Oracle Cloud, the Snowflake data-theft campaign, AT&T, NitroPDF, Wattpad, and MathWay.

We are also seeing a recent alliance between ShinyHunters and Scattered Spider, with a combined alias, Sp1d3rHunters, surfacing. Google has additionally found links to the loose criminal community known as "The Com".

Whether these alliances escalate into broader attacks against Google's user base remains to be seen, but defenders should assume the same playbook will be reused against them and prepare accordingly.

Recommendations

Google also published a mitigation list. Each item carries a caveat worth spelling out:

  • Adhere to the principle of least privilege, especially for data access tools: most users have no business running Data Loader or any other bulk-export-capable Connected App.
  • Manage access to Connected Applications rigorously: restrict who may authorize new apps, allowlist the ones you have reviewed, and audit the list regularly.
  • Enforce IP-based access restrictions, so a token or session obtained during a call is useless from the attacker's network.
  • Leverage advanced security monitoring and policy enforcement (Salesforce Event Monitoring and transaction security policies) to alert on new app authorizations followed by unusually large queries.
  • Revoke and rotate credentials, including OAuth refresh tokens: a password reset alone does not invalidate a token the attacker already holds.
  • Harden access controls, preferring phishing-resistant MFA over codes that can be read out over the phone.
  • Investigate for compromise and scan for exposed secrets, since exported CRM records and support cases frequently contain credentials and API keys for other systems.
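The revocation step is the one most often done by halves: admins reset passwords and leave the OAuth grants in place. The following is an added example for this page, not Google's tooling, of auditing third-party grants in Google Workspace and cutting off a compromised integration. The selection logic runs offline on a constructed sample; revoke_with_admin_sdk and fetch_tokens show the Admin SDK Directory API calls (tokens.list / tokens.delete through google-api-python-client) that act on a real tenant. All client IDs, app names and user addresses are made-up placeholders.

```python
"""Audit Google Workspace OAuth grants and plan revocations.

Added example. Client IDs, app names, user addresses and the sample token
listing are constructed placeholders; the Admin SDK calls in fetch_tokens and
revoke_with_admin_sdk are the real Directory API method shapes.
"""
from __future__ import annotations

# Client IDs to revoke unconditionally, e.g. those named in a vendor advisory.
REVOKE_CLIENT_IDS = {"000000000001-driftemail.apps.googleusercontent.com"}
# Apps that have been through review and may keep sensitive scopes.
APPROVED_CLIENT_IDS = {"000000000002-corpcrm.apps.googleusercontent.com"}
# Scopes that let an app read or send mail, or walk Drive, on the user's behalf.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}


def classify_token(token: dict) -> str | None:
    """Return a reason to revoke this grant, or None to keep it.
    `token` has the shape of one tokens.list item: clientId, displayText,
    scopes, userKey."""
    client_id = token.get("clientId", "")
    if client_id in REVOKE_CLIENT_IDS:
        return "client on revocation list"
    held = set(token.get("scopes", []))
    if client_id not in APPROVED_CLIENT_IDS and held & HIGH_RISK_SCOPES:
        return "unreviewed app holds mail/drive scope"
    return None


def plan_revocations(tokens_by_user: dict[str, list[dict]]) -> list[dict]:
    """Walk every user's grants and list the ones to delete, with a reason."""
    plan = []
    for user, tokens in tokens_by_user.items():
        for t in tokens:
            reason = classify_token(t)
            if reason:
                plan.append({"user": user, "clientId": t["clientId"],
                             "app": t.get("displayText", "?"), "reason": reason})
    return plan


def fetch_tokens(directory, users: list[str]) -> dict[str, list[dict]]:
    """`directory` is build('admin', 'directory_v1', credentials=creds) from
    googleapiclient.discovery; creds need the admin.directory.user.security scope."""
    return {u: directory.tokens().list(userKey=u).execute().get("items", [])
            for u in users}


def revoke_with_admin_sdk(directory, plan: list[dict], dry_run: bool = True) -> int:
    """Delete each planned grant; returns how many were (or would be) revoked."""
    for item in plan:
        if not dry_run:
            directory.tokens().delete(userKey=item["user"],
                                      clientId=item["clientId"]).execute()
    return len(plan)


# Constructed sample of what tokens.list returns for two users.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "000000000001-driftemail.apps.googleusercontent.com",
         "displayText": "Drift Email",
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
        {"clientId": "000000000002-corpcrm.apps.googleusercontent.com",
         "displayText": "Corp CRM",
         "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    ],
    "bob@example.com": [
        {"clientId": "000000000003-notes.apps.googleusercontent.com",
         "displayText": "Notes Helper",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
        {"clientId": "000000000004-login.apps.googleusercontent.com",
         "displayText": "SSO Login",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    ],
}

if __name__ == "__main__":
    for item in plan_revocations(SAMPLE_TOKENS):
        print(item)
```

Run it against a real tenant with `fetch_tokens(directory, users)` feeding `plan_revocations`, review the plan, then call `revoke_with_admin_sdk(directory, plan, dry_run=False)`. The second rule (unreviewed app with mail or Drive scope) is deliberately broader than the advisory's named client: the Drift case showed that the integration you are told about is not always the only one holding a mailbox-wide grant.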

Speaking of being prepared, I’d recommend getting PureAUTH and avoiding the whole phishing, vishing, social engineering fiasco altogether, but you do you. Keep entering those passwords and MFA, only to get scammed and phished. Your choice 🙂

The £650M Mistake: M&S Breach Breakdown

The On-the-Job Hack That Shook a Retailing Goliath

Consider this. You get a call from a co-worker. He is locked out, needs a password reset, and sounds exactly like the dozens of callers you deal with every day. You press a few keys and reset it. Job done. Behind that voice, though, is an attacker, and a few hours later the company is losing hundreds of millions.

This is exactly how attackers brought Marks and Spencer to its knees. The attack was not the result of advanced malware or brute force. It was built on trust, urgency and human error. Welcome to social engineering.

What Occurred at M&S

1. The Entry Point: Manipulation of Help Desk

Attackers posed as employees and convinced IT support staff to reset their passwords.
No malicious code was needed, just a believable story and a sense of urgency.

Result: Instant access to in-house systems.

2. The Damage

Inside, the attackers:

  • Gained admin-level access
  • Deployed the DragonForce ransomware
  • Encrypted virtual machines
  • Halted online orders and payments

M&S lost roughly £650 million in market value. Its online business ground to a halt for weeks. Hundreds of warehouse staff were sent home.

3. Not a One-Time Trick

Other large firms fell in the same way:

Company        Entry method           Group              Known impact
MGM Resorts    Help desk spoofing     Scattered Spider   $100M+ revenue loss
Caesars        Social engineering     Scattered Spider   $15M ransom paid
Co-op          Password reset scam    DragonForce        Data of ~20 million customers claimed stolen
Harrods        Identity spoofing      DragonForce        System outages
M&S            Help desk deception    Scattered Spider   £650M market loss

The Core Issue: Passwords Still Break Everything

Even newer approaches like passkeys are usually deployed with a password, or a help desk reset, as the fallback. Attackers exploit this by targeting the human element rather than the technology. If help desks can be deceived, passwords can be reset. If passwords can be reset, attackers can walk in.

How PureAuth Stops It

PureAuth stops this attack chain by:

  • Removing password fallbacks entirely
  • Stopping help desk resets
  • Preventing admin-privilege abuse

There is no social trick that can bypass actual behavior analysis.

Final Thought: Hackers Don’t Crack Systems, They Fool People

M&S did not lose millions because of insecure software. It lost them because someone followed the normal help desk reset procedure.

That’s the danger. That’s the fix.
Secure people, not passwords.

PureAuth protects against a world where attackers launch their first compromise with a phone call.
