Hackers claim they stole 1.5 billion Salesforce records from hundreds of companies in major hack - but are they telling the truth?

News
By published

Months after the hack, ShinyHunters come forward with more details

Agentforce World Tour London
(Image credit: Future / Mike Moore)
  • ShinyHunters claim theft of 1.5 billion records from 760 global companies
  • Attackers exploited GitHub secrets to access sensitive Salesforce object tables
  • FBI issued warnings as hacker groups announced they were “going dark

ShinyHunters have finally revealed how much data it stole in the Salesloft / Salesforce attack, claiming to have taken 1.5 billion records from 760 companies around the world.

In March 2025, threat actors from three groups: ShinyHunters, Lapsus$, and Scattered Spider, joined forces and breached Salesloft’s GitHub repository, which contained the company’s source codes. Using TruffleHog malware, they scanned the code for secrets and found OAuth tokens for the Salesloft Drift and Drift Email platforms.

From there, they were able to access different Salesforce object tables, belonging to various companies. These tables, labeled “Account”, “Contact”, “Case”, “Opportunity”, and “User”, contained all sorts of sensitive files which the attackers managed to exfiltrate.

Waiting for confirmation

The majority (579 million) are from the Contact table. Case was the second-largest compromised table with 459 million records, followed by Account (250 million), Contact (171 million), Opportunity (171 million), and User (60 million).

To prove their claims, ShinyHunters shared a text file listing the source code folders. So far, Salesforce has not commented on these claims.

We’ve reached out to Salesforce, and will update the article if we hear back - and a source told BleepingComputer that the numbers are accurate.

Whether or not the criminals bit off more than they can chew, remains to be seen.

Following the incident, the FBI issued a security advisory, warning businesses about UNC6040 and UNC6395 (how it tracks the groups), and sharing known indicators of compromise (IOC).

At the same time, the groups announced they were “going dark”, which some cybersecurity companies interpreted as them being afraid of the increasing attention they have been getting.

If these claims turn out to be true, this would also put the incident on par with the 2023 MOVEit Managed File Transfer (MFT) fiasco, which affected thousands of organizations and millions of users worldwide.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.