Hackers Claim 1.5 Billion Salesforce Records Stolen in Major Hack - But Are They Telling the Truth?

ShinyHunters, a group of hackers, has finally revealed the extent of the data they stole in the Salesloft/Salesforce attack, claiming to have taken 1.5 billion records from 760 companies worldwide.

The Attack: A Joint Effort

In March 2025, threat actors from three groups - ShinyHunters, Lapsus$, and Scattered Spider - joined forces to breach Salesloft's GitHub repository, which contained the company's source code. This initial breach allowed the attackers to gain access to sensitive information.

The Malware: TruffleHog

Using the TruffleHog malware, the attackers scanned the code for secrets and found OAuth tokens for the Salesloft Drift and Drift Email platforms. These tokens enabled them to access different Salesforce object tables belonging to various companies.
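From the defender's side, the same kind of scan can be run against your own repositories to catch hard-coded OAuth material before it is committed. The sketch below is an added example, not code from the article or from TruffleHog; the key-name list, entropy threshold, file name and sample values are assumptions constructed for illustration.

```python
import math
import re

# Key names that often hold OAuth material (assumed list, not from the article).
KEY_RE = re.compile(
    r"(?i)(\w*(?:access_token|refresh_token|client_secret|oauth_token|api_key))"
    r"[\"']?\s*[:=]\s*[\"']?([\w.+/=-]{16,})"
)
# Values that are obviously templates or documentation placeholders.
PLACEHOLDER_RE = re.compile(r"(?i)example|changeme|placeholder|your[_-]|xxxx")

def shannon_entropy(value):
    """Bits per character; random tokens score high, repeated filler scores low."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_text(path, text, min_entropy=3.5):
    """Return (path, line, key, redacted value) for likely hard-coded secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if PLACEHOLDER_RE.search(value) or shannon_entropy(value) < min_entropy:
                continue
            # Redact so the scan report does not itself leak the token.
            findings.append((path, lineno, key.lower(), value[:4] + "..."))
    return findings

# Constructed sample file; every value below is made up for this example.
SAMPLE = '''\
DRIFT_REFRESH_TOKEN = "q8ZrT2vLx9KdP0aWmB7sYhJ4cNfE6uGi"
client_secret: "your_client_secret_here_1234"
access_token = "aaaaaaaaaaaaaaaaaaaaaaaa"
api_key=${API_KEY_FROM_VAULT_0001}
  "oauth_token": "Xk3+Qp9/Lm2=Rt7Vb5Nz1Hs8Wd4Gf6Jy"
'''

if __name__ == "__main__":
    for finding in scan_text("config/drift.env", SAMPLE):
        print(finding)
```

Only the two high-entropy values are reported; the placeholder, the repeated filler and the vault reference are skipped. Any real hit should be treated as exposed and the token revoked and rotated, not just deleted from the file.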

The Data: A Sensitive Treasure Trove

The attackers managed to exfiltrate sensitive files from the compromised tables, including:

  • Account (250 million records)
  • Contact (579 million records)
  • Case (459 million records)
  • Opportunity (171 million records)
  • User (60 million records)

The majority of the stolen data came from the Contact table, followed by the Case and Account tables. The exact nature of this sensitive information is not specified, but its value to potential hackers is undeniable.

Proving Their Claims

To prove their claims, ShinyHunters shared a text file listing the source code folders. While this may seem like a minor detail, it lends credence to their assertion that they indeed stole 1.5 billion records from hundreds of companies.

Salesforce Response: What's Next?

So far, Salesforce has not commented on these claims. BleepingComputer has reached out to the company for an update, and we will keep our readers informed if we receive any new information.

A source close to the incident confirmed that the numbers are accurate, leaving no doubt about the severity of the breach.

The FBI's Warning: UNC6040 and UNC6395

Following the incident, the FBI issued a security advisory warning businesses about the groups, which it tracks as UNC6040 and UNC6395, and sharing known indicators of compromise (IOCs). This move highlights the growing concern over these threat actors.

The Groups' "Going Dark" Statement

At the same time, the groups announced that they were "going dark", which some cybersecurity companies interpreted as them being afraid of the increasing attention they have been getting. Only time will tell if this statement is a genuine attempt to avoid detection or just a clever ruse.

A Breach of Epic Proportions

If these claims are true, this would put the incident on par with the 2023 MOVEit Managed File Transfer (MFT) fiasco, which affected thousands of organizations and millions of users worldwide. The scale of the breach is unprecedented and has significant implications for data protection.

The Verdict: Still to be Seen

Whether or not the criminals bit off more than they can chew remains to be seen. As we continue to monitor this situation, our readers will receive updates on any new developments.
