By Sead Fadilpašić

Copyright techradar

Skip to main content

Tech Radar Pro

Tech Radar Gaming

Close main menu

the business technology experts

België (Nederlands)

Deutschland

North America

US (English)

Australasia

New Zealand

View Profile

Search TechRadar

Expert Insights

Website builders

Web hosting

Best web hosting
Best office chairs
Best website builder
Best antivirus
Expert Insights

Don’t miss these

Salesforce platforms are being cracked open for data theft – FBI warns of UNC6040 and UNC6395 IOCs

Google says hackers stole some of its data following Salesforce breach

Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack

Zscaler says it suffered data breach following Salesloft Drift compromise

Reports claim billions of Gmail accounts could be vulnerable after data breach – but Google says that’s not true

Allianz Life breach now thought to have affected 1.1 million customers – here’s how to stay safe

TransUnion data breach may have affected 4.4 million users – here’s what we know, and how to stay safe

“No evidence” – here’s why the massive 16 billion record data breach may not be as bad as first thought

Even Cloudflare isn’t safe from Salesloft Drift data breaches

Hackers breach HR firm Workday – is it the latest Salesforce CRM attack victim?

Insurance giant Allianz Life says data on over a million US customers stolen in breach – here’s how to stay protected

Discord hackers claim to have leaked billions of messages as millions of users targeted – here’s what we know

Supermarket giant admits 2.2 million people could be hit by worrying data breach – what to do if you’re affected

Scattered Spider hackers return to hit more victims – despite retirement claims

Hackers claim they stole 1.5 billion Salesforce records from hundreds of companies in major hack – but are they telling the truth?

Sead Fadilpašić

18 September 2025

Months after the hack, ShinyHunters come forward with more details

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Future / Mike Moore)

ShinyHunters claim theft of 1.5 billion records from 760 global companies
Attackers exploited GitHub secrets to access sensitive Salesforce object tables
FBI issued warnings as hacker groups announced they were “going dark

ShinyHunters have finally revealed how much data it stole in the Salesloft / Salesforce attack, claiming to have taken 1.5 billion records from 760 companies around the world.

In March 2025, threat actors from three groups: ShinyHunters, Lapsus$, and Scattered Spider, joined forces and breached Salesloft’s GitHub repository, which contained the company’s source codes. Using TruffleHog malware, they scanned the code for secrets and found OAuth tokens for the Salesloft Drift and Drift Email platforms.
From there, they were able to access different Salesforce object tables, belonging to various companies. These tables, labeled “Account”, “Contact”, “Case”, “Opportunity”, and “User”, contained all sorts of sensitive files which the attackers managed to exfiltrate.

You may like

Salesforce platforms are being cracked open for data theft – FBI warns of UNC6040 and UNC6395 IOCs

Google says hackers stole some of its data following Salesforce breach

Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

Waiting for confirmation
The majority (579 million) are from the Contact table. Case was the second-largest compromised table with 459 million records, followed by Account (250 million), Contact (171 million), Opportunity (171 million), and User (60 million).

To prove their claims, ShinyHunters shared a text file listing the source code folders. So far, Salesforce has not commented on these claims.
We’ve reached out to Salesforce, and will update the article if we hear back – and a source told BleepingComputer that the numbers are accurate.
Whether or not the criminals bit off more than they can chew, remains to be seen.

Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
Following the incident, the FBI issued a security advisory, warning businesses about UNC6040 and UNC6395 (how it tracks the groups), and sharing known indicators of compromise (IOC).
At the same time, the groups announced they were “going dark”, which some cybersecurity companies interpreted as them being afraid of the increasing attention they have been getting.
If these claims turn out to be true, this would also put the incident on par with the 2023 MOVEit Managed File Transfer (MFT) fiasco, which affected thousands of organizations and millions of users worldwide.
Via BleepingComputer
You might also like

Google warns Salesloft Drift attack may have compromised Workspace accounts and Salesforce instances
Take a look at our guide to the best authenticator app
We’ve rounded up the best password managers

Sead Fadilpašić

Social Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Salesforce platforms are being cracked open for data theft – FBI warns of UNC6040 and UNC6395 IOCs

Google says hackers stole some of its data following Salesforce breach

Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack

Zscaler says it suffered data breach following Salesloft Drift compromise

Reports claim billions of Gmail accounts could be vulnerable after data breach – but Google says that’s not true

Latest in Security

CrowdStrike snaps up Pangea to boost AI security

Scattered Spider hackers return to hit more victims – despite retirement claims

1Password and Perplexity partner on Comet AI browser – a full time personal assistant with security by default

Microsoft and Cloudflare jointly take down phishing network that stole thousands of Microsoft 365 credentials

Nvidia and a Huawei subsidiary shared a building – and now it’s being probed for Chinese espionage

Jaguar Land Rover cyber attack outage continues – systems unlikely to be online for another week

Latest in News

You can now toggle GPT-5’s thinking time for faster or smarter answers – here’s how to do it

Intel will build custom x86 CPUs for Nvidia’s AI infrastructure as world’s largest company invests $5 billion in beleaguered tech firm – and don’t discount a data center x86 APU

A US retailer may have leaked the Xbox ROG Ally’s price – and it’s better than we thought

You can now buy Hisense’s mid-range 116-inch mini-LED 4K TV, because that’s a thing in today’s TV world

“A wider campaign against human rights” – Experts condemn Russia’s escalation against VPNs and encrypted apps

Not ready for Cloud PCs just yet? Microsoft will still let you stream individual apps to get you started

LATEST ARTICLES

Battlefield 6 will let console players avoid PC crossplay to prevent cheaters ruining everyone’s good time

Rippling IT IAM solution review

Not ready for Cloud PCs just yet? Microsoft will still let you stream individual apps to get you started

YouTube Shorts now lets you turn text into 8-second videos using Veo 3’s AI magic

Quordle hints and answers for Friday, September 19 (game #1334)

TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

Contact Future’s experts

Terms and conditions

Privacy policy

Cookies policy

Advertise with us

Web notifications

Accessibility Statement

Future US, Inc. Full 7th Floor, 130 West 42nd Street,

Please login or signup to comment

Please wait…