Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Tracks ShinyHunters' Salesforce Data Theft Via OAuth Flaws

Business setting with laptop on desk, papers and supplies nearby, and CRM system on screen.

“The way in has been the trust the organization had already extended,” Microsoft wrote, and that trusted path — not a software bug or a leaked password in the conventional sense — explains a year-long run of Salesforce data thefts traced to techniques linked to the extortion group ShinyHunters.

The phone call: vishing to authorize a malicious connected app

Microsoft mapped the first intrusion path to vishing campaigns beginning in mid-2025. Actors posing as IT support walked employees through Salesforce's OAuth consent screen and persuaded them to approve a connected app disguised as Salesforce's own Data Loader tool. Once consent was granted, the app made API calls as the user, letting attackers enumerate CRM records, maintain persistent access, and search for credentials that could open other SaaS doors.

No malware was required, and no stolen-password replay was needed — just a phone call and a consent click. Google’s Threat Intelligence Group (GTIG) and Mandiant documented the initial access and follow-on extortion in mid-2025, tracking clusters that used the ShinyHunters name as part of their pressure campaign. Google confirmed a June 2025 compromise of one of its corporate Salesforce instances in which attackers took largely public business contact data. Public reporting tied the same wave to incidents at Chanel and Pandora and named Adidas, Qantas, Allianz Life, and several LVMH brands as targets.

Stolen OAuth tokens from trusted vendors: Salesloft/Drift, Gainsight, Klue

The second intrusion path bypassed employees entirely by targeting vendors whose applications held OAuth access to many customer Salesforce orgs. In August 2025, attackers stole OAuth and refresh tokens tied to the Drift AI chat integration in the Salesloft compromise and used those tokens against customer Salesforce environments. Google estimated the Drift token theft potentially exposed more than 700 organizations, including Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium.

Salesloft later traced the root cause to access to its GitHub account as early as March 2025, which the attackers used to reach Drift's AWS environment and harvest tokens. Attackers ran SOQL queries to look through support cases and objects for AWS keys, Snowflake tokens, and passwords, and they deleted query jobs to slow investigations.

GTIG linked a November 2025 Gainsight incident to ShinyHunters affiliates across more than 200 Salesforce instances. In June 2026, a Klue compromise involved a legacy credential for a test integration that remained active; attackers pushed a code update that harvested customers' OAuth tokens and used those tokens to reach Salesforce and Gong data belonging to Klue customers, including Huntress and Recorded Future. Microsoft tracks the Klue actor as Storm-3138; industry reporting also links the extortion to a group calling itself Icarus and a Telegram account claiming ShinyHunters. Microsoft and the security community note that these labels overlap and are claimed opportunistically.

Guest access misconfiguration and Aura endpoints on Experience Cloud sites

The third path required no credentials at all. Microsoft observed suspicious guest-user activity targeting Salesforce Aura endpoints, the framework behind Experience Cloud sites. Where guest-user permissions were misconfigured, actors called the GraphQL Aura controller and used cursor-based pagination to bypass the standard 2,000-record query limit, extracting far more data than the guest role was intended to expose. Microsoft’s detections point to the use of the AuraInspector tooling to probe endpoints; no software exploit was necessary — the guest role simply had overly permissive visibility.

Defender for Cloud Apps and Salesforce Shield Event Monitoring: changes shipped

Microsoft and Salesforce rolled out detection and governance changes to address what traditional sign-in and authentication logs miss. For customers running Salesforce Shield Event Monitoring, the upgraded Salesforce connector into Microsoft Defender for Cloud Apps onboards the Real-Time Event Monitoring framework for near-real-time detection and adds connected-app attribution. That ties activity to a specific app identity and its granted OAuth scopes and provides greater session and API context.

Microsoft also added posture and governance features for connected OAuth apps: a view of highly privileged apps holding elevated scopes, a way to surface unused apps inactive for 90 days while still holding live permissions, and a 0–100 risk score per app that teams can wire to alerts and policies. The stated aim is to find over-permissioned and forgotten integrations before attackers do.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams — Inventory connected apps, enable and monitor Salesforce event logs, connect Salesforce to Defender for Cloud Apps, and be prepared to revoke and rotate tokens when an integration behaves oddly; Microsoft’s guidance echoes vendor post-incident recommendations.
  • Procurement and vendor teams — The incidents at Salesloft/Drift, Gainsight, and Klue underscore the downstream risk from vendor credentials and legacy test integrations; vendors' development and secrets practices directly affect customer exposure.
  • End users and help desks — Mandiant advised that vishing exploits a help desk's instinct to be helpful, and standard identity checks may not apply; the safe move in such scenarios is to hang up and call back on a known-good channel.

The common thread across all three paths is identity in the broad sense: OAuth-connected apps, integration accounts, and service credentials often sit outside the controls built for human logins — MFA, conditional access, and session policies — and when those machine and vendor identities are forgotten or over-permissioned, the attackers exploited them for a year. The Hacker News has reached out to Microsoft for further details on its attribution of the actors behind these campaigns and will update the story with any response.

Original story