The Anatomy of a SaaS Supply Chain Cascade
The breach did not start with a zero-day exploit or a brute-force attack on a corporate firewall. It started with access to a GitHub repository.
In March 2025, a threat cluster tracked by Mandiant as UNC6395 gained access to Salesloft’s private GitHub organization. Over the following four months, the attackers downloaded code repositories, added a guest user, and established persistent workflows to maintain access. Their target was not the source code itself but what was embedded inside it: OAuth tokens for Drift, the conversational marketing platform that Salesloft had acquired and deeply integrated with Salesforce.
Using TruffleHog, an open-source secret detection tool built for defensive security teams, the attackers scanned the stolen repositories and extracted Drift OAuth tokens that connected to hundreds of Salesforce customer instances. Between August 8 and August 18, 2025, UNC6395 used those tokens to systematically query and export data from more than 700 Salesforce environments. By the time Salesforce and Salesloft disabled all Drift integrations on August 20, the damage was done.
The group, which identified itself as ShinyHunters during extortion communications, claims to have stolen approximately 1.5 billion Salesforce records from 760 companies: 579 million Contact records, 459 million Case records, 250 million Account records, 171 million Opportunity records, and 60 million User records. Victims included Cloudflare, Google, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, and Zscaler.
But the Salesforce data was only the first wave. The stolen Case records contained plaintext credentials, AWS keys, VPN access tokens, and Snowflake credentials buried in support tickets and internal communications. ShinyHunters used TruffleHog again to mine this data for follow-on attack paths, turning one breach into a credential cascade that rippled across cloud environments throughout early 2026.
ShinyHunters: From Forum Sellers to Industrial Extortionists
ShinyHunters emerged around 2019 as a financially motivated data theft group that sold stolen databases on underground forums for $500 to $5,000 each. Early targets included Tokopedia (91 million accounts, 2020), Wattpad (270 million records, 2020), and dozens of web applications with misconfigured cloud storage or exposed GitHub repositories.
The group’s operational model shifted dramatically with the 2024 Snowflake campaign. Tracked by Mandiant as UNC5537, that operation used credentials harvested from infostealer malware to access Snowflake data warehouses belonging to AT&T, Ticketmaster, Santander, and over 160 other organizations. AT&T alone disclosed that call and text records of nearly all its wireless customers, roughly 110 million people, had been accessed. The Snowflake campaign proved that targeting platform-level access points yielded exponentially more data than breaching individual companies.
The 2025 Salesloft/Drift campaign refined this model further. Rather than exploiting stolen employee credentials one by one, the attackers compromised the platform’s own infrastructure and extracted integration tokens that provided simultaneous access to hundreds of downstream environments. They then industrialized the exploitation using automated scanning tools, shifting from artisanal data theft to factory-scale exfiltration.
Law enforcement has pursued ShinyHunters across multiple jurisdictions. Sebastien Raoult, a French member, was arrested in Morocco in 2022, extradited to the United States, and sentenced to three years in prison with $5 million in restitution. Alexander Moucka, a Canadian national linked to the Snowflake campaign, was arrested in late 2024. Four additional members were arrested in France in June 2025. Despite these arrests, the group reconstituted and continued operations, with threat intelligence firms noting overlap between ShinyHunters, Scattered Spider, and Lapsus$ in a loose collective operating through shared Telegram channels.
Advertisement
The Downstream Carnage
The credential cascade from the Salesloft/Drift breach generated a series of high-profile downstream compromises that extended well into 2026.
TELUS Digital suffered the most severe impact. ShinyHunters discovered Google Cloud Platform credentials for TELUS Digital, Canada’s largest BPO provider, embedded within the stolen Drift/Salesforce data. Those credentials unlocked access to TELUS’s BigQuery instances and numerous cloud systems. The attackers claimed to have exfiltrated nearly 1 petabyte of data, including call records, source code, FBI background check results for employees, AI training data, voice recordings, and fraud detection system details covering approximately 28 client companies. ShinyHunters demanded $65 million in ransom. TELUS Digital confirmed the breach on March 12, 2026, and sources indicated the company refused to engage with the extortion demand.
Aura, an identity protection firm, was breached through a complementary vector. While the Salesloft/Drift data provided reconnaissance, the actual compromise came through vishing: attackers called Aura employees, impersonated trusted parties, and convinced them to hand over credentials. The attackers then exploited an Okta single sign-on vulnerability to access a marketing database from a 2021 acquisition, exposing 903,100 records including IP addresses, phone numbers, home addresses, and customer service comments. Aura disclosed the breach on March 18, 2026, noting the unauthorized access lasted approximately one hour before revocation.
CarGurus, the automotive marketplace, was breached on February 13, 2026 via vishing attacks targeting employees to obtain single sign-on codes. The breach exposed 12.4 million records containing names, addresses, and financial data, triggering multiple lawsuits. Crunchyroll had approximately 2 million records leaked, Betterment lost roughly 1.4 million user records, and Match Group saw 10 million records compromised across Hinge, Match.com, and OkCupid.
Why SaaS Integration Credentials Are the New Attack Surface
The Salesloft/Drift cascade exposes a structural vulnerability in how the modern SaaS ecosystem operates. Large enterprises average over 130 SaaS applications, and each application connects to others through OAuth tokens, API keys, and service account credentials stored across multiple environments.
Three dynamics make this architecture uniquely fragile. First, integration is encouraged and normalized. SaaS platforms compete on their ability to connect with other tools, creating dense webs of credential dependencies that no single team fully maps. Second, credentials are overly permissioned. Integration guides routinely instruct users to grant broad API access for compatibility, even when read-only scopes would suffice. The Drift OAuth tokens that enabled this breach had permissions to read Contacts, Accounts, Cases, Opportunities, and Users across connected Salesforce instances. Third, credentials rarely rotate. Many organizations configure integrations once and never revisit them, leaving tokens valid for years even after the employees who created them have left.
The use of TruffleHog in this campaign highlights a dual-use reality in security tooling. TruffleHog was built by Truffle Security to help defenders find exposed secrets in code repositories and data stores. It maintains pattern matchers for hundreds of credential types. ShinyHunters repurposed this defensive tool offensively, first scanning GitHub repositories for OAuth tokens and then mining stolen Salesforce Case data for additional credentials. The tool’s comprehensive detection capabilities made it trivially effective in both contexts.
Defensive Priorities After the Cascade
Organizations that used Salesloft or Drift should treat all connected credentials as compromised, rotate them immediately, and audit access logs for anomalous API activity during August 2025 through March 2026.
For the broader security posture, this campaign demands five structural changes. Inventory all third-party credentials: use SaaS security posture management tools like Nudge Security, Valence Security, or AppOmni to map every OAuth token, API key, and service account stored across SaaS platforms. Enforce least-privilege scopes: never grant admin-level API access when read-only permissions suffice, and review existing integration permissions against actual usage. Automate credential rotation: any credential that cannot be rotated automatically should be flagged for periodic manual rotation, at minimum annually. Require hardware-based MFA for administrative access: FIDO2 security keys resist the phishing and infostealer vectors that enabled the initial GitHub compromise. Monitor for API abuse patterns: detect anomalous data export volumes, access from unexpected locations, and API calls outside business hours, since valid credentials will bypass traditional access controls.
The SaaS economy was built on the promise that interconnected tools make businesses more productive. ShinyHunters proved that those same interconnections, secured by hardcoded tokens with excessive permissions and no rotation, can make businesses catastrophically vulnerable at industrial scale.
Frequently Asked Questions
How did ShinyHunters breach 760 companies from a single access point?
The attackers compromised Salesloft’s private GitHub repository in March 2025 and used TruffleHog to extract Drift OAuth tokens hardcoded in the source. These tokens provided direct access to Salesforce instances of over 760 companies that had integrated Drift for customer engagement. The stolen Salesforce Case data then contained additional credentials (AWS keys, VPN tokens) enabling follow-on compromises like the TELUS Digital breach.
What is the difference between UNC6395, UNC6040, and ShinyHunters?
UNC6395 is Mandiant’s designation for the threat cluster behind the Salesloft/Drift supply chain intrusion. UNC6040 is the separate Mandiant cluster that consistently identifies as ShinyHunters during extortion communications and is known for vishing-based attacks on Salesforce customers. While the groups share tactics and infrastructure, Google has not formally merged them. The Snowflake campaign of 2024 was tracked under yet another designation, UNC5537.
What should organizations do right now to protect against SaaS credential cascades?
Start by inventorying all OAuth tokens and API keys stored in third-party SaaS platforms using tools like Nudge Security or AppOmni. Rotate any credentials connected to Salesloft or Drift immediately. Enforce least-privilege scopes on all integrations, require FIDO2 hardware keys for administrative access, and implement monitoring for anomalous API data export patterns. These five measures address the specific attack vectors ShinyHunters exploited.
Sources & Further Reading
- ShinyHunters Claims 1.5 Billion Salesforce Records Stolen in Drift Hacks — BleepingComputer
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift — Google Cloud Blog
- Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens — HackRead
- Salesloft Drift Security Incident Started With Undetected GitHub Access — CyberScoop
- Telus Digital Confirms Breach After Hacker Claims 1 Petabyte Data Theft — BleepingComputer
- Identity Protection Firm Aura Suffers Data Breach Exposing 900,000 Records — Help Net Security
- Salesloft Drift Attack: One Compromised Integration Shakes 700+ Companies — CM-Alliance
- ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches — Mitiga
