- Shinyhunters claim theft of 1.5 billion records of 760 global companies
- The attackers exploited Github’s secrets to access confidential Salesforce objects for the objects of Salesforce
- FBI issued warnings when computer pirate groups announced that “they were getting dark
Shinyhunters has finally revealed how many data stole in the attack Salesloft / Salesforce, claiming to have taken 1.5 billion records of 760 companies worldwide.
In March 2025, the threat actors of three groups: Shinyhunters, Lapsus $ and Sptered Spider, united strength and violated the Github repository of Salesloft, which contained the company’s source codes. Using Trufflehog malware, they scanned the code in search of secrets and found Oauth tokens for drifting email platforms and derives from Salesloft.
From there, they were able to access different tables of Salesforce objects, belonging to several companies. These tables, labeled as “counts”, “contact”, “case”, “opportunity” and “user”, contained all kinds of sensitive files that the attackers managed to exfiltrate.
Waiting for confirmation
The majority (579 million) come from the contact table. The case was the second largest committed table with 459 million records, followed by an account (250 million), contact (171 million), opportunity (171 million) and user (60 million).
To prove his statements, Shinyhunters shared a text file that lists the folders of the source code. Until now, Salesforce has not commented on these claims.
We have communicated with Salesforce and we will update the article if we receive news, and a source told you Bleepingcomputer that the numbers are precise.
It remains to be seen if criminals bit more than they can chew.
After the incident, the FBI issued a security notice, warning companies about UNC6040 and UNC6395 (how it tracks the groups) and sharing known compromise indicators (COI).
At the same time, the groups announced that they were going to “darken”, that some cybersecurity companies interpreted as they fear the growing attention they have been receiving.
If these statements turn out to be true, this would also put the incident on the same time with the FIASCO of transferred files administered (MFT) 2023, which affected thousands of organizations and millions of users worldwide.
Through Bleepingcomputer
