2026-02-25

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

The Salesforce cybersecurity incident from last summer may feel like the distant past, but companies report they’re still experiencing attacks as a result of that initial incursion.

Brief me on the original attacks. The Salesforce incidents happened in 2024 and 2025. The first attack was from UNC6040, a group that used social engineering to access Salesforce customers’ data; they now refer to themselves as “ShinyHunters.”

ShinyHunters is a threat group that broke onto the cyber scene in 2020, according to Bugcrowd. These attackers start by identifying organizations that use Microsoft’s Office 365 and then search for businesses that store GitHub OAuth (open authorization) tokens, which they can use for further supply-chain attacks.

Salesforce faced a second cybersecurity incident in August 2025 when Salesloft announced that it had detected a security issue in its Salesloft Drift application, an AI-powered sales engagement platform that lets sales teams integrate Salesforce instances into their AI chatbot workflows.

The attackers (UNC6395) are reportedly not part of ShinyHunters, but Cory Michal, VP of security at AppOmni, told IT Brew there might be some kind of overlap. The threat actors used stolen OAuth credentials to pull sensitive data from Salesforce customer instances.

“Once they got these tokens, they also use the access to search for other access tokens inside the Salesforce environment,” Michal said.

That was then. This is now. Months after the Salesloft Drift incident, organizations like Grubhub have reported experiencing data theft in connection with the original cybersecurity attacks.

In January, Grubhub confirmed to BleepingComputer that it had experienced a data breach and faced extortion demands. The outlet found that attackers were using data stolen in the Salesloft Drift attacks for their latest efforts, and multiple sources told the outlet that ShinyHunters was behind the extortion attempts against the company.

Michal said that professionals can expect to see more extortion attempts as attackers monetize what’s left from last year’s Salesforce breaches.

“The pattern we’re seeing is consistent: Salesforce responded by revoking/rotating the relevant OAuth access (tokens/keys), which cuts off that initial path, yet there are ongoing knock-on impacts where attackers appear to have stolen additional tenant-level secrets (API keys, integration credentials, other tokens) that remain valid until each customer rotates them,” Michal wrote in an email to IT Brew.
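The defender's follow-up to Michal's point: once a stolen integration token has read a tenant, every credential sitting in free-text fields has to be treated as exposed and rotated. The added Python example below (not IT Brew's or AppOmni's code) scans a constructed export of Salesforce case records for credential-shaped strings and turns the hits into a rotation work list; the record Ids, sample values, and the generic key=value heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Secret shapes to look for. AWS access key IDs and GitHub tokens have
# documented prefixes; the generic key=value pattern is a constructed heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-]{12,})"),
}

@dataclass(frozen=True)
class Finding:
    record_id: str    # Salesforce record Id the secret was found in
    field: str        # which free-text field held it
    secret_type: str  # key of SECRET_PATTERNS that matched
    redacted: str     # never log the full value; enough to locate it

def redact(value: str) -> str:
    """Keep a prefix and suffix so the hit can be located without logging the secret."""
    return f"{value[:4]}...{value[-2:]}"

def scan_records(records, text_fields=("Description", "Comments")):
    """Scan exported records' free-text fields for credential-shaped strings; every
    hit is a secret readable with a stolen OAuth token and therefore one to rotate."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""   # exported fields may be null
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    value = match.group(1) if match.groups() else match.group(0)
                    findings.append(Finding(rec["Id"], field, name, redact(value)))
    return findings

def secret_types_to_rotate(findings):
    """Distinct credential classes found: the rotation work list."""
    return sorted({f.secret_type for f in findings})

# Constructed sample export; Ids and values are made up, not real data.
SAMPLE_CASES = [
    {"Id": "500000000000001", "Description": "Customer pasted AKIAIOSFODNN7EXAMPLE for the S3 sync", "Comments": ""},
    {"Id": "500000000000002", "Description": "Deploy failed", "Comments": "try token ghp_" + "a" * 36},
    {"Id": "500000000000003", "Description": "api_key=sk_live_0123456789abcdef set in the connector", "Comments": None},
    {"Id": "500000000000004", "Description": "Nothing sensitive here", "Comments": "Follow up Monday"},
]

if __name__ == "__main__":
    print(secret_types_to_rotate(scan_records(SAMPLE_CASES)))
```

Run against a real export, the same loop covers any object with long text fields (cases, notes, chatter posts), and the output is the list of credential classes to revoke first.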

Who’s being affected? Other companies impacted by the Salesloft Drift attacks include HackerOne, Workday, Dynatrace, Qualys, and more, according to a Nudge Security-powered tracker.

Michal reported in his email that the cybersecurity community is seeing similar “token-theft attempts” aimed at highly integrated environments, which would allow attackers to move through connected SaaS apps. He noted that these attempts are similar in nature to the “integration-heavy attacks” reported in incidents like the one at Gainsight, a software development company that experienced unusual activity in apps connected to Salesforce.

Allen Tsai, the senior director for corporate communications at Salesforce, told IT Brew in an email that the company has re-enabled integrations with Salesloft technologies, with the exception of any Salesloft Drift app.

What to do about it. Michal recommended that companies use third-party risk management programs through which they can evaluate vendors’ security.

“What you need to do is actually verify that these companies have the appropriate integrations and the least amount of privilege into your SaaS products, and you need to know all these integrations that exist,” Michal said. “You also need to know integrations that exist that didn’t go through your third-party security review.”