Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday. 

“Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.

The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. 

The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted. 

Researchers told CyberScoop they are confident the threat group behind the campaign is associated with ShinyHunters, an outfit that’s previously stolen data from Salesforce instances for extortion attempts.

Salesforce did not attribute the attacks, but pinned blame on a “known threat actor group,” adding that the issue is not due to a vulnerability in the company’s platform.

The company said the threat activity reflects a broader trend of identity-based targeting, in this case customer-configured guest user settings that expose publicly accessible Experience Cloud sites to potential attacks.

“We are aware of a threat actor attempting to identify misconfigurations within Salesforce Experience Cloud instances,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in a statement. “We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.”

Salesforce said the threat actor is using a modified version of the Mandiant-developed open-source tool AuraInspector to scan for public-facing Experience Cloud sites and steal data from instances with a guest user profile. 

This setting is designed to provide unauthenticated users access to data intended for public consumption. Yet, guest profiles with excessive permissions allow attackers to view additional data by directly querying Salesforce CRM objects without logging in, the company explained.

Salesforce did not say when or how it became aware of the latest campaign targeting its customers, nor how many companies have already been impacted. “We don’t have anything further to add at this time,” said Nicole Aranda, senior manager of corporate communications at Salesforce. 

The company advised customers to ensure guest user configurations are properly restricted.

“Any system exposed to the internet must be configured with the expectation that it will be continuously scanned,” Shane Barney, chief information security officer, at Keeper Security, said in an email. 

“At its core, this is an access governance issue,” he added. “Guest accounts, service accounts and API integrations must be treated with the same discipline as privileged users. Applying least privilege, restricting API access and continuously auditing permissions are foundational security controls.”

Salesforce customers confronted a pair of attack sprees involving third-party vendors last year. Google Threat Intelligence Group at the time said it was aware of more than 200 potentially affected Salesforce instances linked to malicious activity in Gainsight applications connected to Salesforce customer environments in November.

A more extensive downstream attack spree discovered in August impacted more than 700 companies who integrated the AI chat agent Salesloft Drift into their Salesforce environments. ShinyHunters or threat clusters affiliated with the extortion group were involved in both of those campaigns as well.

The post Salesforce issues new security alert tied to third customer attack spree in six months appeared first on CyberScoop.

An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.

“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”

Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.

Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise. 

Salesforce identified three impacted customers in the immediate aftermath of the attack, and has since found more confirmed victims, Gainsight said in an update on its community page. Neither company has provided a specific number of known victims.

“There is a distinction between the number of customers who Salesforce identified as having compromised tokens and the handful of customers we presently know had their data affected,” a company spokesperson told CyberScoop Tuesday.

Google Threat Intelligence Group, which is affiliated with Mandiant under Google Cloud’s security apparatus, said it was aware of more than 200 Salesforce instances potentially affected by the Gainsight breach last week. Google hasn’t provided an updated figure since then.

Inconsistencies are common in supply-chain attacks that flow downstream.

Meanwhile, Mandiant is continuing to sift through logs and analyze token behavior and connector activity to provide Gainsight with a more complete view of what occurred and how far attackers were able to use Gainsight customers’ access tokens to breach additional systems.

Gainsight previously said Hubspot, Zendesk and revenue intelligence platform Gong.io also temporarily revoked Gainsight customers’ access tokens “out of an abundance of caution.” The company hasn’t reported any confirmed impact on other systems and Salesforce maintains that the issue did not involve a vulnerability in the Salesforce platform.

The breach and its root cause is strikingly similar to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce two months ago. 

While Gainsight and Salesforce are both communicating directly with customers, publicly available threat hunting guidance and information about the attacks exist in multiple places.

Salesforce has shared the most comprehensive IOCs, including dates and observed activities for each malicious IP address. The earliest malicious activity linked to the campaign occurred Oct. 23, according to Salesforce.

The company advised customers to review all available logs for potential compromise and noted that the revocation of Gainsight OAuth tokens does not delete a customers’ logs or hinder their ability to investigate the incident.

Gainsight, however, said its logs are of less use. “Based on the nature of the logs we retain, many of our clients have not found them to be material in assessing any risk to their organization,” Brent Krempges, chief customer officer at Gainsight, said on its community page. 

“We strongly recommend that you focus your investigation on the Salesforce logs that show authentication attempts and API calls originating from the Gainsight Connected App,” he added. “These Salesforce-side logs are the authoritative source of information for identifying any anomalous access patterns.”

Gainsight also recommended that customers configure IP restrictions for API calls to ensure only legitimate requests are allowed. This security control is manual and requires cooperation from every vendor in the supply chain. Okta said IP restrictions kept its Drift integrations secure and successfully blocked an attempted attack on its Salesforce environment during the widespread incidents in August.

Ganapathi, who was named CEO in August, acknowledged that Gainsight is critical to its customers’ daily operations and said the company is personally responsible for ensuring access to its products. The company is helping customers manage their Gainsight Customer Success (CS) instances while its Salesforce connected app is offline, he said. 

“The only way we beat these threats is by working together and sharing information and strategies,” Ganapathi said. “That is why I am committing to sharing what we learn from this experience to help everyone in the SaaS community strengthen their defenses and, we hope, avoid going through something similar themselves.”

The post Gainsight CEO downplays impact of attack that spread to Salesforce environments appeared first on CyberScoop.

The recent Salesloft Drift breach offered a sobering reminder of how easily trust can be weaponized in today’s SaaS and AI-integrated environments. In this incident, hackers exploited the Drift chatbot, stole OAuth tokens, and used them to obtain data from CRM systems before the tokens could be revoked. In the wake of the incident, many deemed the weak spot to be the tokens, but they are missing the bigger issue. Namely, identity and permission sprawl, and a misuse of excessive trust.

Inside the Salesloft Drift Attack

With Drift, attackers used OAuth tokens to make legitimate API calls against CRM environments, and since the tokens were valid, the fraudulent activity didn’t raise any flags. In the eyes of all, it was simply business as usual. Organizations later confirmed that data was stolen before tokens could be revoked. This includes sensitive business records, contact information, support data, and, in some cases, embedded credentials across more than 700 organizations using the compromised integration with Salesforce. 

And while those impacted have traced the chain of compromise, the next step is to address the larger underlying problem of the chatbots and the excessive scopes they are given. 

Consider the following:

• Exceedingly Broad Scopes: The chatbots don’t just have access to what they need; they have access to everything, including users’ credentials.
• Ongoing Authorization: Chatbot credentials often remain valid indefinitely in the name of speed, in essence creating a permanent open door.
• Standing Privileges: Permanent credentials mean chatbots stay connected even when not in use, making them targets ready to be exploited at any time.

Add it all up, and you can see how a single compromised credential can create significant exposure. And the risk is only growing, thanks to SaaS and AI-powered integrations that are creating an unimaginable number of vulnerabilities. Still, businesses treat integrations and agents as background utilities that have no ownership, governance, or lifecycle management. Ironically, it’s the absence of these controls that gives them greater operating privileges and reach than any human would ever be granted, while making them ideal targets for attackers.

The identity and access wake-up call

Whether or not an organization was impacted by Drift, it’s time to reassess all SaaS and AI integration footprints. This includes verifying every connected app, API bridge, and automation workflow. 

Start with addressing hygiene, including the following:

• Remove and rotate any old tokens, as well as those with excessive permissions, especially those connected to third-party integrations. Where possible, static tokens should be eliminated entirely in favor of short-lived tokens with a narrow window of operation.
• Replace blanket-scoped permissions with narrowly defined access that is tied to specific roles and actions. 
• Audit logs and event data for unusual exports, API surges, or unexpected user agents. These actions can help surface silent compromises before they grow.

This tactical cleanup is not a one-time exercise. Everything must be re-evaluated on an ongoing basis. Even then, your work is not done. 

From static access to runtime authorization

The next generation of security requires using adaptive access models such as Zero Standing Privileges (ZSP), where “always-on” automation is replaced by dynamic, ephemeral identities and permissions that are enforceable at runtime.  With ZSP, every integration or AI agent receives temporary, just-in-time access that is created at runtime, bound by clear time-to-live parameters and contextual conditions. When the task ends, the permission disappears.

Because these are enabled through runtime authorization, businesses can easily verify not only who or what is making a request, but also why, for how long, and under what conditions. When paired with continuous monitoring, organizations can quickly spot anomalous activities and revoke privileges instantly when behavior deviates from policy.

Treat all integrations as identities

Another key to success is treating all integrations, whether they are human, machine, agentic AI, or AI-driven assistants, equally. Each of these should have a distinct identity, a defined purpose, ownership, and lifecycle stages. These controls provide teams with critical visibility across all identities and, when irregular activities are spotted, the answers to critical questions—who had access, what they did, and for how long?

Pay special attention to AI-driven tools, ensuring that agents operating on behalf of humans only act within the parameters set by their sponsor. Helpful tools here include allowlisting and runtime guardrails that can keep agents in their assigned lane and, in doing so, prevent them from veering off and initiating unauthorized actions. This includes those that have been compromised or manipulated through prompt injection.

The bigger picture: trust as a dynamic perimeter

The Drift incident wasn’t an anomaly—it was a preview. As AI-driven automations and SaaS integrations multiply, every organization will face the same question: can you truly see, control, and verify who or what has access to your data at any given moment?

Security can no longer depend on static controls or the assumption that trusted systems will stay trustworthy. The future belongs to those who treat identity as the new perimeter and access as a living, breathing condition—not a one-time approval. When every token, credential, and agent is governed by context, time, and intent, trust becomes measurable—and defensible.

Because in a world where automation never sleeps, trust can’t either.

Art Poghosyan is the CEO of Britive, a cloud privileged access management software company. 

The post When trust turns toxic: Lessons from the Salesloft Drift incident appeared first on CyberScoop.

Salesforce said yet another breach involving a third-party vendor has compromised customers’ data, warning in a security advisory late Wednesday that it detected unusual activity in Gainsight applications connected to Salesforce customer environments.

“Google Threat Intelligence Group is aware of more than 200 potentially affected Salesforce instances,” Austin Larsen, principal analyst at GTIG, told CyberScoop. 

The breach shares strong similarities to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce less than two months ago.

The attacks targeting Gainsight, which bills itself as “customer success” software, and Salesloft Drift customer integrations with Salesforce are also linked to the same threat group or associated cybercriminals. “We assess this is likely the same threat cluster — ShinyHunters or UNC6240 — related to other recent campaigns targeting Salesforce instances, such as UNC6040,” Larsen said.

Salesforce responded to both attacks by revoking access to tokens that allowed customers to connect the third-party services to their Salesforce environments.

“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in the advisory. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

The company did not say when or how it became aware of the unauthorized activity in customer environments. A Salesforce spokesperson did not provide additional details and said it will update its security page with more information and customer guidance as appropriate.

Organizations impacted by the attack originating in Gainsight’s Salesforce connector are unknown, but the platform has about 1,000 customers, including many well-known enterprises and technology firms.

Gainsight issued its first public alert about Salesforce connections failures on its status page late Wednesday. “We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications,” the company said in an update Thursday.

The company said the Gainsight app has also been “temporarily pulled” from the Hubspot Marketplace, a move that may impact OAuth access for customer connections with that platform. “No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only.”

While broader impact hasn’t been confirmed, the potential scope beyond Salesforce suggests the breach might have compromised any service Gainsight customers connected to the platform. As Google security researchers responded to the Salesloft Drift attacks in August, they determined any user that integrated the AI chat agent platform to another service may have been compromised.

In a twist of irony, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attacks.

Gainsight, which said its internal investigation is ongoing, did not say how its customers’ access tokens may have been compromised. Salesloft ultimately pinned the root cause of the Drift supply-chain attacks to a threat group that gained access to its GitHub account as far back as March, lurking in the Salesloft application environment undetected until it stole data from hundreds of organizations during a 10-day period in mid-August.

Gainsight, which said its internal investigation is ongoing, did not respond to a request for comment.

The post Hundreds of Salesforce customers hit by yet another third-party vendor breach appeared first on CyberScoop.

A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.

The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.

Last week, a new victim shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.

“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”

Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).

On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).

“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.

Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.

Red Hat disclosed on October 2 that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.

“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.

Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, emails, IP address, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.

The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole vast amounts of authentication tokens from Salesloft, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.

In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”

The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.

Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.

But before it died, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.

Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.

On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.

KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.

The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is here). Simply viewing the booby-trapped screensaver on a Windows PC is enough to cause the bundled trojan to launch in the background.

Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.

“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”

Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.

With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with extorting at least $115 million in ransom payments from companies victimized by data theft.

U.S. prosecutors heaped their own charges on the 19 year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.

In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay roughly $13 million in restitution to victims.

In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the U.S., where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.

Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.

The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.

Salesloft disclosed on August 20 that, “Today, we detected a security issue in the Drift application,” referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps to invalidate their existing authentication tokens, but it said nothing then to indicate those tokens had already been stolen.

On August 26, the Google Threat Intelligence Group (GTIG) warned that unidentified hackers tracked as UNC6395 used the access tokens stolen from Salesloft to siphon large amounts of data from numerous corporate Salesforce instances. Google said the data theft began as early as Aug. 8, 2025 and lasted through at least Aug. 18, 2025, and that the incident did not involve any vulnerability in the Salesforce platform.

Google said the attackers have been sifting through the massive data haul for credential materials such as AWS keys, VPN credentials, and credentials to the cloud storage provider Snowflake.

“If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim’s clients or partner environments,” the GTIG report stated.

The GTIG updated its advisory on August 28 to acknowledge the attackers used the stolen tokens to access email from “a very small number of Google Workspace accounts” that were specially configured to integrate with Salesloft. More importantly, it warned organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations — regardless of the third-party service in question.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) should consider their data compromised and are urged to take immediate remediation steps,” Google advised.

On August 28, Salesforce blocked Drift from integrating with its platform, and with its productivity platforms Slack and Pardot.

The Salesloft incident comes on the heels of a broad social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. That campaign led to data breaches and extortion attacks affecting a number of companies including Adidas, Allianz Life and Qantas.

On August 5, Google disclosed that one of its corporate Salesforce instances was compromised by the attackers, which the GTIG has dubbed UNC6040 (“UNC” stands for “uncategorized threat group”). Google said the extortionists consistently claimed to be the threat group ShinyHunters, and that the group appeared to be preparing to escalate its extortion attacks by launching a data leak site.

ShinyHunters is an amorphous threat group known for using social engineering to break into cloud platforms and third-party IT providers, and for posting dozens of stolen databases to cybercrime communities like the now-defunct Breachforums.

The ShinyHunters brand dates back to 2020, and the group has been credited with or taken responsibility for dozens of data leaks that exposed hundreds of millions of breached records. The group’s member roster is thought to be somewhat fluid, drawing mainly from active denizens of the Com, a mostly English-language cybercrime community scattered across an ocean of Telegram and Discord servers.

Recorded Future’s Alan Liska told Bleeping Computer that the overlap in the “tools, techniques and procedures” used by ShinyHunters and the Scattered Spider extortion group likely indicate some crossover between the two groups.

To muddy the waters even further, on August 28 a Telegram channel that now has nearly 40,000 subscribers was launched under the intentionally confusing banner “Scattered LAPSUS$ Hunters 4.0,” wherein participants have repeatedly claimed responsibility for the Salesloft hack without actually sharing any details to prove their claims.

The Telegram group has been trying to attract media attention by threatening security researchers at Google and other firms. It also is using the channel’s sudden popularity to promote a new cybercrime forum called “Breachstars,” which they claim will soon host data stolen from victim companies who refuse to negotiate a ransom payment.

But Austin Larsen, a principal threat analyst at Google’s threat intelligence group, said there is no compelling evidence to attribute the Salesloft activity to ShinyHunters or to other known groups at this time.

“Their understanding of the incident seems to come from public reporting alone,” Larsen told KrebsOnSecurity, referring to the most active participants in the Scattered LAPSUS$ Hunters 4.0 Telegram channel.

Joshua Wright, a senior technical director at Counter Hack, is credited with coining the term “authorization sprawl” to describe one key reason that social engineering attacks from groups like Scattered Spider and ShinyHunters so often succeed: They abuse legitimate user access tokens to move seamlessly between on-premises and cloud systems.

Wright said this type of attack chain often goes undetected because the attacker sticks to the resources and access already allocated to the user.

“Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,” Wright wrote in a June 2025 column. “Rather than creating custom malware, attackers use the resources already available to them as authorized users.”

It remains unclear exactly how the attackers gained access to all Salesloft Drift authentication tokens. Salesloft announced on August 27 that it hired Mandiant, Google Cloud’s incident response division, to investigate the root cause(s).

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Mandiant Consulting CTO Charles Carmakal told Cyberscoop. “There will be a lot more tomorrow, and the next day, and the next day.”