By Interestana AI Editorial — AI-drafted, human-overseen. How we report
ShinyHunters Linked to Year-Long Salesforce Data Theft

Attackers, whose methods align with the data-extortion group ShinyHunters, have been accessing corporate Salesforce environments for the past year without exploiting platform vulnerabilities. Instead, they have leveraged existing trust relationships, primarily through OAuth connections that link Salesforce to third-party applications and vendors. This tactic allowed them to gain unauthorized access to sensitive customer data.
Microsoft Threat Intelligence identified three distinct pathways these attackers used to compromise Salesforce instances. The first involved the exploitation of OAuth connections to gain access to customer data. The second pathway involved the use of stolen credentials, likely obtained through phishing or other credential stuffing techniques, to log into Salesforce accounts. The third pathway, though less common, involved the abuse of legitimate APIs to exfiltrate data.
These attacks have been ongoing for approximately 12 months, impacting multiple organizations. The attackers have demonstrated a sophisticated understanding of how Salesforce integrates with other services, allowing them to bypass traditional security measures. The group's consistent use of these methods suggests a deliberate and sustained campaign aimed at data theft and potential extortion.
Microsoft has provided specific indicators of compromise (IoCs) and recommended mitigation strategies to help organizations protect their Salesforce environments. These recommendations include regularly reviewing and revoking unnecessary OAuth connections, implementing multi-factor authentication (MFA) for all Salesforce users, and monitoring API usage for suspicious activity. The company emphasized the importance of a layered security approach to defend against such sophisticated threats.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.