Hackers exploited a Salesforce integration via the Salesloft platform to steal sensitive credentials including AWS keys and Snowflake tokens. The ShinyHunters group claims responsibility for these coordinated attacks, which also involved breaching downstream cloud services. #ShinyHunters #SalesforceBreaches
Keypoints
- Hackers breached Salesloft's Salesforce-integrated platform to exfiltrate OAuth tokens.
- The primary goal was to steal credentials such as AWS access keys and Snowflake tokens.
- Active access was revoked, and customers were advised to re-authenticate their integrations.
- Google's Threat Intelligence links the attack to the threat actor UNC6395, operated by ShinyHunters.
- The attackers used Tor and cloud services like AWS and DigitalOcean to hide their infrastructure.