ShinyHunters-linked extortion group abused Salesforce OAuth trusts for months
Source headline: Microsoft Maps Year-Long ShinyHunters-Linked Salesforce Data Theft Across Three Paths
Intelligence Summary
A ShinyHunters-linked extortion group has allegedly gained access to corporate Salesforce environments without exploiting platform vulnerabilities. The intrusion paths rely on existing trust relationships, especially OAuth connections between Salesforce and connected apps or third-party vendors. This approach reduces the need for traditional Salesforce exploits and makes detection harder. Organizations using OAuth-integrated apps may have had standing authorization that attackers could reuse. The risk is persistent unauthorized access to customer and business data. Teams should review OAuth grants, connected apps, and account-level permissions for Salesforce exposure.
Recommended Action
Review affected assets, schedule urgent remediation, and monitor related indicators.