
Teen hacker gangs threaten Google and FBI over Salesforce-linked investigations


A new cybercrime coalition is using stolen Salesforce data to threaten federal agents, tech executives, and global companies.


What happened

Three teenage cybercrime gangs, ShinyHunters, LAPSUS$, and Scattered Spider, have regrouped under a new identity, calling themselves “scattered LAPSUS$ hunters” (SLH). According to Cybernews, the group has claimed responsibility for a string of high-profile breaches tied to compromised Salesforce instances and is now publicly threatening the FBI, Google, and other targets. The hackers demanded that investigations be dropped and specific FBI and Google employees be fired or else stolen databases would be leaked.

The group has already published the names and job titles of 14 FBI agents and threatened Google CEO Sundar Pichai directly. Posts from their new Telegram channel include further threats toward individuals at CrowdStrike, Allianz, and even political figures.


Going deeper

The attackers claim to have breached multiple companies via stolen authentication tokens tied to Salesloft Drift, an AI-powered conversational marketing platform. These tokens were used to infiltrate Salesforce instances belonging to companies like Google, Victoria’s Secret, and Zscaler. Once inside, they allegedly exfiltrated sensitive credentials, including AWS keys, Snowflake tokens, and GCP service account keys.

Google confirmed that a small number of Workspace accounts were affected through integrations with Salesloft Drift, but said Gmail and broader Workspace services were not compromised. TransUnion, another company allegedly targeted, has already notified 4.4 million customers of a possible data exposure.

The group is now advertising stolen credentials on dark web forums and claims that many are still active. Cybernews could not independently verify the validity of the data.


What was said

The hackers’ new Telegram channel, launched on August 28, features posts full of taunts, profanity, and threats. They’ve posted screenshots of internal tools, leaked databases (like one titled “Gemini.com”), and issued public ultimatums. While Google warned customers about token compromises, it stated that only accounts directly connected to Salesloft Drift were at risk. A spokesperson confirmed that the company had notified affected Workspace administrators.

Cybersecurity journalist Brian Krebs noted that while the group seeks maximum attention, it’s still unclear how the authentication tokens were initially obtained or which group member executed the attacks.


FAQs

What is Salesloft Drift, and how does it fit into the breach?

Salesloft Drift is a conversational marketing platform that integrates with Salesforce. Hackers abused authentication tokens stored in Drift to access customers’ Salesforce data.


Why are authentication tokens so dangerous in breaches like this?

Tokens often allow direct access to platforms without needing passwords. If stolen and still active, they can be reused to infiltrate systems without detection.


What are companies doing to prevent similar attacks?

Vendors like Google have advised customers to treat all tokens stored in connected platforms as compromised, rotate credentials, and audit third-party app integrations.
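As an added example (not from the article, nor code from Salesforce, Google or Salesloft), a small Python scanner that flags the credential types the article says were pulled out of Salesforce records, so they can be put on a rotation worklist. The record IDs are hypothetical, the AWS key ID is AWS's documented example value, and the Snowflake pattern is an assumption about how such a token might appear in free text, not a vendor-documented format.

```python
import re

# Credential formats to look for in exported CRM records.
#  - AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
#  - GCP service-account keys: JSON documents containing "type": "service_account".
#  - Snowflake tokens are opaque; this pattern is an assumption that catches a
#    labelled token in free text, not a documented format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "snowflake_token": re.compile(r"(?i)snowflake[_ -]?(?:token|pat)\s*[:=]\s*\S{20,}"),
}


def scan_records(records):
    """Return (record_id, field, kind) for every credential-like match in string fields."""
    findings = []
    for rec in records:
        rec_id = rec.get("Id", "<no-id>")
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                if pattern.search(value):
                    findings.append((rec_id, field, kind))
    return findings


def rotation_worklist(findings):
    """Group findings by credential kind: one rotation task per kind, listing affected fields."""
    worklist = {}
    for rec_id, field, kind in findings:
        worklist.setdefault(kind, set()).add(f"{rec_id}.{field}")
    return {kind: sorted(refs) for kind, refs in worklist.items()}


# Constructed sample export (hypothetical record IDs; the AWS key ID is AWS's documented example).
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "Deploy help",
     "Description": "Use AKIAIOSFODNN7EXAMPLE with the secret from the wiki"},
    {"Id": "500xx0000000002", "Subject": "GCP access",
     "Description": '{"type": "service_account", "project_id": "demo", "private_key": "..."}'},
    {"Id": "500xx0000000003", "Subject": "Normal ticket",
     "Description": "Customer asks about invoice dates"},
]

if __name__ == "__main__":
    for kind, refs in rotation_worklist(scan_records(SAMPLE_RECORDS)).items():
        print(f"rotate {kind}: {', '.join(refs)}")
```

Run it against a real export of the objects a connected app could read (cases, notes, attachments rendered to text) rather than the constructed sample.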


How are threat groups like SLH able to regroup after major arrests?

Despite high-profile takedowns, these groups often operate as loose online collectives. New members and leaders emerge, using shared infrastructure and anonymous channels like Telegram to rebuild.


Can law enforcement track attackers who use platforms like Telegram?

While encrypted messaging apps offer some anonymity, coordinated investigations across jurisdictions, digital forensics, and international cooperation have led to arrests in past cases.