ShinyHunters Exploits OAuth to Breach Salesforce Environments for a Year
Attackers linked to ShinyHunters bypassed traditional exploits by leveraging pre-existing OAuth trust relationships. They accessed corporate Salesforce data without triggering platform vulnerabilities.
TL;DR
- Attackers疑似 ShinyHunters breached Salesforce environments for over a year.
- No platform exploits were used—access was gained via existing OAuth integrations.
- Microsoft mapped three distinct attack paths used by the threat actors.
- Organizations unknowingly granted access through trusted third-party app connections.
- The campaign highlights risks of overly permissive identity and access policies.
Cybercriminals believed to be part of the notorious data extortion group ShinyHunters have compromised numerous enterprise Salesforce environments over the past year. Rather than exploiting technical flaws in Salesforce itself, they leveraged legitimate OAuth-based integrations that organizations had previously authorized.
These integrations, meant to connect Salesforce with third-party applications and services, became entry points when misconfigured or excessively permissive. Microsoft's recent analysis uncovered how attackers maintained persistent access across multiple victim environments through these trusted pathways. This prolonged campaign underscores critical weaknesses in how businesses manage identity and access within cloud ecosystems.
How the Attackers Gained Access
- Attackers did not exploit any vulnerabilities in Salesforce’s core infrastructure.
- Access was achieved through pre-approved OAuth connections between Salesforce and external apps.
- Organizations had unknowingly granted broad permissions to third-party integrations.
- The attackers used these established trust relationships to move laterally and extract data.
Implications for Enterprise Security
- OAuth misuse represents a growing threat vector in cloud security.
- Traditional vulnerability scanning may miss risks from authorized but abused integrations.
- Continuous monitoring of API activity and integration permissions is essential.
- Organizations should audit and restrict third-party app access regularly.
- Incident response plans must account for credential abuse beyond stolen passwords.
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.