Salesforce attackers threaten Google and FBI after a major supply-chain compromise linked to Salesloft Drift. The cybercriminal groups behind the breach—ShinyHunters, LAPSUS$, and Scattered Spider—demanded an end to ongoing investigations while claiming access to sensitive systems.
Who the Attackers Are
The coalition of groups declared themselves “invincible” in a public statement. They demanded Google dismiss employees in its Threat Intelligence Group and ordered the FBI to remove 14 agents assigned to the case.
The attackers also claimed to have infiltrated Google’s networks, and threatened to leak stolen data and expose the identities of FBI agents if their demands were ignored.
How the Breach Happened
The attackers exploited stolen OAuth tokens from the Salesloft Drift integration, an AI-powered chat tool connected to Salesforce. Using these tokens, they infiltrated multiple Salesforce environments, including instances linked to Google, Zscaler, and Victoria’s Secret.
Investigators discovered that the attackers stole AWS keys, Snowflake tokens, and customer account credentials. Google’s Threat Intelligence Group traced the activity back to August, identifying UNC6395 as the group responsible for harvesting stolen data across hundreds of Salesforce accounts.
Why This Matters
This incident represents a dangerous escalation in cyber extortion. Beyond stealing data, the attackers are openly threatening federal investigators and one of the world’s largest tech companies. The campaign highlights the risks of third-party integrations, where one compromised app can ripple across entire enterprise ecosystems.
For organizations, the breach underscores the urgent need to strengthen authentication controls, monitor access tokens, and conduct regular audits of SaaS integrations. The threats against Google and the FBI also demonstrate how emboldened cybercrime groups have become.
Conclusion
Salesforce attackers threaten Google and FBI in a bold move that combines data theft with public intimidation. By exploiting stolen OAuth tokens, they infiltrated high-profile Salesforce environments and escalated their demands into direct threats. This case shows that token-based compromises and supply-chain flaws remain critical risks. Attackers now openly challenge global institutions.

