• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

ShinyHunters Abuses Salesforce OAuth to Bypass MFA

Published on: July 14, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 492 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
What Are Large Language Models? How LLMs Work and Who Builds Them
Lidl Confirms Data Breach at Third-Party IT Provider
GhostCommit Attack Hides Prompt Injection Inside Images
Robert A. Lee
Reviewed By
Robert A. Lee
Robert A. Lee
Senior Editor • 407 Articles
Robert A. Lee is a journalist at SQ Magazine who unpacks the fast-moving worlds of gaming and internet trends. He tracks everything from maj...
LATEST POSTS:
Amazon Music Statistics 2026: Subscribers, Share and Revenue
Document AI Statistics 2026: How Businesses Are Automating Paperwork
How Many People Use YouTube 2026: Users by Country
Shinyhunters Abuses Salesforce Oauth To Bypass Mfa
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

Microsoft disclosed on July 13, 2026 that attackers using tradecraft associated with ShinyHunters abused trusted Salesforce OAuth connections between mid-2025 and mid-2026 to sidestep multi-factor authentication (MFA) and exfiltrate CRM data. The campaigns hit Salesforce tenants across retail, education and manufacturing.

Quick Summary – TLDR:

  • Microsoft tied a year of Salesforce intrusions to ShinyHunters-associated tradecraft spanning voice phishing, supply-chain compromise and misconfigured guest access.
  • A fake Salesforce Data Loader app tricked employees into granting OAuth consent, letting attackers inherit the user’s session and skip MFA entirely.
  • Compromised Salesloft Drift credentials in August 2025 exposed connection secrets used across multiple customer Salesforce tenants.
  • A Gainsight-integration campaign in November 2025 kept persistent API access without triggering sign-in anomalies.
  • The threat actor Storm-3138 breached market-intelligence platform Klue in June 2026 and reused the same Salesforce credential-abuse pattern.

What Happened?

Microsoft’s threat intelligence team said the activity was not the result of a vulnerability inherent to Salesforce, but of attackers abusing trusted OAuth relationships, according to Microsoft. OAuth is the delegated sign-in system that lets one application act on a user’s behalf without ever seeing that user’s password. Once a victim approves the wrong connection, the attacker’s app inherits real permissions and can query the CRM (customer relationship management) system like any authorized user.

The disclosure centers on tradecraft including voice phishing (vishing), supply chain compromise, and misconfigured guest access used against customer SaaS-based applications such as Salesforce. That single throughline is why a year of seemingly unrelated vendor breaches, at Salesloft, Gainsight and now Klue, reads as one long campaign rather than three coincidences.

Microsoft identified threat actor activity with overlapping tradecraft commonly associated with ShinyHunters, including voice phishing (vishing), supply-chain compromise, and misconfigured guest access targeting SaaS-based applications. https://t.co/CijwSaeJ18

Across intrusion…

— Microsoft Threat Intelligence (@MsftSecIntel) July 13, 2026

How the OAuth Bypass Works?

The most common route started with vishing, voice calls where attackers impersonated IT support staff. Employees who approved the fake Data Loader app handed attackers a session that could issue Salesforce API calls without repeat authentication. GBHackers, a security outlet that separately reviewed the disclosure, described the effect as neutralizing MFA as a meaningful barrier, since the activity ran through a valid, authorized OAuth session rather than a stolen password or an anomalous login.

Other paths in the campaign targeted infrastructure instead of individual employees:

  • Salesloft Drift (August 2025): compromised credentials exposed connection secrets that let attackers reuse OAuth tokens across multiple customer Salesforce instances.
  • Gainsight (November 2025): a follow-on campaign targeted Gainsight-published Salesforce apps to maintain persistent API access in multiple customer environments.
  • Klue / Storm-3138 (June 2026): the threat actor Storm-3138 accessed Klue’s own systems and reused Salesforce credentials to discover, query and exfiltrate data the same way.
  • Guest-access abuse: Microsoft also flagged a wave of suspicious guest user activity targeting Salesforce Aura endpoints. Chaining requests against that framework let attackers pull far more data than a guest account should ever reach.

Microsoft published two indicators of compromise (IOCs, the technical fingerprints defenders use to spot an attack) alongside the disclosure: IP address 138.226.246.94, used by the Klue integration to query Salesforce on June 11, and IP address 103.75.11.78, used to target the Aura framework with guest access between June 19 and 22.

SQ Magazine’s Takeaway

This is a governance failure dressed as a technical one. Every intrusion path here relied on Salesforce granting access to something the organization itself authorized: a connected app, a vendor integration, a guest account.

None of it needed a stolen password to work. MFA protects a login, but it does nothing once an OAuth token has already been handed to the wrong party.

The fix is not a stronger password policy. Security teams need to inventory every connected app tied to their Salesforce tenant, check who granted it access and why, and cut off anything unused or over-privileged.

Expect more vendors in this same supply chain to disclose related incidents as investigators keep tracing where the Storm-3138 and Klue credentials surfaced next. Organizations running Salesforce Experience Cloud should audit guest-user permissions now, before an Aura-endpoint scan turns up in their own logs.

This article has been reviewed and fact-checked by Robert A. Lee. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity

References

  • Microsoft Security Blog: Defending SaaS-based applications against ShinyHunters OAuth abuse (July 13, 2026)
  • GBHackers: ShinyHunters Hackers Abuse Salesforce OAuth to Bypass MFA and Exfiltrate CRM Data (July 14, 2026)
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Oracle Peoplesoft Flaw Linked To Shinyhunters
Cybersecurity

Urgent Oracle PeopleSoft Flaw Linked to ShinyHunters Campaign

Soudncloud Data Breach Affected 29 8 Million Users
Cybersecurity

29.8 Million SoundCloud Users Affected in Data Leak Tied to ShinyHunters

Charter Communications Confirm 4 9m Customers Affected
Cybersecurity

Charter Data Breach Exposes 4.9 Million Accounts After Hack

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

Tangem Wallet Cards Vulnerable to Laser Fault Attack
Microsoft Patches RoguePlanet Zero-Day in Defender
Palo Alto Networks Patches 13 PAN-OS Vulnerabilities

Table of Contents

  • Quick Summary – TLDR:
  • What Happened?
  • How the OAuth Bypass Works?
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
Amazon Music Statistics
Amazon Music Statistics 2026: Subscribers, Share and Revenue
How Many People Use YouTube
How Many People Use YouTube 2026: Users by Country
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Spotify vs Apple Music Statistics
Spotify vs Apple Music Statistics 2026: Subscribers, Revenue, Market Share
Time Spent on TikTok Statistics
Time Spent on TikTok Statistics 2026: Daily Minutes by Age
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
How Many People Work At Midjourney
How Many People Work At Midjourney 2026: Lean Team, Big Revenue
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Machine Learning Adoption
Machine Learning Adoption in 2026: What Businesses Need to Know
AI Influencer Marketing Statistics
AI Influencer Marketing Statistics: Market Size and Engagement
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Telegram S T Me Domain Suspended Amid Ofac Sanctions Link
Telegram’s t.me Domain Suspended Amid OFAC Sanctions Link
Shinyhunters Abuses Salesforce Oauth To Bypass Mfa
ShinyHunters Abuses Salesforce OAuth to Bypass MFA
Lidl Confirmed Data Breach Of Online Store
Lidl Confirms Data Breach at Third-Party IT Provider
Ghostcommit Attack Hides Prompt Injection Inside Images
GhostCommit Attack Hides Prompt Injection Inside Images
Tangem Wallet Cards Vulnerable To Laser Fault Attack
Tangem Wallet Cards Vulnerable to Laser Fault Attack
Microsoft Patches Rogueplanet Zero Day In Defender
Microsoft Patches RoguePlanet Zero-Day in Defender
Artificial Intelligence
Anthropic Extends Claude Fable 5 Access Again
Anthropic Extends Claude Fable 5 Access Again
Openai Launches Chatgpt Work With Gpt 5 6 Agents
OpenAI Launches ChatGPT Work With GPT-5.6 Agents
Openai Shuts Down Standalone Atlas Browser
OpenAI Shuts Down Standalone Atlas Browser
Meta Launches Muse Spark 1 1 Ai Coding Model
Meta Launches Muse Spark 1.1 to Challenge Anthropic, OpenAI
Anthropic Launches Claude Reflect Beta To Track Ai Habits
Anthropic Launches Claude Reflect Beta to Track AI Habits
Xai Launches Grok 4 5
xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class
Internet
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Telegram Restricted In India Temporarily
Telegram Restricted in India as NEET Fraud Crackdown Grows
Technology
Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.