Food delivery giant Grubhub confirmed this week that hackers accessed its internal systems and downloaded company data. Sources indicate the ShinyHunters cybercrime group is now extorting the company, demanding Bitcoin to prevent release of stolen Salesforce and Zendesk records. What makes this breach particularly concerning is that the attack did not start at Grubhub. Investigators believe attackers used OAuth tokens stolen during the Salesloft Drift breach campaign last summer to open the door to Grubhub’s Salesforce customer data months later.
Grubhub Confirms Unauthorized Access to Internal Systems
Grubhub acknowledged the breach in a statement to BleepingComputer on January 17, 2026, confirming that “unauthorized individuals recently downloaded data from certain Grubhub systems.” The company claims financial information and order history were not affected, but declined to answer questions about when the breach occurred, what customer data was exposed, or whether ransom negotiations are underway.
Security researchers and sources familiar with the incident have provided additional details. The attackers accessed Grubhub’s Zendesk customer support platform, which powers the company’s online support chat system for orders, account problems, and billing issues. They also obtained older Salesforce CRM data dating back to a February 2025 breach. ShinyHunters is reportedly demanding payment to prevent public release of both datasets.
This is not Grubhub’s first security issue in recent months. Weeks before this disclosure, fraudulent cryptocurrency scam emails were sent from a legitimate Grubhub subdomain, raising questions about persistent attacker access to company systems.
For context on what is at stake, Grubhub operates in over 4,000 U.S. cities with 375,000 merchants and 200,000 delivery providers. Wonder Group acquired the company for $650 million in late 2024, which represents a fraction of the $7.3 billion Just Eat Takeaway paid in 2020.
Why a Five-Month-Old Breach Is Still Your Problem
The technical story here is more important than the breach itself because it explains why your organization could be next.
The Salesloft Drift Campaign
Between August 8-18, 2025, threat actors exploited OAuth tokens for Salesloft’s Salesforce integration to conduct a massive data theft campaign. ShinyHunters claims they stole approximately 1.5 billion records spanning Salesforce “Account,” “Contact,” “Case,” “Opportunity,” and “User” tables across more than 700 companies. The victim list includes Jaguar Land Rover, Gucci, Chanel, Cisco Systems, Google, and now Grubhub.
Google Threat Intelligence Group advised all Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” That advisory went out months ago. Grubhub’s breach this week demonstrates that many organizations either did not rotate their tokens or did not act quickly enough.
Why OAuth Tokens Bypass Your MFA Investment
Cory Michal, CSO at AppOmni, explained the mechanics to Cybernews: “Those tokens often operate as bearer credentials: if an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge.” When a connected app like Salesloft Drift has authenticated access to your Salesforce org, that access persists through tokens rather than through interactive logins. Attackers who steal those tokens inherit that access without needing a password and without triggering an MFA prompt.
Why New Victims Are Still Emerging Five Months Later
What should concern every security leader is that the August 2025 Salesloft breach is still producing new victims in January 2026. That represents a five-month exploitation window that continues to expand. The attack chain demonstrates how supply chain compromises cascade. Attackers targeted Salesloft, and Salesloft’s integration tokens provided access to over 700 customer Salesforce orgs. Data stolen from those orgs, including AWS keys, Snowflake tokens, and additional credentials, enabled follow-on attacks against systems like Zendesk.
One breach produced hundreds of victims. Months of exploitation. And the count is still rising.
Protect Your Organization Before You Become the Next Headline
A breach from last year can still be your problem this year. The Grubhub incident reinforces what we have been discussing in Salesforce Security Office Hours: attackers are not breaking into Salesforce directly. They are walking through doors that connected apps left open.
Immediate Actions
If your organization uses or has ever used Salesloft Drift, you should treat this as an active incident.
Audit your connected apps. Review every OAuth connection in your org. In Setup, go to Apps, then Connected Apps, then Connected Apps OAuth Usage to see which apps hold tokens and how many users authorized each one; a user's detail page, under OAuth Connected Apps, shows when each token was last used. Look for apps no one recognizes, apps with broader scopes than their job requires (full or refresh_token access for a tool that only needs to read leads), and old authorizations that no one remembers approving. If you cannot name an owner and a business reason, revoke it.
Rotate all tokens and secrets. If you have not rotated credentials connected to Drift since August 2025, assume they are compromised. This applies to OAuth tokens, API keys, and any secrets stored in or connected to the platform, and to anything that data was reachable from: the Drift campaign harvested AWS keys, Snowflake tokens, and similar secrets out of Salesforce records, so rotate those too.
Use one integration user per vendor. When Gainsight and Drift were compromised in 2025, organizations with shared integration users had no way to isolate the damage or tell which vendor's tokens performed which actions. One user per vendor limits your blast radius and gives you a clean audit trail. It takes 30 minutes to set up. Breach containment takes months. Learn more in our session on Architecting Trusted Salesforce Solutions.
Enable IP restrictions on every request. By default Salesforce validates your IP address at login, and the session then runs without another check. An attacker who steals a session token can use it from anywhere. Enable “Enforce login IP ranges on every request” in Session Settings. The setting only enforces the login IP ranges defined on profiles, so it does nothing for a profile that has none; give each integration user's profile a range limited to the vendor's published addresses, and test the change in a sandbox first because a missing range will break the integration.
Search for indicators of compromise. Pull Login History (Salesforce keeps six months), Setup Audit Trail, and, if you have Event Monitoring, the event log files for API, Bulk API, and report export activity. Look for integration users logging in from addresses that do not belong to the vendor, unusual API calls, failed login spikes, elevated access errors, and unexpected data exports. If attackers had access, the evidence is in your logs. For guidance on what to look for, see our session on the Threat Response Lifecycle for Salesforce Administrators.
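The following is an added example, not code from the original post or from EzProtect, showing how the audit and log-review steps above can be scripted. The input rows are constructed to mirror the shape of SOQL results over the OauthToken and LoginHistory objects (flattened to plain dictionaries, with LoginHistory joined to a username); in a real org you would export the same fields with the REST API or Data Loader and feed them to the same functions. The approved-app inventory, the per-vendor IP ranges, the usernames, and the review date are all assumptions made up for the example.

```python
"""Post-Drift triage of Salesforce connected-app tokens and login history.

Added example, not part of the original post. All sample rows below are
constructed to look like flattened OauthToken and LoginHistory records.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

SF_TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%f%z"   # datetime format Salesforce returns
REVIEW_DATE = datetime(2026, 1, 20, 12, 0, tzinfo=timezone.utc)  # assumed review date

# Assumed inventory: apps someone in the org has actually approved and owns.
APPROVED_APPS = {"Data Loader", "Zendesk for Salesforce"}

# Assumed per-vendor source ranges for the dedicated integration users.
INTEGRATION_RANGES = {
    "integration.drift@example.com": ["198.51.100.0/24"],
    "integration.zendesk@example.com": ["203.0.113.0/24"],
}

# Constructed rows, one per active OAuth token, flattened from
# SELECT Id, AppName, User.Username, LastUsedDate, UseCount FROM OauthToken
OAUTH_TOKENS = [
    {"Id": "0Tk000000000001", "AppName": "Salesloft Drift",
     "Username": "integration.drift@example.com",
     "LastUsedDate": "2025-08-15T03:12:00.000+0000", "UseCount": 1800},
    {"Id": "0Tk000000000002", "AppName": "Data Loader",
     "Username": "admin@example.com",
     "LastUsedDate": "2026-01-18T14:05:00.000+0000", "UseCount": 40},
    {"Id": "0Tk000000000003", "AppName": "Zendesk for Salesforce",
     "Username": "integration.zendesk@example.com",
     "LastUsedDate": "2025-09-01T09:30:00.000+0000", "UseCount": 5000},
    {"Id": "0Tk000000000004", "AppName": "Unknown Mobile Client",
     "Username": "sales.rep@example.com",
     "LastUsedDate": "2026-01-19T11:00:00.000+0000", "UseCount": 2},
]


def _login(user, ip, status, time, app, login_type="Application"):
    """Build one constructed LoginHistory-shaped row."""
    return {"Username": user, "LoginType": login_type, "SourceIp": ip,
            "Status": status, "LoginTime": time, "Application": app}


# Constructed login rows: one OAuth login for the Drift user from an address
# outside the vendor range, plus a burst of failed logins for a sales user.
LOGIN_HISTORY = [
    _login("integration.drift@example.com", "203.0.113.7", "Success",
           "2025-08-12T02:00:00.000+0000", "Salesloft Drift", "Remote Access 2.0"),
    _login("integration.drift@example.com", "198.51.100.10", "Success",
           "2025-08-13T02:00:00.000+0000", "Salesloft Drift", "Remote Access 2.0"),
    _login("integration.zendesk@example.com", "203.0.113.50", "Success",
           "2026-01-19T08:00:00.000+0000", "Zendesk for Salesforce", "Remote Access 2.0"),
    _login("admin@example.com", "192.0.2.5", "Success",
           "2026-01-18T14:00:00.000+0000", "Browser"),
    _login("admin@example.com", "192.0.2.5", "Invalid Password",
           "2026-01-18T13:58:00.000+0000", "Browser"),
] + [
    _login("sales.rep@example.com", "192.0.2.44", "Invalid Password",
           f"2026-01-19T10:0{i}:00.000+0000", "Browser") for i in range(4)
]


def parse_sf_time(value):
    """Parse a Salesforce datetime string such as 2025-08-15T03:12:00.000+0000."""
    return datetime.strptime(value, SF_TIMESTAMP)


def review_oauth_tokens(tokens, approved_apps, now, max_idle_days=90):
    """Return tokens an admin must revoke or justify: apps missing from the
    approved inventory, and tokens idle for longer than max_idle_days."""
    findings = []
    for row in tokens:
        reasons = []
        if row["AppName"] not in approved_apps:
            reasons.append("app not on approved inventory")
        idle_days = (now - parse_sf_time(row["LastUsedDate"])).days
        if idle_days > max_idle_days:
            reasons.append(f"idle {idle_days} days")
        if reasons:
            findings.append({"Id": row["Id"], "AppName": row["AppName"],
                             "Username": row["Username"], "reasons": reasons})
    return findings


def review_logins(logins, integration_ranges, failure_threshold=3):
    """Flag integration-user logins from outside the vendor's expected ranges
    and users whose failed-login count reaches failure_threshold."""
    outside_range = []
    failures = Counter()
    for row in logins:
        if row["Status"] != "Success":
            failures[row["Username"]] += 1
            continue
        ranges = integration_ranges.get(row["Username"])
        if ranges is None:          # not a dedicated integration user; no range policy
            continue
        ip = ipaddress.ip_address(row["SourceIp"])
        if not any(ip in ipaddress.ip_network(r) for r in ranges):
            outside_range.append(row)
    spikes = {u: n for u, n in failures.items() if n >= failure_threshold}
    return outside_range, spikes


if __name__ == "__main__":
    for f in review_oauth_tokens(OAUTH_TOKENS, APPROVED_APPS, REVIEW_DATE):
        print(f"REVOKE/JUSTIFY {f['Id']} {f['AppName']} ({f['Username']}): {', '.join(f['reasons'])}")
    outside, spikes = review_logins(LOGIN_HISTORY, INTEGRATION_RANGES)
    for row in outside:
        print(f"OUT-OF-RANGE {row['Username']} from {row['SourceIp']} at {row['LoginTime']}")
    for user, count in spikes.items():
        print(f"FAILED-LOGIN SPIKE {user}: {count} failures")
```

On the constructed data the token review flags the Drift token (not on the inventory and idle since August), the Zendesk token (approved, but idle for months), and the unknown mobile client; the login review surfaces the Drift user's login from outside its vendor range and the burst of failed logins for the sales user. Per-vendor ranges work only because each vendor has its own integration user, which is the point of the one-user-per-vendor step above.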
Why Most Organizations Cannot Answer Basic Questions
Most organizations cannot answer basic questions about their connected app exposure. How many integrations have Salesforce access? What permissions do they have? When were those permissions last reviewed? Which tokens have not been rotated in over a year? Hackers work like a business. You are a lead they want to convert and exploit. If you cannot answer those questions, you are already in their pipeline, waiting for them to work through their inventory and get to you.
Why the Salesforce Ecosystem Is the Real Target
The Grubhub breach is not an isolated incident. It is a case study in how modern attackers have shifted their strategy. Direct platform attacks are difficult because Salesforce’s core infrastructure is well-defended. The ecosystem around it is where the vulnerabilities live. By compromising a widely used service provider like Salesloft, attackers potentially gain keys to hundreds or thousands of downstream customers. A single successful breach yields access to far more valuable data than attacking individual companies one at a time.
Why Your Vendors’ Security Is Your Security
Every OAuth token you grant, every connected app you install, and every third-party integration you approve extends your attack surface into someone else’s environment. Their breach becomes your breach, sometimes months later when you have forgotten the connection ever existed.
The February 2025 Grubhub breach came through a third-party support service provider. The January 2026 breach came through Salesloft. Different vendors produced the same outcome: attackers exploiting the trust relationships between platforms.
Google Threat Intelligence Group, Mandiant, and AppOmni have all flagged this pattern. The FBI issued a specific warning about Salesforce ecosystem attacks in September 2025. Organizations that treated the Salesloft Drift advisory as someone else’s problem are discovering it was always their problem.
What This Means for Your Organization
The Grubhub breach is not really about Grubhub. It is about what happens when organizations treat connected app security as an afterthought, when OAuth tokens sit unrotated for months, when integration inventories do not exist, and when vendor security reviews stop at the contract signing. ShinyHunters did not hack Grubhub directly. They used stolen OAuth tokens to open the door to Salesforce customer data months after the original breach. That door is still open at hundreds of organizations who have not rotated their tokens.
The question is not whether your organization uses Salesloft. The question is whether you know what tokens are active in your environment, what access they grant, and when they were last rotated.
Join Us for Salesforce Security Office Hours
Every session referenced in this article came from this live community series, hosted by Matt Myers, Salesforce CTA and CEO/Co-Founder of EzProtect, with industry experts from Google, PayPal, DocuSign, and across the ecosystem, and live Q&A. Bring your burning questions and we will see you online.