Rapid Read    •   7 min read

Salesforce Customers Affected by Data Theft Campaign Exploiting OAuth Tokens

WHAT'S THE STORY?

What's Happening?

A widespread data theft campaign has impacted hundreds of Salesforce customer instances, as reported by the Google Threat Intelligence Group (GTIG). The attacks, carried out by a threat actor known as UNC6395, did not exploit a vulnerability within Salesforce itself but relied on compromised OAuth tokens for Salesloft Drift, a third-party AI chatbot. The campaign occurred between August 8 and August 18, 2025, with the actor exporting large volumes of data from corporate Salesforce instances. The primary intent was to harvest credentials, including AWS access keys and Snowflake-related access tokens. Salesloft has revoked the tokens for Drift, requiring re-authentication for affected connections.

Why Is It Important?

This incident highlights the risk that third-party integrations pose to data security: the attacker never needed a flaw in Salesforce, because a valid OAuth token issued to a connected application grants the same data access as the application itself. That underscores the importance of securing authentication mechanisms and monitoring the third-party applications connected to an organization's tenants. Organizations using Drift with Salesforce are advised to consider their data compromised and take steps to secure their systems. The attack also demonstrates the operational security awareness of the threat actor, emphasizing the need for robust security measures and regular audits to prevent data breaches.

What's Next?

Affected organizations should review their security logs for evidence of data exposure and rotate all credentials and secrets stored in Salesforce objects. Salesforce has removed Drift from AppExchange, and customers are advised to hunt for signs of compromise. The incident may prompt Salesforce and other companies to strengthen security controls for third-party integrations and improve incident response strategies. Continuous monitoring and adaptation of security measures will be crucial to preventing similar attacks in the future.
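To act on the rotation advice above, a defender first has to find which exported records actually held secrets. The following is an added example (not code from the article or from Salesforce, Salesloft or GTIG) that scans constructed sample Salesforce records for the credential types the campaign targeted; the AWS access-key-ID format is documented, while the Snowflake and generic password patterns are assumed heuristics.

```python
import re
from typing import Dict, List

# Constructed sample of exported Salesforce records (not real data); free-text
# fields like Case descriptions are where staff often paste credentials.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"object": "Case", "Id": "500000000000001AAA",
     "Description": "Sync failing. Temp creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"object": "Case", "Id": "500000000000002AAA",
     "Description": "Please reset my password, I forgot it."},
    {"object": "Account", "Id": "001000000000003AAA",
     "Description": "Warehouse: jdbc:snowflake://xy12345.snowflakecomputing.com/?user=etl&password=Hunter2Hunter2"},
    {"object": "Opportunity", "Id": "006000000000004AAA",
     "Description": "Renewal call scheduled for Q4."},
]

# Heuristic patterns for the secret types the campaign harvested. The AWS key-ID
# prefix/length is documented; the Snowflake and generic patterns are assumptions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "snowflake_connection_with_password": re.compile(r"snowflakecomputing\.com\S*?password=\S+", re.I),
    "generic_password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}

SKIP_FIELDS = {"object", "Id"}  # metadata, not free text


def mask(value: str) -> str:
    """Keep only a short prefix so findings can be triaged without re-exposing the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (record, field, pattern) match; each names what must be rotated."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field in SKIP_FIELDS or not isinstance(text, str):
                continue
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"object": rec["object"], "Id": rec["Id"], "field": field,
                                     "type": name, "sample": mask(m.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['Id']} {f['field']}: {f['type']} -> {f['sample']}")
```

In practice the records would come from the same objects the actor exported (the page names Cases among them), and each finding becomes a rotation ticket for the owning team.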

AI Generated Content
