What is the story about?
What's Happening?
A widespread data theft campaign has targeted hundreds of Salesforce customer instances, as reported by the Google Threat Intelligence Group (GTIG). The attacks, carried out by a threat actor known as UNC6395, did not exploit vulnerabilities within Salesforce itself but rather compromised OAuth tokens for Salesloft Drift, a third-party AI chatbot. Between August 8 and August 18, 2025, the actor systematically exported large volumes of data from numerous corporate Salesforce instances, primarily aiming to harvest credentials. Salesloft has shared indicators of compromise to help affected organizations identify potential breaches. The compromised tokens were revoked on August 20, requiring re-authentication for Drift-Salesforce connections. Approximately 700 Salesforce customers were affected, with Salesforce removing Drift from AppExchange and notifying impacted customers.
Why Is It Important?
This incident highlights the risk that third-party integrations introduce into corporate environments: a compromised integration token can grant the same data access the integration itself was trusted with, without any flaw in the platform being integrated. The breach underscores the importance of robust security measures and regular audits of third-party applications to prevent unauthorized access. Organizations using Salesforce and similar platforms must be vigilant about the security of integrated services, as they can become entry points for attackers. The campaign's focus on credential harvesting poses significant risks, since secrets stored in exported records can be reused for further unauthorized access and data breaches. Companies affected by this breach may face reputational damage, financial losses, and increased scrutiny from regulatory bodies.
What's Next?
Affected organizations are advised to hunt for signs of compromise and to rotate all credentials and secrets stored within Salesforce objects. Salesforce and Salesloft are likely to enhance their security protocols and review third-party integrations to prevent future incidents. Companies may also consider implementing stricter access controls and monitoring to detect and respond to suspicious activity promptly. The cybersecurity community will continue to monitor the activities of UNC6395 and similar threat actors to mitigate risks and develop countermeasures.
AI Generated Content