What is the story about?
What's Happening?
A widespread data theft campaign has impacted hundreds of Salesforce customers, according to the Google Threat Intelligence Group (GTIG). The attack, which occurred between August 8 and August 18, 2025, did not exploit a vulnerability within Salesforce itself but instead relied on compromised OAuth tokens for Salesloft Drift, a third-party AI chatbot. The threat actor, identified as UNC6395, systematically exported large volumes of data from numerous Salesforce instances, seeking sensitive information such as AWS access keys and passwords. Salesloft has since revoked the tokens for Drift, requiring re-authentication for affected integrations. Salesforce has removed Drift from its AppExchange and notified impacted customers.
Why It's Important?
This incident highlights the vulnerabilities associated with third-party integrations and the potential risks they pose to data security. As businesses increasingly rely on cloud-based services and third-party applications, ensuring the security of these integrations becomes critical. The attack underscores the importance of robust security measures, including regular audits and monitoring of third-party access to sensitive data. Organizations must remain vigilant and proactive in safeguarding their data against such threats, which can have significant financial and reputational consequences.
What's Next?
Organizations affected by the data theft are advised to conduct thorough investigations to identify any signs of compromise and to rotate all credentials and secrets stored within Salesforce. The incident may prompt businesses to reassess their third-party integration policies and strengthen their security protocols. Additionally, regulatory bodies may increase scrutiny of data protection practices, leading to more stringent compliance requirements for companies handling sensitive information.
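One way to build the rotation list recommended above is to scan an export of your own Salesforce records for the kinds of secrets the actor was seeking (AWS access keys and passwords). This is an added example, not code from the article, GTIG or Salesforce; the CSV layout, field names, regular expressions and sample rows are constructed assumptions, and the AWS key shown is AWS's published documentation placeholder.

```python
import csv
import io
import re

# Constructed sample export of Case records (not real data).
SAMPLE_EXPORT = """\
Id,Subject,Description
500000000000001,Login help,Customer cannot log in after reset
500000000000002,S3 upload failing,Using key AKIAIOSFODNN7EXAMPLE for the bucket
500000000000003,VPN setup,password: Hunter2-constructed please confirm
"""

# Assumed patterns: AWS access key IDs (AKIA/ASIA prefix plus 16 characters)
# and "password = value" style assignments typed into free-text fields.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"
    ),
}


def redact(secret):
    """Keep a 4-character hint so the owner can identify the credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_secrets(export_text):
    """Return one finding per secret-like string, keyed by record and field."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for field, value in row.items():
            if field == "Id" or not isinstance(value, str):
                continue  # skip the key column and malformed or short rows
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    # Use the capture group when the pattern defines one.
                    secret = match.group(match.lastindex or 0)
                    findings.append({"record": row["Id"], "field": field,
                                     "kind": kind, "redacted": redact(secret)})
    return findings


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_EXPORT):
        print(finding)
```

Each finding identifies a record whose credential should be rotated and then removed from the field; the report stores only the redacted form, so it does not become a second copy of the secrets.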
AI Generated Content