Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesting credentials and sensitive information. The campaign ran from August 8 to August 18, 2025, affecting various Salesforce objects such as Cases, Accounts, Users, and Opportunities. The actor demonstrated operational security awareness by deleting query jobs. Salesloft and Salesforce have taken measures to revoke access tokens and remove the Drift application from the Salesforce AppExchange. Impacted organizations are urged to take immediate remediation steps, including investigating for compromise, scanning for exposed secrets, and hardening access controls.
OPENCTI LABELS :
supply chain,data theft,credential harvesting,salesforce,oauth tokens,salesloft drift
AI COMMENTARY :
1. Introduction: The recent discovery of a sophisticated threat campaign dubbed Widespread Data Theft Targets Salesforce Instances via Salesloft Drift highlights a critical supply chain vulnerability within the Salesforce ecosystem. Between August 8 and August 18, 2025, the advanced persistent threat group UNC6395 exploited compromised OAuth tokens tied to the popular Salesloft Drift application on the Salesforce AppExchange. By leveraging these tokens, the adversary accessed and systematically exfiltrated sensitive corporate data, underscoring the growing risk of third-party integrations in modern business environments.
2. Threat Actor Profile and Timeline: UNC6395 executed a meticulously planned operation over ten days, initiating unauthorized access once valid OAuth tokens were obtained. These tokens, originally granted to the Salesloft Drift integration, permitted the actor to assume the identity of legitimate application users. During the campaign window, the group targeted hundreds of Salesforce instances, focusing on environments where the Drift application had elevated permissions. The narrow timeframe and the actor’s choice to delete query jobs immediately after data exports demonstrated a high level of operational security awareness.
3. Attack Methodology: The adversary’s approach hinged on credential harvesting and data theft techniques. By compromising the OAuth tokens, UNC6395 bypassed multi-factor authentication controls and leveraged the Drift application’s API privileges to issue large data queries against core Salesforce objects. The campaign extracted records from Cases, Accounts, Users, Opportunities, and other key tables. To minimize detection, the actor deleted System Query Jobs post-exfiltration and rotated through multiple compromised tokens. This methodical use of OAuth tokens exemplifies how malicious actors can weaponize legitimate integrations to facilitate supply chain attacks.
4. Impact on Salesforce Environments: The unauthorized export of customer data has potentially severe implications for compliance, customer trust, and competitive advantage. Harvested information may include contact details, account hierarchies, revenue figures, and sensitive user credentials. Organizations affected by this supply chain breach face the risk of follow-on attacks, such as account takeover or targeted phishing campaigns using the stolen data. The campaign also revealed how third-party applications, once compromised, can undermine an entire Salesforce tenant, making this incident a cautionary tale for enterprises dependent on external integrations.
5. Remediation and Hardening Recommendations: In response to this incident, Salesloft and Salesforce swiftly revoked all impacted OAuth tokens and removed the Salesloft Drift app from the AppExchange. Affected organizations are urged to conduct a thorough investigation of their Salesforce environments: scan for exposed secrets, audit logs, and look for evidence of unauthorized data exports. Security teams should enforce the principle of least privilege on all connected applications, regularly rotate OAuth credentials, and implement continuous monitoring of System Query Jobs. Additional measures include enabling event monitoring, deploying anomaly detection for API usage, and requiring granular consent for each third-party integration to reduce the attack surface.
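The query-job monitoring described above, as an added illustration that is not part of the original report or of any Salesforce or Salesloft tooling. It runs three defender-side rules over constructed, simplified job records (the schema, thresholds and app name are assumptions, not Salesforce's real event log format): a job run by the Drift connected app inside the August 8-18, 2025 window, a bulk export from the sensitive objects named in the report, and a job deleted shortly after completion, the anti-forensic pattern the actor used.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified schema (not Salesforce's real
# EventLogFile format): app = connected app that ran the query job.
SAMPLE_JOBS = [
    {"id": "J1", "app": "Salesloft Drift", "object": "Account", "rows": 1_250_000,
     "completed": "2025-08-10T02:14:00", "deleted": "2025-08-10T02:19:00"},
    {"id": "J2", "app": "Salesloft Drift", "object": "Case", "rows": 840_000,
     "completed": "2025-08-12T03:02:00", "deleted": "2025-08-12T03:05:00"},
    {"id": "J3", "app": "Salesloft Drift", "object": "Lead", "rows": 300,
     "completed": "2025-07-30T09:00:00", "deleted": None},
    {"id": "J4", "app": "Reporting Service", "object": "Opportunity", "rows": 900_000,
     "completed": "2025-08-15T01:00:00", "deleted": None},
]

SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}   # named in the report
WINDOW = (datetime(2025, 8, 8), datetime(2025, 8, 19))          # Aug 8-18, 2025 inclusive
ROW_THRESHOLD = 100_000                  # assumed: tune to the tenant's normal volume
DELETE_GRACE = timedelta(minutes=30)     # assumed: deletion this soon is suspicious


def flag_job(job):
    """Return the list of reasons this job is suspicious (empty list = nothing tripped)."""
    reasons = []
    done = datetime.fromisoformat(job["completed"])
    if job["app"] == "Salesloft Drift" and WINDOW[0] <= done < WINDOW[1]:
        reasons.append("drift-app-in-campaign-window")
    if job["object"] in SENSITIVE_OBJECTS and job["rows"] >= ROW_THRESHOLD:
        reasons.append(f"bulk-export:{job['object']}:{job['rows']}")
    if job["deleted"]:
        gap = datetime.fromisoformat(job["deleted"]) - done
        if gap <= DELETE_GRACE:
            reasons.append(f"job-deleted-after-{int(gap.total_seconds() // 60)}m")
    return reasons


def triage(jobs):
    """Map job id -> reasons for every job that trips at least one rule."""
    hits = {}
    for job in jobs:
        reasons = flag_job(job)
        if reasons:
            hits[job["id"]] = reasons
    return hits


if __name__ == "__main__":
    for job_id, why in triage(SAMPLE_JOBS).items():
        print(job_id, ", ".join(why))
```

The rules produce investigative leads, not verdicts: J4 is flagged on volume alone and needs an analyst to confirm whether that reporting integration normally exports at that scale.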
6. Conclusion: The Widespread Data Theft Targets Salesforce Instances via Salesloft Drift campaign serves as a stark reminder that supply chain security is only as strong as its weakest link. As cloud-based applications and service integrations become ever more pervasive, organizations must adopt a proactive, zero-trust mindset. By scrutinizing OAuth token usage, enforcing stringent access controls, and maintaining real-time visibility into all API interactions, enterprises can bolster their defenses against threats seeking to exploit legitimate credentials for credential harvesting and large-scale data theft. Vigilance and rapid incident response remain the keys to mitigating such sophisticated attacks in the future.