Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesting credentials and sensitive information. The campaign ran from August 8 to August 18, 2025, affecting various Salesforce objects such as Cases, Accounts, Users, and Opportunities. The actor demonstrated operational security awareness by deleting query jobs. Salesloft and Salesforce have taken measures to revoke access tokens and remove the Drift application from the Salesforce AppExchange. Impacted organizations are urged to take immediate remediation steps, including investigating for compromise, scanning for exposed secrets, and hardening access controls. The IPs provided are confirmed as malicious, but some may generate noise since they are associated with Tor exit nodes.
OPENCTI LABELS:
supply chain,data theft,credential harvesting,salesforce,oauth tokens,salesloft drift
AI COMMENTARY:
1. Introduction to the Campaign
The report titled “Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse” details a sophisticated data exfiltration operation carried out by the threat actor UNC6395. Between August 8 and August 18, 2025, UNC6395 systematically compromised OAuth tokens linked to the Salesloft Drift application to infiltrate numerous Salesforce customer instances. By exploiting this trusted integration, the actor was able to harvest a vast array of corporate data without raising immediate suspicion.
2. Attack Vector and Initial Compromise
The adversary gained unauthorized access by targeting the OAuth tokens that grant the Salesloft Drift app permissions to Salesforce environments. Once these tokens were compromised, UNC6395 leveraged the permissions to query critical Salesforce objects such as Cases, Accounts, Users, and Opportunities. This attack vector underscores the inherent risks in third-party application integrations and the need for rigorous vetting and continuous monitoring of OAuth credentials.
3. Data Theft and Credential Harvesting
UNC6395 focused its efforts on exporting large volumes of sensitive information, including user credentials and proprietary corporate data. The actor’s objective was to harvest credentials that could facilitate further lateral movement within victim environments or be sold on underground forums. By targeting multiple Salesforce objects, the campaign amassed a wide spectrum of data that extends beyond basic customer relationship records, posing a severe risk to organizational security and privacy compliance.
4. Operational Security Measures by UNC6395
Throughout the campaign, the threat actor demonstrated a high level of operational security awareness by deleting query jobs after data extraction. This tactic helped minimize detection by erasing forensic evidence of the queries run against Salesforce instances. The deliberate removal of logs and query artifacts highlights the sophistication of UNC6395 and the challenges defenders face when investigating compromised environments.
5. Response from Salesloft and Salesforce
Upon discovery of the unauthorized activity, Salesloft and Salesforce moved swiftly to revoke impacted OAuth tokens and remove the Salesloft Drift application from the Salesforce AppExchange. These actions helped contain the breach and prevented further data exfiltration. Both vendors have also communicated remediation guidance to affected customers and urged a review of existing integrations to ensure no residual unauthorized access remains.
6. Recommended Remediation Steps
Organizations impacted by this campaign are advised to immediately investigate for signs of compromise, including unauthorized API calls and anomalous user behavior. It is critical to scan for exposed secrets and rotate any credentials that may have been exposed. Hardening access controls by implementing least-privilege permissions for third-party applications and enforcing multi-factor authentication for OAuth token issuance will further reduce the risk of future compromise.
7. Monitoring and Future Mitigation
Continuous monitoring for the identified malicious IP addresses is essential, with the caveat that some of them are Tor exit nodes, so matches on those addresses will also include benign traffic and need corroboration. Establishing robust network and application logging, coupled with real-time alerting on unusual query patterns, can help detect similar attacks early. Periodic auditing of third-party integrations and OAuth token lifecycles will strengthen overall security posture against supply chain threats like data theft and credential harvesting.
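As an added example (not part of the OpenCTI report, nor Salesforce or Salesloft tooling), the following Python hunts over constructed, simplified API event lines for the three signals sections 6 and 7 call out: bulk exports of the named Salesforce objects by a single connected app, a query job deleted shortly after it ran, and connections from the report's IP indicators, flagging addresses that are also Tor exit nodes so an analyst knows the match may be noise. The pipe-delimited log format, the thresholds, the user names and the indicator addresses (RFC 5737 documentation ranges standing in for the real IOCs) are all assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Salesforce objects the report says the actor queried.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Constructed indicator lists: documentation addresses, not the report's IOCs.
KNOWN_BAD_IPS = {"192.0.2.10", "198.51.100.7"}
TOR_EXIT_IPS = {"198.51.100.7"}  # this indicator is also a Tor exit node

ROW_THRESHOLD = 10_000            # rows per app+object inside WINDOW (assumed)
WINDOW = timedelta(hours=1)
DELETE_GRACE = timedelta(minutes=30)  # job deleted this soon after a query (assumed)


@dataclass
class Finding:
    rule: str
    app: str
    detail: str
    noisy: bool = False  # True when the only evidence is a Tor-overlapping IP


def parse(line: str) -> dict:
    """Parse one hypothetical event line: ts|app|user|ip|operation|object|rows."""
    ts, app, user, ip, op, obj, rows = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "app": app, "user": user,
            "ip": ip, "op": op, "obj": obj, "rows": int(rows)}


def hunt(lines: list[str]) -> list[Finding]:
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    findings: list[Finding] = []

    # Rule 1: one connected app exports a large volume of a sensitive object
    # inside a sliding one-hour window.
    buckets: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        if e["op"] == "query" and e["obj"] in SENSITIVE_OBJECTS:
            buckets[(e["app"], e["obj"])].append(e)
    for (app, obj), evs in buckets.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > WINDOW:
                lo += 1
            total = sum(x["rows"] for x in evs[lo:hi + 1])
            if total >= ROW_THRESHOLD:
                findings.append(Finding("bulk_export", app,
                                        f"{total} {obj} rows within {WINDOW}"))
                break  # one finding per app+object is enough for triage

    # Rule 2: a query job deleted shortly after the same app ran a query,
    # the anti-forensic pattern the report attributes to UNC6395.
    last_query: dict[str, datetime] = {}
    for e in events:
        if e["op"] == "query":
            last_query[e["app"]] = e["ts"]
        elif e["op"] == "delete_job":
            t = last_query.get(e["app"])
            if t is not None and e["ts"] - t <= DELETE_GRACE:
                mins = int((e["ts"] - t).total_seconds() // 60)
                findings.append(Finding("job_deleted_after_query", e["app"],
                                        f"job removed {mins} min after last query"))

    # Rule 3: indicator match, marked noisy when the IP is also a Tor exit.
    seen: set[tuple[str, str]] = set()
    for e in events:
        key = (e["app"], e["ip"])
        if e["ip"] in KNOWN_BAD_IPS and key not in seen:
            seen.add(key)
            findings.append(Finding("ioc_ip", e["app"], e["ip"],
                                    noisy=e["ip"] in TOR_EXIT_IPS))
    return findings


# Constructed sample log: one connected app bulk-reading Cases, deleting the
# job, then connecting from a Tor-overlapping indicator; a second app with
# normal daily reporting volume for contrast.
SAMPLE_LOG = """\
2025-08-10T02:00:00|Drift|integration@example.com|192.0.2.10|query|Case|6000
2025-08-10T02:05:00|Drift|integration@example.com|192.0.2.10|query|Case|5000
2025-08-10T02:06:00|Drift|integration@example.com|192.0.2.10|delete_job|Case|0
2025-08-10T02:30:00|Drift|integration@example.com|198.51.100.7|query|User|800
2025-08-10T09:00:00|ReportingApp|analyst@example.com|203.0.113.5|query|Opportunity|400
2025-08-11T09:00:00|ReportingApp|analyst@example.com|203.0.113.5|query|Opportunity|450
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] app={f.app} {f.detail}" + ("  (Tor exit, verify)" if f.noisy else ""))
```

Run against the sample, the bulk-export rule fires once for the Drift app's 11,000 Case rows, the deletion rule fires for the job removed one minute later, and the IOC rule fires twice, with the second hit marked noisy because that address is also a Tor exit; the reporting app's two 400-row reads a day apart never cross the threshold. On a real tenant the thresholds should be set from a baseline of each integration's normal export volume rather than the assumed constants above.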
8. Conclusion and Lessons Learned
The widespread data theft campaign conducted by UNC6395 underscores the critical intersection of supply chain risk, OAuth security, and vigilant threat intelligence. By understanding the tactics, techniques, and procedures used in this incident, organizations can enhance their defenses against future campaigns targeting third-party integrations. Proactive remediation, continuous monitoring, and stringent access controls are key to mitigating the evolving threat landscape in cloud-based applications.