Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesting credentials and sensitive information. The campaign ran from August 8 to August 18, 2025, affecting various Salesforce objects such as Cases, Accounts, Users, and Opportunities. The actor demonstrated operational security awareness by deleting query jobs. Salesloft and Salesforce have taken measures to revoke access tokens and remove the Drift application from the Salesforce AppExchange. Impacted organizations are urged to take immediate remediation steps, including investigating for compromise, scanning for exposed secrets, and hardening access controls. The IPs provided are confirmed as malicious, but some may generate noise since they are associated with Tor exit nodes.
OPENCTI LABELS :
salesforce,salesloft drift,oauth tokens,credential harvesting,data theft,supply chain
AI COMMENTARY :
1. Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
In early August 2025, a covert campaign orchestrated by the UNC6395 threat group emerged, targeting corporate Salesforce environments through compromised OAuth tokens tied to the Salesloft Drift application. Between August 8 and August 18, the adversary gained unauthorized access to numerous Salesforce instances and systematically harvested credentials at scale. By exploiting the trust relationship inherent in the third-party app supply chain, the actor exfiltrated sensitive information from objects such as Cases, Accounts, Users, and Opportunities, highlighting the growing risk of data theft via OAuth token abuse.

2. Attack Vector and Methodology
The intrusion began when OAuth tokens associated with the Salesloft Drift integration were illicitly acquired, granting wide-ranging permissions within the targeted Salesforce environments. Leveraging these tokens, UNC6395 executed automated queries to extract large volumes of data, focusing on credentials and proprietary records. The Salesloft Drift integration served as the pivot point, demonstrating how a single compromised application in the app ecosystem can enable deep lateral movement and unchecked data export across multiple orgs without triggering immediate alerts.

3. Operational Security and Evasion Tactics
Throughout the campaign, the threat actor demonstrated operational security awareness by systematically deleting query jobs within the Salesforce setup to erase forensic trails. The use of changing IP addresses, including some linked to Tor exit nodes, added layers of obfuscation and complicated attribution efforts. These evasion maneuvers prolonged the dwell time on compromised instances and delayed incident response, underscoring the need for real-time monitoring of query logs and token usage patterns.

4. Industry Response and Mitigation Actions
Upon discovery of the breach, Salesforce and Salesloft collaborated to revoke all affected OAuth tokens and remove the Drift application from the Salesforce AppExchange pending further security reviews. These decisive actions disrupted UNC6395's access path and prevented additional data exfiltration. The incident serves as a wake-up call for platform providers and customers alike to reevaluate third-party integrations, enforce stricter app vetting processes, and maintain an up-to-date inventory of connected applications in supply chain workflows.

5. Remediation and Best Practices
Impacted organizations are urged to initiate immediate compromise assessments, including detailed log analysis to identify any suspect token activity and potential lateral movement. A thorough scan for exposed secrets and credentials should follow, accompanied by rotation of all OAuth tokens and API keys. Strengthening access controls with least-privilege permissions, implementing multi-factor authentication for all integrations, and deploying continuous monitoring solutions are critical to reducing the risk of future credential harvesting and supply chain attacks.

6. Lessons Learned and Forward-Looking Insights
The UNC6395 campaign highlights an evolving threat landscape in which adversaries weaponize legitimate OAuth tokens to execute large-scale data theft within trusted applications. Organizations must adopt a holistic security posture that extends beyond perimeter defenses to include robust app governance, real-time token monitoring, and anomaly detection. By learning from this incident, security teams can enhance their threat intelligence capabilities and fortify their defenses against similar supply chain-driven data theft campaigns.