
A widespread data theft campaign has compromised Salesforce customer instances through the Drift application, a product offered by Salesloft.
Between August 8 and 18, 2025, a threat actor tracked as UNC6395 leveraged stolen OAuth tokens tied to Drift to access and exfiltrate large volumes of corporate data from numerous Salesforce environments, according to Google’s Threat Intelligence Group (GTIG) and Mandiant.
The attackers used valid OAuth credentials, typically granted through integrations with Drift, to run structured SOQL queries and export data from Salesforce objects, including User, Account, Case, and Opportunity. GTIG reports that the attackers specifically searched this data for secrets, such as AWS access key IDs (recognizable by their AKIA prefix), passwords, and Snowflake access tokens. These secrets could enable further compromise of internal systems.
UNC6395 demonstrated a degree of operational security by deleting query jobs to obscure activity, although logs remained intact. The use of anonymizing infrastructure and automation tools such as python-requests/2.32.4 and aiohttp/3.12.15 was observed, with activity traced to multiple Tor exit nodes.
Response from Salesloft and Salesforce
Salesloft, whose Drift product is commonly used for conversational marketing and CRM integrations, confirmed that only customers using the Drift-Salesforce integration were affected. In response, Salesloft and Salesforce revoked all active tokens for the Drift app on August 20 and temporarily removed the app from Salesforce AppExchange.
Salesloft has also engaged a third-party forensics firm and is coordinating with Salesforce to provide affected organizations with attacker-specific activity logs. Customers are being advised to re-authenticate the Drift integration and review their Salesforce logs for evidence of compromise.
Broader campaign
This incident follows an earlier wave of Salesforce-related attacks tracked by GTIG in June and July 2025. In those campaigns, another financially motivated group, UNC6040, employed vishing tactics to convince employees to authorize rogue connected apps that mimicked legitimate Salesforce utilities, such as Data Loader. These malicious apps were then used to exfiltrate sensitive business data without exploiting any direct vulnerability in Salesforce.
A related group, UNC6240, has since carried out an extortion phase, contacting victims under the ShinyHunters name and demanding payment in exchange for not leaking stolen data. Communications were sent from addresses like shinycorp@tuta[.]com, and threats included public exposure via a possible upcoming data leak site.
Even Google acknowledged that one of its own Salesforce instances was briefly compromised during the earlier campaign, though the data involved was limited to SMB contact records. High-profile victims across the broader campaigns have included Chanel, Workday, Pandora, Cisco, KLM/Air France, and Allianz Life.
Defense recommendations
Organizations using Drift with Salesforce should assume compromise and take immediate action, including:
- Audit Salesforce objects for exposed credentials, especially AWS, Snowflake, or hardcoded secrets.
- Revoke and rotate any discovered API keys or credentials.
- Review logs for suspicious SOQL queries tied to the Drift app.
- Enforce strict access controls for connected apps, including IP restrictions and limited scopes.
- Disable “API Enabled” permissions for broad user profiles unless necessary.
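The credential audit and log review above can be scripted. The following is an added example, not code from Salesloft, Salesforce or GTIG: it triages constructed API event rows for Drift-attributed reads that match the indicators reported in the article (automation user agents, bulk reads of sensitive objects) and scans exported record text for the secret markers the attackers hunted. Field names, the Drift app label, sample values and the row threshold are all assumptions.

```python
import re

# Constructed sample of Salesforce API event rows. Field names are assumptions
# modelled on EventLogFile-style exports; every value here is made up.
SAMPLE_EVENTS = [
    {"TIMESTAMP": "2025-08-12T03:14:07Z", "CONNECTED_APP": "Drift",
     "USER_AGENT": "python-requests/2.32.4", "ENTITY_NAME": "Case",
     "ROWS_PROCESSED": 48210, "QUERY": "SELECT Id, Subject, Description FROM Case"},
    {"TIMESTAMP": "2025-08-12T03:20:41Z", "CONNECTED_APP": "Drift",
     "USER_AGENT": "aiohttp/3.12.15", "ENTITY_NAME": "User",
     "ROWS_PROCESSED": 1532, "QUERY": "SELECT Id, Email FROM User"},
    {"TIMESTAMP": "2025-08-12T09:02:13Z", "CONNECTED_APP": "Drift",
     "USER_AGENT": "Drift-Integration/1.0", "ENTITY_NAME": "Lead",
     "ROWS_PROCESSED": 3, "QUERY": "SELECT Id FROM Lead WHERE Email = 'a@example.com'"},
]

# User agents GTIG observed in the campaign; a legitimate Drift sync should not use them.
AUTOMATION_UA = re.compile(r"^(python-requests|aiohttp)/", re.I)
# Objects the attackers exported; treat large reads of these as suspicious.
SENSITIVE_OBJECTS = {"User", "Account", "Case", "Opportunity"}
BULK_ROW_THRESHOLD = 1000  # assumption: tune to the org's normal Drift sync volume

# Markers for secrets the attackers searched for. Snowflake tokens have no
# reliable textual shape, so they need a field-by-field review instead.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password assignment": re.compile(r"\bpassword\s*[:=]\s*\S+", re.I),
}


def triage_drift_events(events, app_name="Drift"):
    """Return (timestamp, reasons) for each event attributed to the Drift
    connected app that matches one or more campaign indicators."""
    findings = []
    for ev in events:
        if ev.get("CONNECTED_APP") != app_name:
            continue
        reasons = []
        if AUTOMATION_UA.match(ev.get("USER_AGENT", "")):
            reasons.append("automation user agent: " + ev["USER_AGENT"])
        if (ev.get("ENTITY_NAME") in SENSITIVE_OBJECTS
                and ev.get("ROWS_PROCESSED", 0) >= BULK_ROW_THRESHOLD):
            reasons.append(f"bulk read of {ev['ENTITY_NAME']} ({ev['ROWS_PROCESSED']} rows)")
        if reasons:
            findings.append((ev["TIMESTAMP"], reasons))
    return findings


def find_secret_markers(text):
    """Return the names of secret patterns present in one exported text field."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]
```

Any hit from either function should feed the rotation step: revoke the key or credential before investigating further, since the same data was available to the attacker.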