Full Report
A threat group Google tracks as UNC6395 systematically stole large amounts of data from Salesforce customer instances by using OAuth tokens stolen from Salesloft Drift, researchers said. The post Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent appeared first on CyberScoop.
Analysis Summary
# Incident Report: Widespread Data Theft via Compromised Third-Party Salesforce Integration
## Executive Summary
A threat group tracked as UNC6395 carried out a widespread data theft campaign against hundreds of Salesforce customers between at least August 8 and August 18, 2025, using OAuth tokens stolen from Salesloft Drift, a third-party AI chat agent for sales teams that integrates with Salesforce. The attackers systematically exported Salesforce data and mined it for plaintext credentials, principally AWS access keys, VPN credentials and Snowflake passwords. The activity stopped after Salesforce and Salesloft revoked the application's access and refresh tokens on August 20.
## Incident Details
- **Discovery Date:** August 19 (Salesloft issued an alert)
- **Incident Date:** At least August 8 to August 18, 2025
- **Affected Organization:** Hundreds of Salesforce customers (Over 700 potentially impacted organizations identified by Google)
- **Sector:** SaaS/CRM Integration (Multiple downstream sectors affected)
- **Geography:** Not explicitly stated, assumed global given Salesforce/Salesloft user base.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before August 8, 2025
- **Vector:** Compromise of OAuth tokens associated with the Salesloft Drift application integrated with Salesforce.
- **Details:** UNC6395 obtained valid OAuth access and refresh tokens issued to the Salesloft Drift integration; Salesforce accepted these tokens as authorized API access to every customer instance linked to the application. How the tokens were taken from Salesloft is not stated in the report.
### Lateral Movement
- **Details:** Because the tokens belonged to the Drift integration rather than to a single tenant, the actor could reach the Salesforce instance of any organization that had the Drift application connected. Within the data exported from each instance, the actor searched for AWS access keys, VPN credentials and Snowflake passwords, which open a path into those organizations' cloud and network environments.
### Data Exfiltration/Impact
- **Details:** Large volumes of data were exported from several hundred Salesforce instances to attacker-controlled servers. The primary goal was credential harvesting rather than the CRM data itself. The actor deleted the query jobs after each export to reduce the forensic trail.
### Detection & Response
- **How it was discovered:** Salesloft issued an alert on August 19 regarding malicious activity targeting Salesloft Drift applications integrated with Salesforce.
- **Response actions taken:** Salesloft and Salesforce coordinated to revoke all active access and refresh tokens for the affected application on August 20, which immediately halted the attacks.
## Attack Methodology
- **Initial Access:** Stolen OAuth tokens from a third-party vendor integration (Salesloft Drift).
- **Persistence:** Not explicitly detailed. The stolen access and refresh tokens themselves provided durable, authorized access until they were revoked; no additional persistence mechanism is reported.
- **Privilege Escalation:** Not needed within Salesforce, since the OAuth tokens already carried whatever scopes the Drift integration had been granted. The broader objective was to escalate from CRM data into cloud environments (AWS, Snowflake) using credentials found in that data.
- **Defense Evasion:** Access through a valid OAuth token is a native, authorized channel that perimeter and endpoint controls do not inspect. The actor also deleted query jobs after exporting results, removing an artifact defenders would normally review.
- **Credential Access:** Searching exfiltrated Salesforce data for plaintext credentials, including AWS access keys, VPN credentials, and Snowflake passwords.
- **Discovery:** Structured queries against Salesforce objects to enumerate and locate the records of interest.
- **Lateral Movement:** Utilizing stolen credentials found in the Salesforce data to access connected cloud environments (AWS, Snowflake).
- **Collection:** Systematic querying and bulk export of records across several hundred Salesforce instances.
- **Exfiltration:** Exporting data to attacker-controlled servers.
- **Impact:** Compromise and theft of sensitive data, including organizational credentials leading to potential widespread cloud environment compromise.
## Impact Assessment
- **Financial:** Not specified. The scale of the campaign and its focus on cloud credentials (AWS, Snowflake) suggest substantial downstream exposure for affected organizations.
- **Data Breach:** Large volumes of data stolen from over 700 Salesforce instances. Primary sensitive data sought were plaintext credentials for other critical infrastructure.
- **Operational:** Limited operational disruption reported by the organizations themselves, as the attack focused on data theft rather than destruction.
- **Reputational:** Significant negative impact for Salesloft and Salesforce due to the breach occurring through a trusted integration.
## Indicators of Compromise
- **Network indicators:** Data was exfiltrated to attacker-controlled servers; the report does not reproduce specific IP addresses or domains.
- **File indicators:** A Python tool was used to automate the data theft; no file names or hashes are given.
- **Behavioral indicators:** Structured queries and methodical bulk exports by the Drift connected app across many Salesforce objects and instances, followed by deletion of the query jobs.
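The behavioral indicator above is the one a defender can actually alert on. The following detector is an added example, not tooling from the report, Google or Salesforce: it groups API calls per connected app and user into fixed time windows and flags a window in which one token pulled a large row count from several different objects, raising the severity when the same token also deleted an export job. The event layout (`ApiEvent`), its field names and the sample events are constructed for illustration and are not an official Salesforce Event Monitoring schema; map them onto whatever API/Bulk API log your org exports.

```python
"""Added example: flag broad multi-object export followed by job deletion
in Salesforce-style API activity logs. Field names and sample events are
constructed assumptions, not an official Salesforce log schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ApiEvent:
    ts: datetime          # timezone-aware timestamp of the API call
    connected_app: str    # OAuth connected app the token belongs to
    user_id: str          # integration user the app acts as
    client_ip: str        # source address of the call
    operation: str        # "query" | "bulk_create_job" | "bulk_delete_job"
    entity: str           # Salesforce object queried ("" for job operations)
    rows: int             # rows returned/exported by the call


def _t(minute: int) -> datetime:
    """Constructed time base: 2025-08-10 02:<minute> UTC."""
    return datetime(2025, 8, 10, 2, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)


# Constructed sample events: one integration app exports four objects in
# bulk and then deletes its export job; a second app does routine syncing.
EVENTS = [
    ApiEvent(_t(5),  "Salesloft Drift", "005X1", "203.0.113.10", "bulk_create_job", "", 0),
    ApiEvent(_t(6),  "Salesloft Drift", "005X1", "203.0.113.10", "query", "Case", 20_000),
    ApiEvent(_t(12), "Salesloft Drift", "005X1", "203.0.113.10", "query", "Account", 15_000),
    ApiEvent(_t(18), "Salesloft Drift", "005X1", "203.0.113.10", "query", "User", 3_000),
    ApiEvent(_t(25), "Salesloft Drift", "005X1", "203.0.113.10", "query", "Opportunity", 12_000),
    ApiEvent(_t(31), "Salesloft Drift", "005X1", "203.0.113.10", "bulk_delete_job", "", 0),
    ApiEvent(_t(70), "Nightly Sync",    "005X2", "198.51.100.7", "query", "Account", 500),
    ApiEvent(_t(71), "Nightly Sync",    "005X2", "198.51.100.7", "query", "Contact", 800),
]


def find_suspicious_sessions(events, window=timedelta(hours=1),
                             min_objects=3, min_rows=10_000):
    """Group calls per (app, user) into fixed windows and report windows in
    which one token read >= min_rows rows from >= min_objects distinct
    objects. A deleted export job in the same window raises the severity:
    legitimate integrations rarely clean up their own job history."""
    slot_len = window.total_seconds()
    buckets = defaultdict(lambda: {"objects": set(), "rows": 0, "ips": set(),
                                   "jobs_created": 0, "jobs_deleted": 0,
                                   "first": None, "last": None})
    for e in sorted(events, key=lambda ev: ev.ts):
        b = buckets[(e.connected_app, e.user_id, int(e.ts.timestamp() // slot_len))]
        b["first"] = b["first"] or e.ts
        b["last"] = e.ts
        b["ips"].add(e.client_ip)
        if e.operation == "query":
            b["objects"].add(e.entity)
            b["rows"] += e.rows
        elif e.operation == "bulk_create_job":
            b["jobs_created"] += 1
        elif e.operation == "bulk_delete_job":
            b["jobs_deleted"] += 1

    findings = []
    for (app, user, _), b in buckets.items():
        if len(b["objects"]) < min_objects or b["rows"] < min_rows:
            continue
        findings.append({
            "app": app,
            "user": user,
            "window_start": b["first"],
            "window_end": b["last"],
            "objects": sorted(b["objects"]),
            "rows": b["rows"],
            "source_ips": sorted(b["ips"]),
            "jobs_deleted": b["jobs_deleted"],
            "severity": "high" if b["jobs_deleted"] else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(EVENTS):
        print(f"[{f['severity']}] {f['app']} as {f['user']} exported {f['rows']} rows "
              f"from {f['objects']} between {f['window_start']:%H:%M} and "
              f"{f['window_end']:%H:%M} UTC; jobs deleted: {f['jobs_deleted']}")
```

The thresholds are deliberately per-app: tune `min_rows` and `min_objects` against each integration's normal baseline, because a CRM sync that legitimately touches three objects every night should not page anyone, while a chat-agent integration that suddenly reads Cases, Users and Opportunities in bulk should.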
## Response Actions
- **Containment measures:** Salesloft and Salesforce revoked all active access and refresh tokens for the Salesloft Drift integration on August 20.
- **Eradication steps:** Google advised all potentially impacted customers to search their Salesforce instances for stored secrets, treating any credential found there as already compromised.
- **Recovery actions:** Customers were advised to revoke API keys and rotate credentials across all potentially compromised systems (AWS, VPN, Snowflake).
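The "search for secrets" step above is the same operation the actor performed under "Credential Access" in the attack methodology, run from the other side: the defender scans the exported records first and rotates whatever turns up. The scanner below is an added example, not Google's or Salesforce's tooling; the record layout, the regular expressions and the sample records are constructed for illustration, and the AWS key pair in the sample is the well-known AWS documentation example, not a live credential. Matches are reported with the secret redacted so the findings list itself does not become a new leak.

```python
"""Added example: scan exported Salesforce records for the plaintext secret
types UNC6395 hunted for (AWS keys, Snowflake passwords, VPN credentials).
Record layout, patterns and sample data are constructed assumptions."""
import re

# Each pattern captures the secret value in group 1 so it can be redacted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"""\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"""),
    "aws_secret_access_key": re.compile(
        r"""secret[ _-]?(?:access[ _-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])""",
        re.I),
    "snowflake_password": re.compile(
        r"""snowflake[^\n]{0,40}?(?:password|pwd)\s*[:=]\s*['"]?([^\s'"]{8,})""", re.I),
    "vpn_credential": re.compile(
        r"""\bvpn\b[^\n]{0,40}?(?:password|pass|pwd)\s*[:=]\s*['"]?([^\s'"]{6,})""", re.I),
}

# Constructed sample export: Case records as a list of dicts, the shape a
# CSV/JSON export might be loaded into. IDs are placeholders.
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Object": "Case", "fields": {
        "Subject": "S3 upload failing",
        "Description": "Customer pasted their AWS keys in the ticket: "
                       "AKIAIOSFODNN7EXAMPLE / secret key: "
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
    {"Id": "500000000000002", "Object": "Case", "fields": {
        "Subject": "Warehouse onboarding",
        "Description": "Snowflake access: user svc_analytics, "
                       "password = Sn0wf1ak3-Secret-2025"}},
    {"Id": "500000000000003", "Object": "Case", "fields": {
        "Subject": "Remote support",
        "Description": "Vendor VPN access: login rsmith, pass: Rem0te-VPN!2025"}},
    {"Id": "500000000000004", "Object": "Case", "fields": {
        "Subject": "Dashboard not loading",
        "Description": "Password reset already done, no credentials shared."}},
]


def scan_records(records):
    """Walk every string field of every record and return one finding per
    secret match, with the value redacted to a four-character prefix."""
    findings = []
    for rec in records:
        for field, value in rec["fields"].items():
            if not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    findings.append({
                        "record_id": rec["Id"],
                        "object": rec["Object"],
                        "field": field,
                        "kind": kind,
                        "preview": m.group(1)[:4] + "****",
                    })
    return findings


def summarize(findings):
    """Count findings per secret type; this is the rotation worklist."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['object']} {f['record_id']} [{f['field']}] {f['kind']}: {f['preview']}")
    print("rotate:", summarize(results))
```

Run it over the full export rather than a sample: the point of the exercise is that every record the integration could read is a record the actor may have read, so the rotation list has to be built from the whole data set, not from the cases someone happens to remember.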
## Lessons Learned
- **Key takeaways:** Cloud-to-cloud integrations, and in particular the OAuth tokens held by third-party SaaS connectors, remain a blind spot: a token issued to one vendor becomes a single point of compromise for every tenant that trusts it.
- **What could have been done better:** The actor's tradecraft (methodical credential searching, structured queries, deletion of query jobs) ran entirely over an authorized OAuth channel that conventional perimeter and endpoint tooling does not inspect. Earlier detection would have required monitoring of API activity by connected apps, such as unusual export volumes or object coverage, and tighter scoping of what the integration was allowed to read.
## Recommendations
- **Prevention measures for similar incidents:** Enterprises must vet the permissions (OAuth scopes) granted to third-party applications, restrict each integration to the objects it actually needs, and monitor data access patterns continuously even when the activity originates from a trusted integrated application. Credentials for other services (AWS keys, Snowflake logins, VPN accounts) should never be stored in CRM records; any found there must be rotated immediately.