The Google Threat Intelligence Group (GTIG) has issued an urgent advisory on a widespread data theft campaign attributed to the actor UNC6395, who systematically exploited Salesforce environments through compromised OAuth tokens linked to the Salesloft Drift application.
According to the advisory, “Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.”
The campaign’s primary intent was credential harvesting. GTIG explains: “The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials.”
Attackers sifted through exfiltrated Salesforce data for sensitive secrets including:
- Amazon Web Services (AWS) access keys (identifiable by the AKIA prefix)
- Passwords
- Snowflake-related access tokens
GTIG further noted that UNC6395 showed operational-security awareness by deleting its query jobs to cover its tracks. However, Salesforce logs remained intact, allowing organizations to investigate their exposure.
The threat actor executed a series of Salesforce Object Query Language (SOQL) queries to retrieve valuable datasets. For instance:
They also exfiltrated detailed user information, including IDs, usernames, emails, phone numbers, department details, and login history.
By pulling large volumes of Cases, Accounts, Users, and Opportunities, the attackers maximized the chance of finding embedded secrets, such as hardcoded API keys or login credentials hidden within Salesforce objects.
The theft of cloud service keys poses severe risks. With AWS and Snowflake tokens, attackers could pivot into broader enterprise systems, escalate privileges, and move laterally into sensitive workloads.
GTIG stressed: “Organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps.”
On August 20, 2025, Salesloft, in coordination with Salesforce, revoked all active Drift-related tokens. Salesforce also removed the Drift app from the AppExchange, pending investigation. GTIG emphasized that “this issue does not stem from a vulnerability within the core Salesforce platform.”
Salesloft clarified that customers not integrating Drift with Salesforce were not impacted, and GTIG confirmed “there is no evidence indicating direct impact to Google Cloud customers.”
GTIG, Salesforce, and Salesloft advise impacted organizations to take the following actions:
- Investigate for Compromise
  - Search Salesforce logs for suspicious queries and Drift app activity.
  - Check for secrets such as AWS keys, Snowflake tokens, or VPN/SSO credentials in Salesforce objects.
  - Monitor for Tor-based access attempts, as many observed IPs were linked to Tor exit nodes.
- Rotate Credentials
  - Revoke and regenerate API keys and service account tokens.
  - Reset passwords for associated accounts.
  - Enforce stricter session timeouts to reduce token exposure risk.
- Harden Access Controls
  - Restrict connected app scopes to least privilege.
  - Enforce IP restrictions on connected apps.
  - Define login IP ranges for trusted networks.
  - Remove the API Enabled permission from all but essential roles.
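The log-review step above can be turned into a repeatable triage pass. The script below is an added example, not tooling from GTIG, Salesforce or Salesloft: it walks API activity records and flags the three indicators the advisory describes (Drift connected-app activity inside the Aug. 8 to Aug. 18, 2025 window, bulk SOQL pulls of Cases, Accounts, Users or Opportunities, and requests from Tor exit nodes). The record layout and field names (TIMESTAMP, CLIENT_NAME, SOURCE_IP, QUERY, ROWS_PROCESSED) are a simplified, constructed approximation of Salesforce event-monitoring data, the row threshold is an assumed tuning value, and the Tor exit list holds RFC 5737 documentation addresses as a placeholder.

```python
"""Triage of Salesforce API activity records for the UNC6395 / Drift pattern.

Added example, not GTIG's or Salesforce's tooling. Field names and the
record layout are assumptions; the Tor exit list is a placeholder.
"""
import re
from datetime import datetime, timezone

# Activity window reported by GTIG (inclusive, UTC).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Objects the campaign bulk-exported; used to flag wide SOQL pulls.
TARGET_OBJECTS = {"Case", "Account", "User", "Opportunity"}
BULK_ROW_THRESHOLD = 10_000  # assumed tuning value, adjust to the org's normal volumes

# Placeholder: in practice, load the current exit-node list from a trusted feed.
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.22"}  # RFC 5737 documentation addresses

SOQL_FROM = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"TIMESTAMP": "2025-08-09T03:14:05Z", "CLIENT_NAME": "Salesloft Drift", "SOURCE_IP": "203.0.113.7",
     "QUERY": "SELECT Id, Subject, Description FROM Case", "ROWS_PROCESSED": 250000},
    {"TIMESTAMP": "2025-08-10T11:02:44Z", "CLIENT_NAME": "Salesloft Drift", "SOURCE_IP": "192.0.2.15",
     "QUERY": "SELECT Id, Username, Email, LastLoginDate FROM User", "ROWS_PROCESSED": 4200},
    {"TIMESTAMP": "2025-08-12T08:00:00Z", "CLIENT_NAME": "Internal BI Connector", "SOURCE_IP": "192.0.2.50",
     "QUERY": "SELECT Id, Amount FROM Opportunity WHERE CloseDate = THIS_MONTH", "ROWS_PROCESSED": 300},
    {"TIMESTAMP": "2025-07-01T09:30:00Z", "CLIENT_NAME": "Salesloft Drift", "SOURCE_IP": "192.0.2.15",
     "QUERY": "SELECT Id, Name FROM Account WHERE Id = '001xx000003DGb2AAG'", "ROWS_PROCESSED": 1},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def queried_object(query):
    """Return the object named in the SOQL FROM clause, or None if absent."""
    m = SOQL_FROM.search(query or "")
    return m.group(1) if m else None


def score_event(event):
    """Return the indicators an event matches; an empty list means nothing notable."""
    indicators = []
    ts = _parse_ts(event["TIMESTAMP"])
    in_window = WINDOW_START <= ts <= WINDOW_END
    is_drift = "drift" in event.get("CLIENT_NAME", "").lower()
    if is_drift and in_window:
        indicators.append("drift_app_activity_in_window")
    obj = queried_object(event.get("QUERY"))
    if obj in TARGET_OBJECTS and event.get("ROWS_PROCESSED", 0) >= BULK_ROW_THRESHOLD:
        indicators.append(f"bulk_export_{obj}")
    if event.get("SOURCE_IP") in TOR_EXIT_NODES:
        indicators.append("tor_exit_source")
    return indicators


def triage(events):
    """Map each flagged event's timestamp to its indicators, skipping clean events."""
    flagged = {}
    for event in events:
        hits = score_event(event)
        if hits:
            flagged[event["TIMESTAMP"]] = hits
    return flagged


if __name__ == "__main__":
    for ts, hits in triage(SAMPLE_EVENTS).items():
        print(ts, ", ".join(hits))
```

Drift activity inside the window is a review item rather than a verdict, since legitimate Drift integrations also ran during those dates; the combination of a Drift client, a bulk pull of a targeted object and a Tor source on the same event is what should be escalated first.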
GTIG also recommends using tools like Trufflehog to scan Salesforce objects for embedded secrets.
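The secret-scanning recommendation can be approximated without a dedicated tool for a first look at an export. The script below is an added example, not GTIG's advice verbatim and not Trufflehog's code: it runs narrow detectors over the free-text fields of exported records for the three secret types the advisory names (an AKIA-prefixed AWS access key ID, a Snowflake account hostname as a stand-in for Snowflake-related tokens, and password assignments) and reports redacted findings so the output itself does not leak anything. The record shape and field names are a constructed approximation of a Case export, the Snowflake detector is a heuristic assumption, and the sample AWS key is AWS's own documentation example.

```python
"""Heuristic scan of exported Salesforce records for embedded secrets.

Added example, not GTIG's or Trufflehog's code. Record shape and field
names are assumed; sample values are constructed placeholders.
"""
import re

# Detector name -> compiled pattern. Deliberately narrow to limit noise.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Heuristic stand-in for "Snowflake-related access tokens": an account hostname.
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.IGNORECASE),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
}

# Long free-text fields are where pasted credentials tend to end up.
TEXT_FIELDS = ("Subject", "Description", "Comments")

# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    {"Id": "500xx000000001AAA", "Subject": "Cannot reach warehouse",
     "Description": "Connecting to acme-prod.snowflakecomputing.com with password: Sn0wfl@ke2025!",
     "Comments": ""},
    {"Id": "500xx000000002AAA", "Subject": "S3 upload failing",
     "Description": "Using AKIAIOSFODNN7EXAMPLE from the batch job, still 403",
     "Comments": "will rotate"},
    {"Id": "500xx000000003AAA", "Subject": "Password reset",
     "Description": "User asked to reset their password via the portal.",
     "Comments": ""},
]


def redact(value):
    """Keep a short prefix so a finding can be correlated without reproducing the secret."""
    return value[:4] + "***" if len(value) > 4 else "***"


def scan_record(record):
    """Return one finding per detector hit across the record's text fields."""
    findings = []
    for field in TEXT_FIELDS:
        text = record.get(field) or ""
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"Id": record["Id"], "field": field,
                                 "detector": name, "sample": redact(secret)})
    return findings


def scan_export(records):
    return [f for r in records for f in scan_record(r)]


def summarize(findings):
    """Count findings per detector, which is what a remediation owner needs first."""
    counts = {}
    for f in findings:
        counts[f["detector"]] = counts.get(f["detector"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_export(SAMPLE_RECORDS)
    for f in results:
        print(f["Id"], f["field"], f["detector"], f["sample"])
    print(summarize(results))
```

Each finding should map back to a rotation task: the AWS key and the Snowflake credential in the sample are the kind of material the advisory says the actor was searching for, so a hit means the key is revoked and regenerated, not merely removed from the record.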