Current Cyber Threats

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift

Summary:
Google Threat Intelligence Group has issued an advisory regarding a widespread data theft campaign conducted by the threat actor UNC6395. Active between August 8 and August 18, 2025, the campaign targeted Salesforce customer instances by abusing compromised OAuth tokens associated with the Salesloft Drift third-party application. Once access was obtained, UNC6395 systematically exported large amounts of data and sifted through it to identify sensitive credentials such as AWS access keys, passwords, and Snowflake-related tokens that could be leveraged for further compromise. GTIG noted that the actor attempted to conceal their activity by deleting query jobs, though the logs themselves remain intact, allowing organizations to review evidence of potential exposure.


Security Officer Comments:
Salesloft confirmed that customers not integrated with Salesforce are unaffected, and GTIG found no indication that Google Cloud customers were directly impacted. However, organizations using Salesloft Drift were strongly urged to examine their Salesforce objects for any exposed Google Cloud Platform service account keys. In response to the campaign, Salesloft and Salesforce took joint action on August 20, 2025, revoking all active Drift tokens and removing the application from the AppExchange pending further investigation. Importantly, the compromise was not the result of a flaw in Salesforce’s core platform. GTIG, Salesforce, and Salesloft have proactively notified impacted organizations and continue to coordinate mitigations. Technical analysis revealed that UNC6395 conducted specific queries against Salesforce objects such as Accounts, Opportunities, Users, and Cases, retrieving detailed user and organizational data including usernames, emails, login history, and case records.

Suggested Corrections:
GTIG researchers recommend that organizations using Drift integrated with Salesforce consider their Salesforce data compromised and take immediate remediation steps. Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine whether the secrets were abused by the threat actor.


Investigate for Compromise and Scan for Exposed Secrets
  • Search for the IP addresses and User-Agent strings provided in the IOCs section below. While this list includes IPs from the Tor network that have been observed to date, Mandiant recommends a broader search for any activity originating from Tor exit nodes.
  • Review Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user.
  • Review authentication activity from the Drift Connected App.
  • Review UniqueQuery events that log executed SOQL queries.
  • Open a Salesforce support case to obtain specific queries used by the threat actor.
  • Search Salesforce objects for potential secrets, such as:
    • AKIA for long-term AWS access key identifiers
    • Snowflake or snowflakecomputing.com for Snowflake credentials
    • password, secret, key to find potential references to credential material
    • Strings related to organization-specific login URLs, such as VPN or SSO login pages
  • Run tools like Trufflehog to find secrets and hardcoded credentials.
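As an added defender-side illustration (not code from the advisory, GTIG or Salesloft), the following Python scans a constructed set of exported Salesforce records for the secret classes listed above (AKIA key IDs, Snowflake references, credential keywords, VPN/SSO login URLs) and reports which record and field needs remediation; the object and field names, record IDs and values are invented for this example.

```python
import re

# Patterns for the secret classes named in the advisory: long-term AWS key IDs,
# Snowflake references, generic credential keywords, and VPN/SSO login URLs.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"\bsnowflake(?:computing\.com)?\b", re.IGNORECASE),
    "credential_keyword": re.compile(r"\b(?:password|passwd|secret|api[_-]?key|key)\b", re.IGNORECASE),
    "login_url": re.compile(r"https?://\S*(?:vpn|sso)\S*", re.IGNORECASE),
}

# Constructed sample records standing in for exported Salesforce objects;
# the object/field names, IDs and values are invented for this example.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "CASE-0001",
     "Description": "Customer attached creds: AKIAEXAMPLE012345678 and the password is hunter2"},
    {"object": "Account", "Id": "ACC-0002",
     "Notes": "Warehouse: acme-prod.snowflakecomputing.com, user svc_reporting"},
    {"object": "Opportunity", "Id": "OPP-0003",
     "Notes": "Pilot access via https://vpn.example.internal/login and https://sso.example.com"},
    {"object": "Account", "Id": "ACC-0004",
     "Notes": "Renewal call scheduled for Q4; no technical details"},
]

def redact(category, value):
    """Mask AWS key IDs beyond their first 8 characters so the triage report does not re-expose them."""
    if category == "aws_access_key_id":
        return value[:8] + "*" * (len(value) - 8)
    return value

def scan_records(records):
    """Return one finding per pattern hit, identifying the record and field to remediate."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in ("object", "Id"):
                continue  # metadata, not free text
            for category, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    findings.append({"object": rec["object"], "id": rec["Id"], "field": field,
                                     "category": category, "match": redact(category, m.group(0))})
    return findings

def summarize(findings):
    """Count findings per category; any non-zero count warrants rotating the affected credentials."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts
```

Point `scan_records` at the records you export from each object (Accounts, Opportunities, Users, Cases) and treat every finding as a credential to revoke and rotate.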

Rotate Credentials
  • Immediately revoke and rotate any discovered keys or secrets.
  • Reset passwords for associated user accounts.
  • Configure session timeout values in Session Settings to limit the lifespan of a compromised session.

Harden Access Controls

Additional instructions and updates are available on the Salesloft Trust Center and the Salesforce advisory.

Link(s):
https://cloud.google.com/blog/topic...heft-salesforce-instances-via-salesloft-drift