A significant data breach involving corporate Salesforce instances has emerged, with hackers exploiting compromised OAuth tokens associated with the Salesloft Drift application. This sophisticated exfiltration campaign has led to the exposure of sensitive data from numerous organizations.
The threat group, identified as UNC6395, carried out the operation between August 8 and 18, 2025. It maintained a high level of operational security while systematically extracting data by running Salesforce Object Query Language (SOQL) queries across multiple Salesforce objects, a methodical approach to the attack.
Key elements of the breach include the theft of AWS keys, Snowflake tokens, and user passwords, all harvested from Salesforce data. Because the actor authenticated with compromised OAuth tokens, it was able to bypass traditional security safeguards, which complicated detection for the affected businesses.
This incident exemplifies a critical supply chain attack vector that abuses the established trust between Salesforce instances and their integrated third-party applications. Because UNC6395 moved through the environment using legitimate credentials, it circumvented existing security controls; the activity maps to MITRE ATT&CK tactics, particularly initial access and credential dumping.
After discovering the breach, Salesforce and Salesloft revoked all active OAuth tokens associated with the Drift application on August 20, 2025. The Drift app was subsequently suspended from the Salesforce AppExchange pending a thorough security review.
Organizations using the Salesloft Drift integration are urged to take several remediation steps. They should examine Event Monitoring logs for unusual authentication events tied to the connected app, and use tools such as TruffleHog to identify exposed secrets stored in Salesforce objects.
Tightening the permissions granted to connected apps is also essential: restrict OAuth scopes, apply IP address restrictions, and follow the principle of least privilege. Organizations should also shorten session timeout settings to limit the exposure window from a compromised account.
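As an added example (not from the article, Salesforce or Salesloft), the two checks above sketched in Python: flag connected-app logins from outside trusted IP ranges in Event Monitoring style log rows, and scan text fields returned by a SOQL query for the kinds of secrets the article names. The CSV column names, the `Drift` application label, the trusted range and all records are constructed assumptions for the example.

```python
import csv
import io
import ipaddress
import re

# Constructed Login-event rows in EventLogFile CSV style; the column names are
# assumed for this example and should be mapped to the real export.
CONSTRUCTED_LOGIN_CSV = """TIMESTAMP_DERIVED,USER_NAME,APPLICATION,API_TYPE,CLIENT_IP
2025-08-09T02:14:07Z,svc.drift@example.com,Drift,REST,198.51.100.23
2025-08-09T09:30:11Z,jane@example.com,Browser,,203.0.113.5
2025-08-12T03:45:52Z,svc.drift@example.com,Drift,REST,203.0.113.77
"""

def unexpected_app_logins(csv_text, app_name, trusted_cidrs):
    """Return (timestamp, user, ip) for logins by app_name from outside trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if row["APPLICATION"] == app_name and not any(ip in net for net in nets):
            flagged.append((row["TIMESTAMP_DERIVED"], row["USER_NAME"], row["CLIENT_IP"]))
    return flagged

# AWS access key IDs are 20 chars starting AKIA (long-term) or ASIA (temporary).
# The Snowflake and password patterns are keyword-context heuristics (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(r"snowflake\S*\s*(?:token|pat)\s*[:=]\s*\S{20,}", re.I),
    "password": re.compile(r"\bpass(?:word|wd)\s*[:=]\s*\S+", re.I),
}

def scan_records(records):
    """Return (Id, field, secret type) for every secret-like match in string fields."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field != "Id" and isinstance(value, str):
                hits.extend((rec["Id"], field, name)
                            for name, pat in SECRET_PATTERNS.items() if pat.search(value))
    return hits

# Constructed Case records standing in for a SOQL result set.
CONSTRUCTED_CASES = [
    {"Id": "500A1", "Subject": "S3 sync failing", "Description": "Key is AKIAABCDEFGHIJKLMNOP, secret attached"},
    {"Id": "500A2", "Subject": "Warehouse login", "Description": "snowflake_token = sf_pat_0123456789abcdefXYZ"},
    {"Id": "500A3", "Subject": "Renewal question", "Description": "Customer asked about pricing tiers."},
]

if __name__ == "__main__":
    print(unexpected_app_logins(CONSTRUCTED_LOGIN_CSV, "Drift", ["198.51.100.0/24"]))
    print(scan_records(CONSTRUCTED_CASES))
```

Every record that scan_records flags should be treated as a credential that needs rotation, since the data may already have been exported.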
This incident serves as a stark reminder of the vulnerabilities present in third-party integrations and underscores the importance of continuously monitoring OAuth-enabled applications that have access to sensitive corporate data.