A widespread data theft campaign, tracked by Google’s Threat Intelligence Group (GTIG) as UNC6395, has targeted hundreds of organizations by exploiting a security breach at the sales automation platform Salesloft. Between August 8 and August 18, 2025, the threat actors obtained OAuth and refresh tokens from Salesloft’s Drift AI chat agent integration with Salesforce. This breach allowed the hackers to access and exfiltrate large volumes of data from numerous corporate Salesforce instances. Salesloft, in coordination with Salesforce, has since revoked all active access and refresh tokens for the Drift application to mitigate the attack and has notified all impacted customers.
The primary objective of the attackers was to harvest credentials and sensitive information that could be used for further compromise.
According to advisories from both Salesloft and Google, UNC6395 specifically targeted sensitive data such as AWS access keys, passwords, and Snowflake-related access tokens. Once they gained access to a Salesforce instance, they executed a series of Salesforce Object Query Language (SOQL) queries to systematically extract data from various objects, including Cases, Accounts, Users, and Opportunities. This methodical approach demonstrates a high level of operational discipline and a clear focus on acquiring credentials to expand their access to other platforms.
To obscure their malicious activity, the attackers employed several techniques. They used infrastructure hosted on providers like AWS and DigitalOcean, and routed their traffic through the Tor network to hide their IP addresses. Additionally, GTIG observed that UNC6395 demonstrated a high degree of operational security by deleting query jobs after execution, a tactic designed to cover their tracks. However, the attack did not impact event logs, which remain a crucial resource for organizations to investigate and determine the extent of their data exposure. The attackers also used custom tools, with user-agent strings like Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0, to automate the data theft process.
In response to the incident, Salesforce has temporarily removed the Drift application from its AppExchange marketplace. Both Salesloft and Google have provided guidance to affected organizations on how to respond and remediate the breach. Administrators of environments that used the Drift-Salesforce integration are strongly advised to assume their data has been compromised. Remediation steps include rotating all credentials, particularly those for AWS and Snowflake, and searching Salesforce objects for any other hardcoded secrets that may have been stolen. Organizations should review their Salesforce Event Monitoring logs for suspicious activity and unusual queries associated with the Drift connection user.
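As an added illustration of that log review and secret hunt (example code, not guidance from Salesloft, Salesforce or Google), the script below triages a constructed Event Monitoring export for the two user-agent strings and the bulk object queries described above, and scans a free-text field for hardcoded credentials; the CSV column names and the Drift connection user name are assumptions, so adjust them to your own export.

```python
import csv
import io
import re

# User-agent strings reported for the UNC6395 tooling.
SUSPICIOUS_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
# Objects the campaign pulled in bulk.
TARGETED_OBJECTS = {"Case", "Account", "User", "Opportunity"}
# Assumed name of the Drift integration's connection user (replace with yours).
DRIFT_USER = "drift-integration@example.invalid"

FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
# AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Loose match for "password=<value>" style credentials pasted into text fields.
PASSWORD_RE = re.compile(r"(?i)\bpassword\s*[:=]\s*\S+")

# Constructed sample; not a real Event Monitoring export, column names assumed.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,USER_AGENT,QUERY
2025-08-10T02:11:09Z,drift-integration@example.invalid,Salesforce-Multi-Org-Fetcher/1.0,"SELECT Id, Subject, Description FROM Case"
2025-08-10T02:11:42Z,drift-integration@example.invalid,Salesforce-CLI/1.0,"SELECT Id, Email FROM User"
2025-08-10T09:00:00Z,alice@example.invalid,Mozilla/5.0,SELECT Id FROM Account WHERE Id = '001xx'
2025-08-10T09:05:00Z,drift-integration@example.invalid,Drift/Connector,SELECT Id FROM Contact LIMIT 1
"""


def triage_event_log(csv_text):
    """Return (timestamp, reason) for every row matching a campaign indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["USER_AGENT"] in SUSPICIOUS_USER_AGENTS:
            reasons.append("known UNC6395 user-agent")
        match = FROM_RE.search(row["QUERY"])
        obj = match.group(1) if match else ""
        if row["USER_NAME"] == DRIFT_USER and obj in TARGETED_OBJECTS:
            reasons.append(f"Drift user querying {obj}")
        if reasons:
            findings.append((row["TIMESTAMP"], "; ".join(reasons)))
    return findings


def find_secrets(text):
    """Return hardcoded secrets found in a free-text field such as Case.Description."""
    return AWS_KEY_RE.findall(text) + PASSWORD_RE.findall(text)


if __name__ == "__main__":
    for stamp, reason in triage_event_log(SAMPLE_LOG):
        print(stamp, reason)
    print(find_secrets("see key AKIAABCDEFGHIJKLMNOP and password=hunter2"))
```

Rows flagged only because the Drift user touched a targeted object are the ones to compare against the integration's normal query pattern, since a legitimate connector may read some of those objects on its own.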
While the extortion group ShinyHunters initially claimed responsibility for the attack, Google’s Threat Intelligence Group has not been able to find any compelling evidence connecting them to UNC6395 at this time. The attack highlights a significant supply chain vulnerability: a compromise of a third-party application can provide a gateway to an organization’s critical data. The incident serves as a stark reminder for companies to continuously audit third-party integrations, enforce the principle of least privilege, and maintain a robust security posture to protect against similar attacks.