
A widespread data theft campaign allowed hackers to compromise the sales automation platform Salesloft and steal OAuth and refresh tokens associated with its Drift artificial intelligence (AI) chat agent.
The activity, assessed to be opportunistic in nature, is attributed to a threat cluster that Google Threat Intelligence Group and Mandiant track as UNC6395.
“From August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.”
In these attacks, the threat actors were observed exporting large volumes of data from numerous corporate Salesforce instances, with the aim of harvesting credentials that could be used to compromise victim environments. These include Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.

UNC6395 also demonstrated operational security awareness by deleting query jobs, but Google is urging organizations to investigate further to determine the extent of the compromise, revoke API keys, rotate credentials, and review relevant logs for evidence of data exposure.
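A defender-side illustration of the credential harvesting described above, added here and not taken from the original report or from any vendor's tooling: a small Python scanner that runs the same kind of secret search over an exported set of Salesforce Case records, so an organization reviewing its own data can see which credential types were exposed and need rotation. The AKIA prefix shape is AWS's documented access key ID format; the Snowflake and password patterns, field names and sample records are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Regexes for the credential types the campaign reportedly hunted for.
# The AWS access key ID shape (AKIA + 16 upper-case alphanumerics) is AWS's
# documented format; the Snowflake and password heuristics are assumptions
# made for this example, not patterns taken from any vendor advisory.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake[_\-]?token\s*[:=]\s*\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

def redact(secret: str) -> str:
    """Keep a short prefix so the finding is identifiable without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_record(record: Dict[str, object]) -> List[Dict[str, str]]:
    """Check every string field of one exported record against each pattern."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue  # skip nulls, numbers and nested objects
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append({"record": str(record.get("Id", "?")), "field": field,
                                 "type": kind, "match": redact(match.group(0))})
    return findings

def scan_export(records: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    return [f for record in records for f in scan_record(record)]

def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per credential type: this is the rotation worklist."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts

# Constructed sample: a few Case records as they might look after export.
SAMPLE_EXPORT = [
    {"Id": "500000000000001AAA", "Subject": "Deploy failing",
     "Description": "Our CI uses AKIAIOSFODNN7EXAMPLE, secret attached below."},
    {"Id": "500000000000002AAA", "Subject": "Warehouse access",
     "Description": "Set snowflake_token=sf_constructed_token_123 in the connector."},
    {"Id": "500000000000003AAA", "Subject": "Account recovery",
     "Description": "Temp password: Tr0ub4dor&3 shared over the phone.", "Priority": None},
    {"Id": "500000000000004AAA", "Subject": "Invoice question",
     "Description": "Please resend last month's invoice."},
]
```

Running `summarize(scan_export(SAMPLE_EXPORT))` on the constructed records yields one finding of each type; against a real export the counts tell you which key owners to contact first, while the redacted matches keep the report itself from becoming a second copy of the secrets.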
In an advisory published on August 20, 2025, Salesloft said it had identified a security issue in its Drift application and proactively revoked the connection between Drift and Salesforce. Customers who have not integrated with Salesforce are not affected by the incident.
“The threat actor used OAuth credentials to remove data from your Salesforce instance,” Salesloft said. “The threat actor ran queries to retrieve information related to various Salesforce objects, such as cases, accounts, users, opportunities, and more.”
The company also recommends that administrators re-authenticate the Salesforce connection to re-enable the integration. The exact scale of the activity is unknown, although Salesloft said it has notified all affected parties.
In a statement on Tuesday, Salesforce said “a small number of customers” were affected and attributed the issue to “compromised app connections.”
“We worked with Salesforce to disable active access, update tokens, remove Drift from AppExchange, and then notified the affected customers,” Salesforce added.
The development comes as Salesforce instances have become an active target for financially motivated threat groups such as UNC6040 and UNC6240 (aka ShinyHunters), the latter of which has teamed up with Scattered Spider (aka UNC3944) for initial access.

“The most notable thing about UNC6395’s attacks is both the scale and the discipline,” said Cory Michal, CSO at AppOmni. “This was not a one-off compromise. Hundreds of Salesforce tenants belonging to organizations of interest were targeted using stolen OAuth tokens, and the attackers systematically queried and exported data across many environments.”
“They have demonstrated a high level of operational discipline, running structured queries, specifically searching for credentials, and removing jobs to try to cover their tracks. The combination of scale, focus and tradecraft makes this campaign stand out.”
Michal also pointed out that many of the targeted and compromised organizations are themselves security and technology companies, indicating that the campaign could be an “opening move” in a broader supply chain attack strategy.
“By compromising an initial vendor or service provider, the attacker is positioned to pivot to its downstream customers and partners,” Michal added. “This could be not only an isolated SaaS compromise, but also the foundation for a much larger campaign aimed at exploiting the trust that exists throughout the technology supply chain.”