

Ethical Hacking News

A Widespread Data Theft Campaign Targets Salesforce Instances via Salesloft Drift



A widespread data theft campaign targeting Salesforce instances via the Salesloft Drift third-party application has been reported by Google Threat Intelligence Group (GTIG). The campaign, carried out by a threat actor tracked as UNC6395, began on August 8, 2025, and continued through at least August 18, 2025. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, targeting sensitive credentials such as AWS access keys, passwords, and Snowflake-related access tokens. Organizations are urged to take immediate remediation steps.

  • Google issued an advisory about a data theft campaign by threat actor UNC6395.
  • The campaign targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
  • The primary intent of the threat actor was to harvest credentials, and they exported large volumes of sensitive data.
  • Organizations should review relevant logs for evidence of data exposure despite UNC6395 deleting query jobs.
  • Salesloft customers that do not integrate with Salesforce are not impacted by this campaign, but customers using Salesloft Drift should review their Salesforce objects.



    Google has issued an advisory to alert organizations about a widespread data theft campaign, carried out by a threat actor tracked as UNC6395. The campaign began as early as August 8, 2025, and continued through at least August 18, 2025, targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.

    The threat actor systematically exported large volumes of data from numerous corporate Salesforce instances. Google Threat Intelligence Group (GTIG) assesses that the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through it for secrets that could potentially be used to compromise victim environments.

    GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted, and organizations should still review relevant logs for evidence of data exposure.

    Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign. There is no evidence indicating direct impact to Google Cloud customers, but any customers that use Salesloft Drift should also review their Salesforce objects for any Google Cloud Platform service account keys.

    On August 20, 2025, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. Additionally, Salesforce removed the Drift application from the Salesforce AppExchange until further notice and pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform.

    GTIG, Salesforce, and Salesloft have notified impacted organizations.
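
    One way to carry out the review of Salesforce objects described above, as an added example that is not from GTIG, Salesloft or Salesforce: a Python scan of a CSV export of Salesforce records for the credential types named in the advisory. The regular expressions, the Case-style field names and the sample rows are assumptions constructed for illustration; the AWS key is the placeholder value from AWS documentation.

```python
import csv
import io
import re

# Patterns are assumptions for this example, not GTIG's own search strings.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
    "gcp_service_account_key": re.compile(
        r'"type"\s*:\s*"service_account"|-----BEGIN (?:RSA )?PRIVATE KEY-----'),
}

# Constructed sample export (hypothetical Case records); the AWS key is the
# placeholder from AWS documentation, not a real credential.
SAMPLE_EXPORT = '''Id,Subject,Description
500000000000001,Login issue,"User cannot log in after reset."
500000000000002,S3 sync failing,"Key AKIAIOSFODNN7EXAMPLE and password: Hunter2!"
500000000000003,Warehouse load,"Use acme-xy12345.snowflakecomputing.com with the token"
500000000000004,GCP deploy,"{""type"": ""service_account"", ""project_id"": ""demo""}"
'''


def redact(match_text):
    """Keep a short prefix so the report itself does not leak the secret."""
    return f"{match_text[:4]}... ({len(match_text)} chars)"


def scan_export(csv_text, id_field="Id"):
    """Return one finding per (record, field, detector, match) in a CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            # Skip the id column and malformed cells (short or overlong rows).
            if field == id_field or not isinstance(value, str):
                continue
            for name, pattern in DETECTORS.items():
                for m in pattern.finditer(value):
                    findings.append({"record": row[id_field], "field": field,
                                     "detector": name, "evidence": redact(m.group(0))})
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

    Each finding identifies a record that held a secret while the Drift integration had access, so the credential it points to can be treated as exposed even if the record is later cleaned up.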



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Widespread-Data-Theft-Campaign-Targets-Salesforce-Instances-via-Salesloft-Drift-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift/


  • Published: Tue Aug 26 12:53:25 2025 by llama3.2 3B Q4_K_M












