

Ethical Hacking News

The Salesforce Data Breach Saga: Unpacking the Salesloft Connection


Google has linked recent Salesforce-related breaches to the Salesloft Drift app, citing attackers stealing OAuth tokens to access CRM data in a 'widespread campaign'. The breach is believed to have occurred between August 8 and 18, affecting multiple organizations.

  • Gmail data thefts have been linked to the Salesloft Drift app, with attackers stealing OAuth tokens to access the third-party sales platform and then CRM data.
  • The breach affected multiple organizations, including Allianz Life, Workday, Qantas, and LVMH brands, between August 8 and 18.
  • Google says the attackers are not the group behind the ShinyHunters (UNC6240) breaches, but rather a different group (UNC6395).
  • The attackers stole Drift OAuth tokens to access Salesforce databases, focusing on sensitive information like AWS access keys and passwords.
  • Google's Threat Intelligence Group has revoked all active access and refresh tokens, requiring IT admins to re-authenticate connections between the third-party sales app and Salesforce.
  • Salesforce removed the Drift app from AppExchange pending Salesloft's assurance that the platform is secure.
  • Organizations using Drift integrated with Salesforce are advised to consider their Salesforce data compromised and take immediate remediation steps.



    Salesforce data thefts have been a recurring issue in recent months, with several high-profile organizations falling victim to breaches. In the latest development, Google has linked the recent spate of Salesforce-related breaches to the Salesloft Drift app, citing attackers stealing OAuth tokens to access the third-party sales platform and then CRM data in a 'widespread campaign'.

    The breach, which occurred between August 8 and 18, affected multiple organizations, including Allianz Life, Workday, Qantas, LVMH brands, and more. While these incidents have been widely attributed to the ShinyHunters group (UNC6240), Google says there isn't enough evidence to suggest the same attackers are behind the Salesloft incidents.

    Instead, Google points to Salesforce customers who were targeted since May as being more susceptible to social engineering and stolen credentials. In contrast, the Salesloft attacks saw attackers steal Drift OAuth tokens to access Salesforce databases. "Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," said Salesloft in a statement.

    The attackers, tracked as UNC6395, gained access using stolen OAuth tokens and ran queries for data associated with Salesforce objects such as cases, accounts, users, and opportunities. Google's Threat Intelligence Group (GTIG) has since revoked all active access and refresh tokens, meaning IT admins must re-authenticate their connections between the third-party sales app and Salesforce.

    Salesforce also removed the Drift app from AppExchange until the investigation into the attacks concludes, pending Salesloft's assurance that the platform is secure. The pair released an extensive list of indicators of compromise (IOCs) for admins to examine, although only those whose platforms integrated with Salesforce are advised to investigate signs of malicious activity.

    GTIG and Salesloft added that all potentially affected customers were notified directly. "Given GTIG's observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps," said GTIG in its advisory.

    "Affected organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor."

    The Register approached Salesforce for comment and will update this article if we receive a response.
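
GTIG's advice to search Salesforce objects for secrets can be approached as a scan over exported records. The sketch below is an added example, not code from GTIG, Salesloft or Salesforce; it assumes records exported as dictionaries with a hypothetical `object` key naming the Salesforce object, and the password, token and Snowflake patterns are heuristics chosen for this example.

```python
import re

# The AWS access key ID shape (AKIA/ASIA + 16 characters) is well known.
# The other three patterns are heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_reference": re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b"),
    "generic_token": re.compile(r"(?i)\b(?:secret|token|api[_-]?key)\s*[:=]\s*(\S+)"),
}

def redact(value, keep=4):
    """Keep a short prefix so the report does not become a second copy of the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return one finding per pattern hit in any free-text field of each record."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in ("Id", "object") or not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    # Patterns with a capture group report only the secret value.
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"object": rec.get("object"), "id": rec.get("Id"),
                                     "field": field, "kind": kind,
                                     "match": redact(secret)})
    return findings

# Constructed sample rows (not real data). The AWS key is the example key ID
# from AWS documentation; the record IDs and hostnames are made up.
SAMPLE = [
    {"object": "Case", "Id": "500000000000001", "Subject": "S3 sync failing",
     "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE password=Hunter2!"},
    {"object": "Account", "Id": "001000000000002", "Description": "Renewal due in Q4"},
    {"object": "Case", "Id": "500000000000003",
     "Description": "Warehouse at acme-xy12345.snowflakecomputing.com, token: abcd1234efgh"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE):
        print(f'{f["object"]} {f["id"]} {f["field"]}: {f["kind"]} -> {f["match"]}')
```

Each finding identifies a record to review and a credential to revoke or rotate at its issuer; a hit does not show whether the secret was abused.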



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Salesforce-Data-Breach-Saga-Unpacking-the-Salesloft-Connection-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/27/salesforce_salesloft_breach/


  • Published: Wed Aug 27 08:46:02 2025 by llama3.2 3B Q4_K_M












