A sophisticated data exfiltration campaign targeting corporate Salesforce instances has exposed sensitive information from multiple organizations through compromised OAuth tokens<\/a> associated with the Salesloft Drift third-party application.\u00a0<\/p>\n The threat actor, designated as UNC6395, systematically harvested credentials and sensitive data between August 8-18, 2025, demonstrating advanced operational security awareness while executing SOQL queries across numerous Salesforce objects.<\/p>\n The campaign represents a significant supply chain attack vector, exploiting the trust relationship between Salesforce instances and integrated third-party applications.\u00a0<\/p>\n UNC6395 leveraged legitimate OAuth authentication mechanisms to gain unauthorized access, bypassing traditional security controls and making detection particularly challenging for affected organizations.<\/p>\n Google Threat Intelligence Group\u00a0reported<\/a> that the threat actor utilized compromised OAuth access tokens and refresh tokens from the Salesloft Drift application to authenticate against target Salesforce instances.\u00a0<\/p>\n This attack vector exploited the OAuth 2.0 authorization framework<\/a>, which allows third-party applications to access Salesforce data without exposing user credentials directly.<\/p>\n UNC6395 executed systematic SOQL (Salesforce Object Query Language) queries to enumerate and extract data from critical Salesforce objects including Cases, Accounts, Users, and Opportunities.\u00a0<\/p>\n The actor demonstrated technical sophistication by running COUNT queries to assess data volumes before exfiltration:<\/p>\n Salesloft stated<\/a> that the attacker specifically targeted AWS access keys (AKIA identifiers), passwords, Snowflake credentials, and other sensitive authentication materials stored within Salesforce custom fields and standard objects.\u00a0<\/p>\n Post-exfiltration analysis revealed the actor searched extracted data for patterns matching credential formats, indicating a primary objective of credential harvesting rather than traditional data theft.<\/p>\n Salesforce and Salesloft responded by revoking all active OAuth tokens associated with the Drift application on August 20, 2025, effectively terminating the attack vector.\u00a0<\/p>\n The Drift application was subsequently removed from the Salesforce <\/a>AppExchange pending a comprehensive security review.<\/p>\n Organizations using the Salesloft Drift integration should immediately implement several remediation measures.\u00a0<\/p>\n Event Monitoring logs should be reviewed for suspicious UniqueQuery events and authentication anomalies associated with the Drift connected app.\u00a0<\/p>\n Security teams must scan Salesforce<\/a> objects for exposed secrets using tools like TruffleHog and search for patterns including \u201cAKIA\u201d, \u201csnowflakecomputing[.]com\u201d, and generic credential references.<\/p>\n Connected app permissions require immediate hardening through scope restriction, IP address restrictions, and implementation of the principle of least privilege.\u00a0<\/p>\n The \u201cAPI Enabled\u201d permission should be removed from user profiles and granted selectively through Permission Sets to authorized personnel only.\u00a0<\/p>\n Session timeout configurations in Session Settings should be optimized to limit exposure windows for compromised credentials.<\/p>\n This incident highlights the crucial importance of securing third-party integration and the necessity for continuous monitoring of OAuth-enabled applications with access to sensitive corporate data repositories.<\/p>\n Find this Story Interesting! Follow us on\u00a0LinkedIn<\/a>\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/strong>
<\/mark>1. UNC6395 used compromised Salesloft Drift OAuth tokens to access Salesforce instances .
2. Harvested AWS keys, Snowflake tokens, and passwords from Salesforce data.
3. All Drift tokens revoked; organizations must rotate credentials.<\/pre>\nOAuth Token Exploitation\u00a0<\/strong><\/h2>\n
![\"Hackers](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdGItvPH5jBp0pUtk00rFXzfsi1qsdQjMOcXRlNSODIYM9w3mRUEb4kI7EKaYrYWVCT_Bgeeh7iCkiuvlVBLYeBHKPZ9pjx7GV0Sf9f1oLNpRg0sylFd3ayfbP2LXZNOnq-XKO7IA?key=6taIYw8fYGXkBnKvDqE80w\")
Mitigatons<\/strong><\/h2>\n