Particle.news


Google Flags Widespread Salesforce Data Theft Tied to Salesloft Drift Token Breach

Investigators say UNC6395 used a third-party integration to siphon CRM records as part of a credential-harvesting operation.


Overview

  • GTIG reports that attackers used stolen OAuth and refresh tokens from Salesloft’s Drift integration between August 8 and 18 to access and export data from hundreds of customer instances.
  • Over 700 organizations are potentially impacted, with automated queries pulling data from objects such as Cases, Accounts, Users, and Opportunities.
  • The campaign focused on harvesting secrets including AWS access keys, passwords, VPN details, and Snowflake tokens to enable downstream compromise.
  • Salesloft and Salesforce revoked Drift access and refresh tokens on August 20, removed the app from AppExchange, required reauthentication, and notified affected customers.
  • UNC6395 routed its activity through Tor and cloud hosting providers and deleted its query jobs to obscure the activity, but GTIG released IP and user-agent IOCs and urged customers with the Drift–Salesforce integration to assume compromise, search their Salesforce data for stored secrets, and rotate any credentials found.
  • Salesforce says a small number of customers were accessed via the app connection; attribution remains disputed after a ShinyHunters claim.
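The remediation GTIG urged (search exported CRM text for stored secrets, then rotate whatever turns up) can be automated. The following Python scan is an added example, not code from Particle.news, GTIG, Salesforce or Salesloft. It runs over constructed Salesforce-style rows (Case, Account, Opportunity) and flags the secret classes the bullets name: AWS access key IDs and secret keys, passwords, Snowflake account hostnames and VPN pre-shared keys. The regular expressions, the record IDs and every credential value are constructed for illustration (the AWS pair is the publicly documented AWS example key, not a live credential); the patterns are heuristics that a practitioner would tune against their own data.

```python
import re
from dataclasses import dataclass

# Constructed sample export: text fields from objects the campaign queried.
# Record IDs and all credential values are made up for this example.
SAMPLE_RECORDS = [
    {"Id": "5000000000000AA", "Object": "Case", "Subject": "Deploy failing",
     "Description": "Use key AKIAIOSFODNN7EXAMPLE with secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY to test the bucket."},
    {"Id": "5000000000000AB", "Object": "Case", "Subject": "Login issue",
     "Description": "Admin password: Summ3r!2024 works on "
                    "https://acme-xy12345.snowflakecomputing.com"},
    {"Id": "0010000000000AC", "Object": "Account", "Name": "Example Corp",
     "Description": "VPN setup notes: gateway vpn.example.com, PSK=correct-horse-battery"},
    {"Id": "0060000000000AD", "Object": "Opportunity", "Name": "Renewal",
     "Description": "Renewal discussion, no technical details."},
]

# Heuristic patterns (assumptions, not an authoritative secret grammar).
# Where a pattern has a capture group, the group is the secret value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"\bsecret(?:\W+access)?(?:\W+key)?\W*[:=]?\s*"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])", re.IGNORECASE),
    "password": re.compile(
        r"\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)", re.IGNORECASE),
    "snowflake_account": re.compile(
        r"\b[a-z0-9_-]+\.snowflakecomputing\.com\b", re.IGNORECASE),
    "vpn_psk": re.compile(
        r"\b(?:psk|pre-?shared\s+key)\b\s*[:=]\s*(\S+)", re.IGNORECASE),
}

# Fields that identify the record rather than hold free text; never scanned.
METADATA_FIELDS = {"Id", "Object"}


@dataclass(frozen=True)
class Finding:
    record_id: str
    sobject: str
    field: str
    kind: str
    preview: str  # redacted so the report itself does not leak the secret


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_records(records) -> list[Finding]:
    """Scan every free-text field of every record for the patterns above."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field in METADATA_FIELDS or not isinstance(text, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    value = m.group(1) if pattern.groups else m.group(0)
                    findings.append(Finding(rec["Id"], rec["Object"], field,
                                            kind, redact(value)))
    return findings


def affected_records(findings) -> dict[str, set[str]]:
    """Map each affected record ID to the kinds of secrets found in it,
    which is the rotation worklist a responder actually needs."""
    worklist: dict[str, set[str]] = {}
    for f in findings:
        worklist.setdefault(f.record_id, set()).add(f.kind)
    return worklist


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.sobject} {f.record_id} {f.field}: {f.kind} -> {f.preview}")
    print("records needing credential rotation:", sorted(affected_records(results)))
```

In practice the input would be a Bulk API or Data Loader export of the same objects the campaign queried; the scan deliberately reports a redacted preview rather than the matched value, so the triage output can be shared without recreating the exposure.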