Particle.news

Google Ties Salesforce Data-Theft Spree to Stolen Drift OAuth Tokens, Flags UNC6395

GTIG attributes the spree to UNC6395, urging Drift–Salesforce customers to assume compromise.

Salesforce data breach via Salesloft Drift app reported by Google
Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach

Overview

  • Attackers used compromised OAuth and refresh tokens from Salesloft’s Drift integration to access and export data from Salesforce customer instances between August 8 and 18, 2025.
  • GTIG says it is aware of over 700 potentially impacted organizations, while Salesforce describes the number of affected customer instances via the Drift connection as small.
  • The campaign focused on harvesting high‑value secrets, including AWS access keys, passwords, VPN/SSO details, and Snowflake tokens, to enable downstream compromise.
  • Operations were automated with Python tools using identifiable user‑agent strings, and the actor attempted to delete query jobs to hide activity, but relevant logs remained available for review.
  • Salesloft and Salesforce revoked Drift tokens on August 20 and removed the app from AppExchange; customers using the integration must reauthenticate, review IOCs, and rotate exposed credentials. ShinyHunters’ claim of responsibility remains uncorroborated by Google.
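A defender-side triage sketch for the activity described above, added here as an example and not code from Google, Salesloft or Salesforce. It runs over constructed, simplified API-activity records (the row shape is assumed, not a real Salesforce log schema) and over constructed case text, flagging the signals the bullets name (unfamiliar user agents on the Drift connected app, large exports, query-job deletions) and locating credential-like strings that would need rotation; the user-agent and baseline values are placeholders.

```python
import re
from datetime import datetime

# Constructed, simplified API-activity records (assumed shape, not a real Salesforce export):
# (timestamp, connected_app, user_agent, operation, rows_returned)
SAMPLE_EVENTS = [
    ("2025-08-09T02:11:03Z", "Drift", "DriftSync/2.1", "query", 120),
    ("2025-08-09T02:12:40Z", "Drift", "python-requests/2.x (placeholder)", "bulk_query", 250000),
    ("2025-08-09T02:13:02Z", "Drift", "python-requests/2.x (placeholder)", "bulk_query", 310000),
    ("2025-08-09T02:15:00Z", "Drift", "python-requests/2.x (placeholder)", "delete_job", 0),
    ("2025-08-12T09:00:00Z", "Drift", "DriftSync/2.1", "query", 95),
]

# Assumed baseline: the user agents the integration normally presents (placeholder value).
KNOWN_AGENTS = {"DriftSync/2.1"}
# Activity window reported for the campaign (August 8-18, 2025).
WINDOW_START = datetime(2025, 8, 8)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59)
BULK_ROW_THRESHOLD = 100_000  # assumed per-job export size that is abnormal for this app

def triage(events, known_agents=KNOWN_AGENTS):
    """Return (timestamp, signal, detail) findings for Drift activity inside the window."""
    findings = []
    for ts, app, ua, op, rows in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if app != "Drift" or not (WINDOW_START <= when <= WINDOW_END):
            continue
        if ua not in known_agents:          # scripted client instead of the app's usual one
            findings.append((ts, "unknown_user_agent", ua))
        if op == "bulk_query" and rows >= BULK_ROW_THRESHOLD:
            findings.append((ts, "large_export", rows))
        if op == "delete_job":              # attempt to remove evidence of the export job
            findings.append((ts, "job_deletion", op))
    return findings

# Patterns for credential-like strings; the AWS key id format is documented, the rest are heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}
# Constructed case text; AKIAIOSFODNN7EXAMPLE is AWS's documented example key, not a live one.
SAMPLE_CASE_TEXT = "Customer note: temp creds AKIAIOSFODNN7EXAMPLE and password: Hunter2! for staging"

def find_secret_candidates(text, patterns=SECRET_PATTERNS):
    """List (kind, match) pairs so exposed material can be rotated, not just reported."""
    return [(kind, m.group(0)) for kind, rx in patterns.items() for m in rx.finditer(text)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(find_secret_candidates(SAMPLE_CASE_TEXT))
```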