Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
UNC6395 campaign aims to exfiltrate Salesforce data via compromised OAuth tokens

27 August 2025 12:58

A sophisticated data exfiltration campaign targeted companies' Salesforce instances, exposing sensitive information from several organizations. Access was obtained through compromised OAuth tokens associated with the third-party Salesloft Drift application.

The threat actor, identified as UNC6395, collected credentials and sensitive data between August 8 and August 18, 2025, and showed significant awareness of operational security while running SOQL queries against multiple Salesforce objects.

UNC6395 ran systematic Salesforce Object Query Language (SOQL) queries to enumerate and extract data from critical Salesforce objects, including cases, accounts, users, and opportunities. According to Google Threat Intelligence Group, the threat actor authenticated to the targeted Salesforce instances with compromised OAuth access tokens and refresh tokens belonging to the Salesloft Drift application.

Salesloft stated that the attacker specifically targeted AWS access keys (AKIA identifiers), passwords, Snowflake credentials, and other sensitive authentication material stored in custom fields and standard Salesforce objects.

UNC6395 leveraged legitimate OAuth authentication mechanisms to gain unauthorized access, bypassing traditional security controls and making detection particularly difficult for affected organizations.

Salesforce and Salesloft responded by revoking all active OAuth tokens associated with the Drift application on August 20, 2025, effectively terminating the attack vector. Post-exfiltration analysis revealed that the actor searched the extracted data for patterns matching credential formats, indicating a primary goal of credential harvesting rather than traditional data theft.

This attack vector leverages the OAuth 2.0 authorization framework, which allows third-party applications to access Salesforce data without directly exposing user credentials. The actor demonstrated technical sophistication by running COUNT queries to assess data volumes before exfiltration.
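The "count first, then pull" sequence described above is something a defender can look for in Salesforce API query logs. The following is an added detection example written for this article, not code from the original report or from Salesforce or Google; the query records are constructed inline and do not follow any real Salesforce log schema, and the connected app names and 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not Salesforce's real log format):
# (timestamp, connected app that issued the query, SOQL text).
# "Drift" here is only a label for the hypothetical third-party app.
SAMPLE_QUERIES = [
    ("2025-08-09T03:12:00", "Drift", "SELECT COUNT() FROM Account"),
    ("2025-08-09T03:12:05", "Drift", "SELECT COUNT() FROM Case"),
    ("2025-08-09T03:14:10", "Drift", "SELECT Id, Name, Phone, Website FROM Account"),
    ("2025-08-09T03:15:40", "Drift", "SELECT Id, Subject, Description FROM Case"),
    # Benign-looking dashboard: the COUNT and the SELECT are 90 minutes apart.
    ("2025-08-09T09:00:00", "Sales Dashboard", "SELECT COUNT() FROM Opportunity"),
    ("2025-08-09T10:30:00", "Sales Dashboard",
     "SELECT Id FROM Opportunity WHERE StageName = 'Closed Won'"),
]

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.IGNORECASE)
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)", re.IGNORECASE)


def find_enumeration_pattern(records, window_minutes=30):
    """Return (app, object) pairs where one app issued SELECT COUNT() on an
    object and then a non-COUNT SELECT on the same object within the window.
    That ordering is the volume-sizing-then-extraction behaviour described
    in the article; the window length is an assumed tuning value."""
    last_count = {}  # (app, object) -> time of the most recent COUNT()
    hits = []
    for ts, app, soql in sorted(records, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        m = COUNT_RE.match(soql)
        if m:
            last_count[(app, m.group(1).lower())] = when
            continue
        m = SELECT_RE.match(soql)
        if not m:
            continue
        key = (app, m.group(2).lower())
        counted_at = last_count.get(key)
        if counted_at and when - counted_at <= timedelta(minutes=window_minutes):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for app, obj in find_enumeration_pattern(SAMPLE_QUERIES):
        print(f"review: app {app!r} sized then extracted object {obj!r}")
```

In a real deployment the records would come from Salesforce's API event logs, and a hit should be correlated with the connected app's expected behaviour before tokens are revoked.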

The Drift application was subsequently removed from the Salesforce AppExchange pending a full security review.
