Organizations worldwide are urged to review their Salesforce environments following the disclosure by the Google Threat Intelligence Group (GTIG) of a large-scale data exfiltration campaign.
The actor, tracked as UNC6395, exploited compromised OAuth tokens from the Salesloft Drift application to harvest sensitive credentials and secrets from corporate Salesforce instances.
Campaign Overview
Beginning August 8, 2025, UNC6395 systematically exported large volumes of data—including cases, accounts, users, and opportunities—from Salesforce customer instances.
After exfiltration, the actor searched for high-value secrets such as Amazon Web Services (AWS) access keys (AKIA identifiers), Snowflake tokens, and plaintext passwords.
Although the threat actor demonstrated operational security by deleting query jobs, event logs remained intact, enabling incident responders to trace activity.
Salesloft confirmed that only customers integrating Drift with Salesforce were impacted, and non-integrated organizations remain unaffected.
On August 20, 2025, in collaboration with Salesforce, Salesloft revoked all active access and refresh tokens for the Drift application.
Salesforce also removed the Drift app from the AppExchange pending further investigation.
GTIG, Salesforce, and Salesloft have directly notified affected organizations.
Threat Actor Tactics and Recommendations
UNC6395 leveraged SOQL queries to enumerate and extract data from key Salesforce objects.
Typical queries included:
```sql
SELECT COUNT() FROM Account;
SELECT COUNT() FROM Opportunity;
SELECT COUNT() FROM User;
SELECT COUNT() FROM Case;
```
More targeted queries retrieved user and case details, capturing fields such as email, login dates, and case numbers.
Given the compromise, organizations should assume Salesforce data is exposed and immediately:
- Search for sensitive material within Salesforce objects and external logs.
- Revoke and rotate any discovered keys or secrets.
- Reset affected user passwords and adjust session timeout settings.
- Harden connected-app scopes, enforce IP restrictions, and limit the “API Enabled” permission to authorized users.
A summary of notable indicators of compromise (IOCs) observed during the campaign is provided below.
| Indicator | Type | Description |
|---|---|---|
| 208.68.36.90 | IP Address | DigitalOcean host |
| 44.215.108.109 | IP Address | AWS infrastructure |
| 154.41.95.2 | IP Address | Tor exit node |
| Salesforce-Multi-Org-Fetcher/1.0 | User-Agent string | Malicious enumeration tool |
| python-requests/2.32.4 | User-Agent string | Data retrieval client |
Security teams should review Drift connection user events in Salesforce Event Monitoring and authentication logs to detect unusual access patterns.
Running secret discovery tools such as TruffleHog against exported Salesforce objects can surface hardcoded credentials.
Organizations are also advised to open a Salesforce support case to obtain the exact query logs executed by the actor.
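The two checks recommended above, matching event log rows against the advisory's IOCs and scanning exported objects for the secret types the actor hunted, as an added example that is not part of the original advisory or any vendor tool. The CSV column layout, the record layout and all sample data are constructed assumptions; the Snowflake keyword pattern is an assumption as well.

```python
import csv
import re

# Indicators taken from the advisory's IOC table.
IOC_IPS = {"208.68.36.90", "44.215.108.109", "154.41.95.2"}
IOC_USER_AGENTS = ("Salesforce-Multi-Org-Fetcher/1.0", "python-requests/2.32.4")
# Bulk COUNT() over the four objects the advisory lists is the enumeration signature.
ENUM_QUERY = re.compile(r"SELECT\s+COUNT\(\)\s+FROM\s+(Account|Opportunity|User|Case)\b", re.I)
# Secret types the actor hunted for. AKIA is the fixed AWS access key ID prefix;
# Snowflake token formats vary, so a keyword match is used for them (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(r"(?i)snowflake[\w.]*\s*[:=]\s*\S+"),
    "plaintext_password": re.compile(r"(?i)\bpass(word)?\s*[:=]\s*\S+"),
}

def flag_log_rows(csv_text):
    """Return [(row_number, [reasons])] for rows matching IOCs or the enumeration pattern.
    The column layout is an assumed simplification, not Salesforce's exact event log schema."""
    hits = []
    for n, row in enumerate(csv.DictReader(csv_text.splitlines()), start=1):
        checks = [("ioc_ip", row["CLIENT_IP"] in IOC_IPS),
                  ("ioc_user_agent", row["USER_AGENT"].startswith(IOC_USER_AGENTS)),
                  ("enumeration_query", bool(ENUM_QUERY.search(row["QUERY"])))]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            hits.append((n, reasons))
    return hits

def find_secrets(records):
    """Scan exported records ({"Id": ..., field: text}) and return (Id, field, secret_kind) hits."""
    found = []
    for rec in records:
        for field, value in rec.items():
            if field == "Id" or not isinstance(value, str):
                continue
            found.extend((rec["Id"], field, kind) for kind, pat in SECRET_PATTERNS.items() if pat.search(value))
    return found

# Constructed sample data (not real logs or records); the AKIA value is AWS's documented example key.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,QUERY
2025-08-09T02:14:11Z,drift-integration,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,SELECT COUNT() FROM Account
2025-08-09T02:14:12Z,drift-integration,44.215.108.109,python-requests/2.32.4,SELECT COUNT() FROM Case
2025-08-09T09:30:00Z,jane.doe,203.0.113.10,Mozilla/5.0,SELECT Name FROM Account LIMIT 10
"""
SAMPLE_RECORDS = [
    {"Id": "500xx0000000001", "Subject": "VPN issue", "Description": "user forgot login"},
    {"Id": "500xx0000000002", "Subject": "Deploy help", "Description": "use AKIAIOSFODNN7EXAMPLE and password=Hunter2!"},
    {"Id": "001xx0000000003", "Name": "Acme", "Description": "snowflake_token = abc.def.ghi"},
]
```

Any hit from `find_secrets` is a key or password to rotate, not just a finding to log; the enumeration match on its own is a prompt to pull the exact query logs from Salesforce support.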
While GTIG has found no evidence of direct impact on Google Cloud customers, any organization using Salesloft Drift must treat this advisory with utmost urgency.
Comprehensive log reviews, credential rotations, and connected-app hardening will be critical to mitigating ongoing risk and preventing similar attacks in the future.