A major data theft campaign has hit corporate Salesforce instances. The actor, tracked as UNC6395, leveraged compromised OAuth tokens from the Salesloft Drift application to pull data. The attacks ran from August 8 through at least August 18.
Google Threat Intelligence Group (GTIG) says the campaign moved at scale. Data was exported by the bucketful. The goal was credentials: AWS access keys, passwords, Snowflake tokens. The intruder worked carefully, deleting query jobs to hide activity. Logs remain untouched. Organizations should assume exposure and review their records.
Salesloft confirmed that customers without Salesforce integrations are unaffected. Google Cloud customers appear safe, though any Drift users should check for exposed service account keys.
On 20 August, Salesloft and Salesforce moved swiftly: they revoked all active Drift tokens and pulled the application from the Salesforce AppExchange pending investigation. The core Salesforce platform itself is not at fault.
How the Attack Worked
UNC6395 queried Salesforce objects (Cases, Accounts, Users, Opportunities) to gather information. Simple SQL-style commands returned massive datasets, including detailed user information. The threat actor then combed these records for secrets.
GTIG says any organization using Drift with Salesforce should assume compromise. Immediate action is necessary.
Steps for Defense
- Investigate for Compromise: Scan Salesforce logs, check authentication activity, review UniqueQuery events, and search for IPs and User-Agent strings linked to the attack. Tor exit nodes should also be considered.
- Search for Secrets: Look for AWS keys (AKIA), Snowflake credentials, passwords, API keys, and organization-specific login strings. Tools like Trufflehog can help.
- Rotate Credentials: Revoke exposed keys, reset user passwords, and configure session timeouts to limit exposure.
- Harden Access Controls: Restrict connected app scopes, enforce IP restrictions, define login IP ranges, and remove API permissions from unauthorized users.
Salesforce and Salesloft continue to update guidance on mitigation. Organizations affected by the attack should follow advisories closely to secure data and prevent further exposure.
GTIG thanks Salesforce, Salesloft, and other partners for their collaboration in responding to this threat.
A Failure of Cloud, SaaS Security
Lawrence Pingree, Technical Evangelist at Dispersive.io, says: “The most notable thing is the use of automation to cascade the breach across multiple entities. A wide scale breach like this is an essential feature of a failure to bring security properly to the cloud and SaaS. We must realize that all these new cloud services are just that, new, and they have potentially new vulnerabilities.”
He says bad actors take advantage of the scale and duplicity in code to scale out and breach many targets instead of just one organization. “That’s always been the downside of monoculture protection (e.g. the fox guarding the henhouse). So we need to prioritize best of breed and innovations in security.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.