
Numerous Salesforce Customer Organizations Targeted in Sophisticated Attack with Potentially Widespread Impact

The threat group tracked by Google as UNC6395 has stolen large volumes of data from corporate Salesforce instances, primarily in search of credentials that could be used to compromise the targeted organisations’ wider environments. The Google Threat Intelligence Group reported that UNC6395 focused on sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. The group accessed the Salesforce instances by first compromising OAuth access tokens linked to Salesloft Drift, an AI-driven live chat tool integrated into the Salesloft revenue orchestration platform. How the attackers obtained these OAuth tokens remains unclear. Between August 8 and August 18, 2025, they used the tokens to exfiltrate data, running queries that retrieved records from various Salesforce objects, such as Cases, Accounts, Users, and Opportunities.

In response to the incident, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens associated with the Drift application on August 20, 2025. Salesforce also removed the Drift application from the Salesforce AppExchange until further notice, pending an investigation. It was clarified that the incident did not arise from a vulnerability in the core Salesforce platform. Affected organisations have been notified, and both Google and Salesloft have published indicators of compromise, including user-agent strings and IP addresses, for organisations to check against their own records. The Google Threat Intelligence Group has also shared specific steps victims can follow to uncover evidence of the attackers’ access to their Salesforce instances. Although UNC6395 showed operational security awareness by deleting its query jobs, the logs remained intact, so organisations can still review them for evidence of data exposure. Organisations that find evidence of compromise are advised to review the contents of the affected Salesforce objects for stored secrets, revoke all API keys, and rotate any credentials stored there. They should also investigate whether any of those secrets have been used in follow-on attacks, in particular whether the group used them to pivot into other cloud or SaaS systems. The scale and discipline of the UNC6395 campaign are particularly noteworthy: using stolen OAuth tokens, the group targeted hundreds of Salesforce tenants belonging to specific organisations of interest.
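One way to carry out the "review the affected Salesforce objects for stored secrets" step above, as an added example that is not code from the report, Google, Salesloft or Salesforce: it scans exported Case and Account text fields for the credential types the report names and builds a redacted rotation worklist. The sample records, the field names and the Snowflake and password heuristics are constructed assumptions; only the AWS access key ID format is a documented one.

```python
import re
from dataclasses import dataclass

# Constructed sample records standing in for an export of Salesforce Case and
# Account objects (hypothetical data, not taken from the incident).
SAMPLE_RECORDS = [
    {"sobject": "Case", "id": "500XX0000001", "field": "Description",
     "text": "Customer shared AWS key AKIAIOSFODNN7EXAMPLE for the integration."},
    {"sobject": "Case", "id": "500XX0000002", "field": "Comments",
     "text": "Snowflake access token: sf_token=eyJhbGciOi... please rotate after use"},
    {"sobject": "Account", "id": "001XX0000003", "field": "Notes",
     "text": "Renewal call scheduled for Q4; no credentials exchanged."},
    {"sobject": "Case", "id": "500XX0000004", "field": "Description",
     "text": "Temporary password: Summ3r!2025 for the staging portal"},
]

# AWS access key IDs have a documented fixed format (AKIA/ASIA + 16 chars).
# The Snowflake and password patterns are keyword heuristics (assumptions) and
# will need tuning per tenant; group(1) holds the secret value where captured.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(r"snowflake.{0,40}?token\W{0,3}(\S+)", re.I),
    "password": re.compile(r"password\s*[:=]\s*(\S+)", re.I),
}

@dataclass(frozen=True)
class Finding:
    sobject: str
    record_id: str
    field: str
    kind: str
    hint: str  # redacted prefix: enough to identify which credential to rotate

def redact(value: str) -> str:
    """Keep a 4-character prefix so the owner can recognise the credential."""
    return value[:4] + "*" * max(0, len(value) - 4)

def scan_records(records):
    """Return one Finding per credential-like value found in any record."""
    findings = []
    for rec in records:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(rec["text"]):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rec["sobject"], rec["id"], rec["field"], kind, redact(value)))
    return findings

def rotation_worklist(findings):
    """Group findings by credential type so each owning team gets one list."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f"{f.sobject}/{f.record_id}.{f.field}: {f.hint}")
    return out
```

Run `rotation_worklist(scan_records(SAMPLE_RECORDS))` against a real export (Bulk API CSV or a SOQL result) by replacing `SAMPLE_RECORDS`; the worklist deliberately never contains the full secret, so it can be handed to the teams that own each credential.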

Categories: Cybersecurity Threats, Data Exfiltration, OAuth Token Compromise 

Tags: UNC6395, Salesforce, OAuth, Credentials, Data Exfiltration, AWS, Access Tokens, Salesloft, Compromise, Security 
