Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
From August 8 to August 18, 2025, the threat actor tracked as UNC6395 conducted a large-scale data theft campaign by compromising OAuth tokens issued to the Salesloft Drift application, used to integrate Drift’s AI-enabled chat with Salesforce, and weaponizing these tokens to infiltrate numerous Salesforce instances. The attacker systematically exfiltrated high-value data from Salesforce objects such as Cases, Accounts, Users, and Opportunities. Their primary objective appears to have been harvesting credentials including AWS access keys, passwords, and Snowflake access tokens. After accessing the data, UNC6395 demonstrated operational security awareness by deleting query jobs to cover their tracks, although logs remained intact for post-incident analysis.
Additional reports from vendors confirmed that the incident had the characteristics of a supply chain compromise stemming from the Salesloft Drift integration. More than twenty organizations, including Google Workspace, Cloudflare, CyberArk, and Palo Alto Networks, acknowledged some level of impact.
IOCs (19)
IP addresses (19)
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 44.215.108.109
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.143
- 185.220.101.164
- 185.220.101.167
- 185.220.101.169
- 185.220.101.180
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 195.47.238.178
- 195.47.238.83
- 194.15.36.117
Detections
- Monitor software supply chain for unauthorized modifications to build pipelines or package registries
- Detect broad file system enumeration or searching across SharePoint, code repos, and internal wikis
- Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads