
Salesforce Customers Targeted in New Data Hacks Through Salesloft Drift

By Henry Martin

Salesforce customers have been targeted in yet another data theft campaign – this time carried out through the third-party application, Salesloft Drift. 

Google Threat Intelligence Group (GTIG) says the widespread data theft campaign, which started as early as August 8 and ran until at least August 18, was carried out by the actor tracked as ‘UNC6395’ – a different designation than that given to the ‘ShinyHunters’ group, said to be responsible for several recent social engineering attacks.

In this instance, hackers targeted Salesforce instances through compromised OAuth tokens associated with Salesloft Drift, and then systematically exported “large volumes of data” from numerous corporate Salesforce instances, according to GTIG. 

The primary intent of the threat actor was to “harvest credentials”, Google says. Once inside a Salesforce instance, the attackers searched the exported data for secrets that could be used to compromise other systems integrated with Salesforce. 

Salesloft Drift Hack: What Happened? 

UNC6395 targeted sensitive credentials like Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. They demonstrated “operational security awareness” by deleting query jobs, Google says, but the logs were not impacted; organizations should still review relevant logs for evidence of data exposure.

GTIG said that there is no evidence indicating a direct impact on Google Cloud customers, but any customers who use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys.

On August 20, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens with the Drift application.

Salesforce also removed the Drift application from the Salesforce AppExchange until further notice and pending further investigation. 

This issue does not stem from a vulnerability within the core Salesforce platform.

Salesloft indicated that customers who do not integrate with Salesforce are not impacted by the campaign. 

GTIG, Salesforce, and Salesloft have notified impacted organizations.

On August 20, Salesloft posted a notification revealing they had detected a ‘security issue’ in the Drift application.

On August 26, Salesloft posted a security update concerning the Drift integration with Salesforce. They wrote: “From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified.

“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. 

“We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident.”

Salesloft also revealed that they have hired a third-party digital forensics and incident response (DFIR) firm to assist in their investigation and ensure all appropriate remediation steps have been taken.

GTIG made available a list of indicators of compromise (IOCs), including IP addresses and the following User-Agent Strings:

  • python-requests/2.32.4
  • Salesforce-Multi-Org-Fetcher/1.0
  • Python/3.11 aiohttp/3.12.15

The hacker executed queries to retrieve information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities. 

Here are two sample queries, but Salesloft stresses that this is not an exhaustive list:

  • Crawl of common fields for Case objects: SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= :x ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000
  • Mining a field in Case objects for known secret patterns: SELECT Id FROM Case WHERE SuppliedEmail LIKE :x LIMIT 1000

Pictured: The threat actor ran this sequence of queries to get a unique count from each of the associated Salesforce objects. Credit: Google

What to Do if Compromised

Google recommends that organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and take immediate remediation steps. 

Organizations that have been impacted should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, like revoking API keys, rotating credentials, and performing further investigation to find out if the threat actor abused the secrets.

Harden access controls by reviewing and restricting connected app scopes, making sure that applications have the minimum necessary permissions – and avoiding overly permissive scopes like full access.

Enforce IP restrictions on the connected app by setting the ‘IP Relaxation’ policy to ‘Enforce IP restrictions’ in the app’s settings.

On user profiles, define IP ranges to only allow access from trusted networks.

Remove the ‘API Enabled’ permission from profiles and only grant it to authorized users through a Permission Set.
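The two review tasks Google describes above, checking API logs for the published User-Agent strings and searching exported Salesforce objects for secrets such as AWS access keys, are shown below as an added example; this is not code from Google, Salesloft or Salesforce. It assumes a simplified CSV log layout and constructed Case records, not Salesforce's actual EventLogFile schema.

```python
import csv
import io
import re

# User-Agent strings published by GTIG as indicators for UNC6395 (from the article).
IOC_USER_AGENTS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
}

# AWS access key IDs are "AKIA" followed by 16 uppercase letters or digits.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample API log in a simplified CSV layout (NOT Salesforce's real
# EventLogFile schema); the first two rows mimic the queries quoted in the article.
SAMPLE_LOG = """timestamp,user_agent,source_ip,connected_app,query
2025-08-09T02:14:11Z,Salesforce-Multi-Org-Fetcher/1.0,203.0.113.10,Drift,"SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= :x ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000"
2025-08-09T02:14:30Z,Python/3.11 aiohttp/3.12.15,203.0.113.10,Drift,"SELECT Id FROM Case WHERE SuppliedEmail LIKE :x LIMIT 1000"
2025-08-09T09:00:02Z,Mozilla/5.0 (Windows NT 10.0),198.51.100.7,Drift,"SELECT Id, Name FROM Account LIMIT 50"
"""

# Constructed Case records standing in for an export of the Case object.
SAMPLE_CASES = [
    {"Id": "500xx0000000001", "Description": "Customer pasted AKIAIOSFODNN7EXAMPLE into the ticket"},
    {"Id": "500xx0000000002", "Description": "Login page shows a blank screen"},
]


def flag_ioc_requests(log_text):
    """Rows whose User-Agent equals one of the published IOC strings."""
    return [row for row in csv.DictReader(io.StringIO(log_text))
            if row["user_agent"] in IOC_USER_AGENTS]


def ips_using_ioc_agents(log_text):
    """Distinct source IPs behind IOC-tagged requests, for firewall review."""
    return sorted({row["source_ip"] for row in flag_ioc_requests(log_text)})


def find_exposed_aws_keys(cases, field="Description"):
    """(Case Id, key) pairs for every AWS access key ID found in a text field.
    Any hit must be treated as compromised and rotated."""
    hits = []
    for case in cases:
        for key in AWS_KEY_RE.findall(case.get(field, "")):
            hits.append((case["Id"], key))
    return hits


if __name__ == "__main__":
    print("IOC requests:", len(flag_ioc_requests(SAMPLE_LOG)))
    print("Source IPs to review:", ips_using_ioc_agents(SAMPLE_LOG))
    print("Exposed AWS keys:", find_exposed_aws_keys(SAMPLE_CASES))
```

In a real review, the same functions would be run over the org's exported API event logs and over every text field of the objects the actor queried (Cases, Accounts, Users, Opportunities), extending the regex set to the other secret types named in the article.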


Final Thoughts

This appears to be yet another hacking campaign targeting Salesforce customers. Similar to the Data Loader incidents, Salesforce stresses that the issue did not stem from a vulnerability within the core Salesforce platform. In this instance, it came from “a compromise of the app’s connection”.

At this point, it seems fair to say that security should be at the forefront of every Salesforce Administrator’s mind right now. 

The Author

Henry Martin

Henry is a Tech Reporter at Salesforce Ben.
