Hundreds of Salesforce customer orgs hit in clever attack with potentially huge blast radius
A threat group Google tracks as UNC6395 has pilfered troves of data from Salesforce corporate instances, in search of credentials that can be used to compromise those organizations’ environments.
“[Google Threat Intelligence Group] observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” the company’s incident responders shared.
How did UNC6395 access Salesforce instances?
Salesforce is a cloud-based customer relationship management platform.
To access the targeted organizations’ Salesforce instances, the threat actor first compromised OAuth (access) tokens associated with Salesloft Drift, an AI-driven live chat tool integrated into the Salesloft revenue orchestration platform.
How the attackers got their hands on the OAuth tokens is currently unknown. What is known at the moment is that, from August 8 to August 18, 2025, they used them to exfiltrate data.
“The threat actor executed queries to retrieve information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities,” Salesloft stated on Tuesday. “We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
Those who did should consider their Salesforce data compromised and have been urged to investigate and take remediation steps.
What to do?
“On Aug. 20, 2025 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform,” GTIG researchers added.
Affected organizations have apparently been notified, and both Google and Salesloft have shared indicators of compromise (user-agent strings and IP addresses) organizations can check for.
GTIG has shared additional, specific steps victims can take to find evidence that the attackers accessed their Salesforce instance.
“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure,” they noted.
Organizations that have discovered evidence of compromise should determine which secrets were stored in their Salesforce objects, revoke all API keys and rotate all credentials that had been stashed there.
They should also check whether each of those secrets has been abused in further attacks, i.e., they should look for evidence that the group used them to pivot to other cloud/SaaS systems.
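One way to carry out that first step, as an added example that is not from the article, Salesforce or Salesloft: scan an export of Salesforce object records for the kinds of secrets UNC6395 went after (AWS access key IDs, passwords, Snowflake tokens) so they can be rotated. The AKIA prefix format comes from public AWS documentation; the password and Snowflake checks, the record data and the fake key are constructed assumptions.

```python
import re

# Added example (not from the article or any vendor): find secret-like values in
# exported Salesforce object records so the corresponding credentials can be rotated.
# Patterns are assumptions: AKIA + 16 characters is the documented AWS key-ID shape;
# the password and Snowflake checks are keyword heuristics, not vendor-defined.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?token\s*[:=]\s*(\S+)"),
}

def redact(value: str) -> str:
    # Keep a short prefix only, so findings can be triaged without re-leaking the secret.
    return value[:4] + "..." + "*" * max(0, len(value) - 4)

def scan_record(obj: str, record: dict) -> list:
    """Return one finding per secret-like value in any string field of a record."""
    findings = []
    for field, text in record.items():
        if not isinstance(text, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({
                    "object": obj, "id": record.get("Id"), "field": field,
                    "kind": kind, "value": redact(value),
                })
    return findings

def scan_export(export: dict) -> list:
    """export maps a Salesforce object name to its list of records (e.g. a Bulk API export)."""
    out = []
    for obj, records in export.items():
        for rec in records:
            out.extend(scan_record(obj, rec))
    return out

# Constructed sample data: fake record IDs and a fake key, not real credentials.
SAMPLE_EXPORT = {
    "Case": [
        {"Id": "500AAA000000001", "Description": "Customer pasted creds: AKIAABCDEFGHIJKLMNOP and password: Tr0ub4dor&3"},
        {"Id": "500AAA000000002", "Description": "Cannot log in to portal, please advise."},
    ],
    "Account": [
        {"Id": "001AAA000000003", "Notes": "Snowflake warehouse token=sf_demo_token_value for analytics"},
    ],
}
```

Running scan_export(SAMPLE_EXPORT) yields one redacted finding each for the AWS key, the password and the Snowflake token, and nothing for the clean case.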
Who’s behind the attack?
“What’s most noteworthy about the UNC6395 attacks is both the scale and the discipline. This wasn’t a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments. They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs,” Cory Michal, CSO of SaaS application security firm AppOmni, told Help Net Security.
These characteristics may point to a state-sponsored adversary pursuing a broader mission, especially given that many of the compromised organizations were security and technology companies, he pointed out.
“That makes this not just an isolated SaaS compromise, but potentially the foundation for a much larger campaign aimed at exploiting the trust relationships that exist across the technology supply chain.”
He advised organizations to take a proactive approach to securing their OAuth2 and SaaS-to-SaaS integrations, by assessing which apps are connected and which permissions they have, and by tightening or removing those that are overly broad.
“On the detection side, companies should be ingesting SaaS audit logs, monitoring for unusual query activity or large-scale data exports, and enriching those logs with threat intelligence to spot activity tied to malicious IPs or User-Agent strings. Combining proactive integration governance with continuous monitoring and anomaly detection gives organizations the best chance to catch these campaigns early and minimize impact,” he concluded.
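The detection approach Michal describes, as an added example that is not from the article, AppOmni, Salesforce or Salesloft: a pass over SaaS audit log rows that matches client IPs and User-Agent strings against an indicator list, flags large exports of the objects UNC6395 queried, and flags query-job deletions, which the logs still record. The column names, the indicator values (TEST-NET addresses and a placeholder User-Agent) and the log rows are all constructed; a real deployment would map its tenant's event-log schema and use the IoC lists Google and Salesloft published.

```python
import csv, io

# Added example (not from the article or any vendor): a simple detection pass over
# SaaS audit log rows. Column names, indicator values and the row-count threshold
# are constructed assumptions; substitute the real event-log schema and IoC lists.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}        # placeholders from TEST-NET ranges
IOC_USER_AGENTS = {"placeholder-drift-ua/1.0"}      # placeholder User-Agent string
TARGETED_OBJECTS = {"Case", "Account", "User", "Opportunity"}
EXPORT_ROW_THRESHOLD = 10_000                       # assumed tuning knob

def detect(rows):
    """Return one alert dict per suspicious row. Job deletions are flagged because
    the logs survive them (the article notes UNC6395 deleted its query jobs)."""
    alerts = []
    for r in rows:
        reasons = []
        if r["client_ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if r["user_agent"] in IOC_USER_AGENTS:
            reasons.append("ioc_user_agent")
        rows_processed = int(r["rows"] or 0)
        if r["object"] in TARGETED_OBJECTS and rows_processed >= EXPORT_ROW_THRESHOLD:
            reasons.append("bulk_export")
        if r["operation"] == "delete_job":
            reasons.append("job_deleted")
        if reasons:
            alerts.append({"ts": r["ts"], "user": r["user"], "object": r["object"], "reasons": reasons})
    return alerts

def detect_csv(text):
    """Parse a CSV log export (constructed schema) and run detect() over it."""
    return detect(csv.DictReader(io.StringIO(text)))

# Constructed sample log: one bulk query from an indicator IP, the follow-up job
# deletion, and a benign user query that should not alert.
SAMPLE_LOG = """ts,user,operation,object,rows,client_ip,user_agent
2025-08-09T02:14:03Z,integration@example.com,query,Case,48213,198.51.100.23,placeholder-drift-ua/1.0
2025-08-09T02:15:11Z,integration@example.com,delete_job,Case,0,198.51.100.23,placeholder-drift-ua/1.0
2025-08-09T09:30:00Z,alice@example.com,query,Opportunity,120,192.0.2.10,Mozilla/5.0
"""

if __name__ == "__main__":
    for alert in detect_csv(SAMPLE_LOG):
        print(alert)
```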
Salesforce instances have been compromised left and right this year. The ShinyHunters hackers – a threat group with apparent ties to the Scattered Spider group/collective – have been mounting voice phishing attacks against many high-profile businesses (including Google) and convincing employees to grant a malicious app access to the targeted orgs’ Salesforce instances.
But whether those and these latest attacks are connected in any way is currently unknown.