{"id":2508,"date":"2025-08-27T08:53:39","date_gmt":"2025-08-27T08:53:39","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/08\/27\/new-data-theft-campaign-targets-salesforce-via-salesloft-app\/"},"modified":"2025-08-27T08:53:39","modified_gmt":"2025-08-27T08:53:39","slug":"new-data-theft-campaign-targets-salesforce-via-salesloft-app","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/08\/27\/new-data-theft-campaign-targets-salesforce-via-salesloft-app\/","title":{"rendered":"New Data Theft Campaign Targets Salesforce via Salesloft App"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-6335f8ba-6d4d-4695-8c1a-396e99b32a1e\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Salesforce customers have again been targeted in a \u201cwidespread data theft campaign,\u201d this time via compromised OAuth tokens associated with the\u00a0third-party Salesloft Drift application.<\/p>\n<p>Salesloft Drift integrates with Salesforce to help sales and marketing teams collaborate on projects. Salesloft issued a security alert on August 20 revealing it had detected a security issue and \u201cproactively revoked connections between Drift and Salesforce.\u201d<\/p>\n<p>However, the firm had little more to say on the matter until Google Threat Intelligence Group (GTIG) lifted the lid on Tuesday August 26.<\/p>\n<p>It said a threat actor tracked as UNC6395 had targeted \u201cnumerous\u201d Salesforce customer instances between August 8 and August 18, systematically exfiltrating large volumes of data. 
Some experts have suggested that \u201chundreds\u201d\u00a0of customers may have been impacted.<\/p>\n<p>\u201cGTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,\u201d Google explained.<\/p>\n<p>\u201cGTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.\u201d<\/p>\n<p>Google warned any Salesforce customers using Drift to assume their Salesforce data is now compromised and to take immediate steps to remediate.<\/p>\n<p>\u201cImpacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor,\u201d it added.<\/p>\n<p>Because Salesloft revoked all active access and refresh tokens for the Drift app, admins will need to reauthenticate their Salesforce connection, Salesloft clarified\u00a0in an update yesterday. The firm has hired an incident response specialist to carry out an investigation.<\/p>\n<p>Salesforce has removed the Drift app from its Salesforce AppExchange while an investigation is underway.<\/p>\n<p>The news comes as more victim names emerge from a parallel data extortion campaign targeting Salesforce instances via vishing attacks. 
Reports suggest the latest company to fall victim to the ShinyHunters group is US insurer Farmers Insurance, whose website was offline at the time of writing.<\/p>\n<h2>Experts Suspect State Actor<\/h2>\n<p>Cory Michal, CSO of AppOmni, argued that the Salesloft attacks could be the work of a nation state, given the scale of the compromise and the coordinated nature of the campaign.<\/p>\n<p>\u201cWhat\u2019s most noteworthy about the UNC6395 attacks is both the scale and the discipline. This wasn\u2019t a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments,\u201d he explained.<\/p>\n<p>\u201cThey demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials\u00a0and even attempting to cover their tracks by deleting jobs. The combination of scale, focus\u00a0and tradecraft makes this campaign stand out.\u201d<\/p>\n<p>Jonathan Sander, field CTO at Astrix Security, added that the campaign highlights the challenge of protecting non-human identities (NHIs).<\/p>\n<p>\u201cThe Salesloft Drift token breach is a classic NHI attack. Steal things humans won\u2019t notice because humans don\u2019t use them, and operate in the shadows for as long as you can. And then they use that to steal even more NHI assets to do it again and again,\u201d Sander argued.<\/p>\n<p>\u201cSadly, most of the time what we see is that people don\u2019t know what they don\u2019t know about their NHIs. 
They haven\u2019t even built a basic inventory of what these bad guys are going after.\u201d<\/p>\n<\/p><\/div>\n<p>Image\u00a0credit: Tada Images \/ Shutterstock.com<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Salesforce customers have again been targeted in a \u201cwidespread data theft campaign,\u201d this time via compromised OAuth tokens associated with the\u00a0third-party Salesloft Drift application. Salesloft Drift integrates with Salesforce to help sales and marketing teams collaborate on projects. Salesloft issued a security alert on August 20 revealing it had detected a security issue and \u201cproactively<\/p>\n","protected":false},"author":2,"featured_media":2509,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-4
4de-980e-700ffe6d1d1e.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2508-5e8c704d-198d-44de-980e-700ffe6d1d1e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2508"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2509"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}