Salesforce Advisory

Posted September 4, 2025

by Sarah



Executive summary

  • Hackers recently broke into Salesloft’s Drift integration with Salesforce and stole login tokens that allowed them to connect to customer Salesforce systems.
  • Using these tokens, the attackers accessed Salesforce data between August 8 and 18, 2025, and focused on stealing credentials such as AWS keys, Snowflake access tokens, and passwords stored in support cases.
  • Salesloft and Salesforce quickly revoked all affected tokens and asked customers using the Drift integration to re-authenticate.
  • A third-party security firm is helping with the investigation, and so far, there is no evidence of ongoing attacker activity.
  • This attack is part of a wider campaign by cybercriminals targeting Salesforce through third-party apps and social engineering.
  • It shows how risks from integrations can expose sensitive data. Customers are advised to rotate credentials, review logs for unusual activity, and apply tighter controls on connected apps to reduce future exposure.

Incident Update

  • From August 8 to August 18, 2025, attackers stole OAuth and refresh tokens from Salesloft’s Drift integration with Salesforce.
  • Using these tokens, the threat actor accessed customer Salesforce environments and ran targeted queries to collect sensitive credentials such as AWS access keys, Snowflake tokens, and passwords stored in support cases.
  • Salesloft and Salesforce revoked all Drift OAuth tokens, requiring customers to re-authenticate their Salesforce connections.
  • A third-party digital forensics and incident response (DFIR) firm has been engaged to investigate and confirm remediation actions.
  • The incident has been linked to a broader wave of Salesforce data theft campaigns carried out by the threat group UNC6395, with possible overlap to ShinyHunters/Scattered Spider.
  • These actors are known to use social engineering and malicious OAuth apps to gain access to corporate Salesforce environments and exfiltrate data for extortion.
  • At this time, findings show that only organizations using the Drift–Salesforce integration were affected, and there is no evidence of ongoing malicious activity.
  • In coordination with Salesforce, Salesloft revoked all active OAuth and refresh tokens for the Drift application.
  • As a result, customers must re-authenticate their Salesforce connection by navigating to Settings > Integrations > Salesforce, disconnecting the Drift integration, and reconnecting with valid Salesforce credentials.
  • According to Google’s Threat Intelligence team (Mandiant), the threat actor — tracked as UNC6395 — used the stolen OAuth tokens to access Salesforce environments. Once inside, the actor executed SOQL queries to extract sensitive data, including:
    • AWS access keys (AKIA identifiers)
    • Passwords and authentication secrets
    • Snowflake-related access tokens
  • The attackers demonstrated operational security awareness by deleting query jobs after execution to reduce visibility. However, Salesforce logs were not deleted, and organizations are advised to review relevant logs for evidence of data exposure.
  • To mask their infrastructure, the attackers leveraged Tor networks and cloud hosting providers such as AWS and DigitalOcean.
  • Known attacker User-Agent strings include:
    • python-requests/2.32.4
    • Python/3.11 aiohttp/3.12.15
    • Salesforce-Multi-Org-Fetcher/1.0
    • Salesforce-CLI/1.0


Threat & Attack Vectors

Threat vector

  • The compromise originated from stolen OAuth and refresh tokens associated with the Drift–Salesforce integration.
  • These tokens acted as the initial entry point, giving attackers legitimate access to Salesforce environments without requiring user credentials or MFA.
  • The trust placed in the Drift application by customers’ Salesforce instances made this an effective delivery channel for the threat.

Attack Vector

  • Using the stolen tokens, the adversary authenticated to Salesforce APIs as if they were the Drift app.
  • They executed SOQL queries to extract sensitive information (AWS access keys, Snowflake tokens, passwords, and other secrets) embedded in Salesforce support cases and objects.
  • To evade detection, the attackers:
    • Deleted query jobs after execution.
    • Used Tor nodes and cloud providers (AWS, DigitalOcean) for infrastructure.
    • Spoofed activity with custom tools and User-Agent strings (python-requests, Salesforce-Multi-Org-Fetcher, etc.).
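As an added example (not from the advisory, Salesloft or Salesforce), the triage below applies the User-Agent list and the Case-harvesting pattern described above to exported API event records. It assumes the export has been normalised to JSON lines with username, user_agent, source_ip, query and rows_processed fields; that layout and the 1000-row threshold are assumptions, not a Salesforce log schema.

```python
import json
import re

# User-Agent strings the advisory lists for the attacker's tooling.
KNOWN_BAD_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Secrets were pulled from support cases via SOQL, so a large read of Case
# (or CaseComment) by the integration user is worth a look even when the
# User-Agent is one we have not seen before.
CASE_READ = re.compile(r"\bFROM\s+Case(?:Comment)?\b", re.IGNORECASE)
ROW_THRESHOLD = 1000  # assumption: set above the org's normal Drift volume


def triage_api_events(lines):
    """Return [(reason, event)] for each JSON-line event that trips a rule.
    Field names are an assumption about how the export was normalised."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("user_agent") in KNOWN_BAD_USER_AGENTS:
            findings.append(("known-attacker-user-agent", ev))
        if CASE_READ.search(ev.get("query", "")) and ev.get("rows_processed", 0) >= ROW_THRESHOLD:
            findings.append(("bulk-case-read", ev))
    return findings


def suspicious_source_ips(findings):
    """Distinct source IPs behind the findings, for session and token review."""
    return sorted({ev.get("source_ip", "?") for _, ev in findings})


# Constructed sample export; usernames, IPs and row counts are made up.
SAMPLE_EVENTS = """\
{"username": "drift@example.com", "user_agent": "Drift/1.0", "source_ip": "203.0.113.10", "query": "SELECT Id, Email FROM Lead LIMIT 50", "rows_processed": 50}
{"username": "drift@example.com", "user_agent": "python-requests/2.32.4", "source_ip": "198.51.100.7", "query": "SELECT Id, Subject, Description FROM Case", "rows_processed": 48213}
{"username": "drift@example.com", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0", "source_ip": "198.51.100.7", "query": "SELECT Id FROM Account LIMIT 10", "rows_processed": 10}
{"username": "support@example.com", "user_agent": "Mozilla/5.0", "source_ip": "203.0.113.55", "query": "SELECT Id, Subject FROM Case WHERE Status = 'New'", "rows_processed": 12}
"""

if __name__ == "__main__":
    hits = triage_api_events(SAMPLE_EVENTS.splitlines())
    for reason, ev in hits:
        print(f"{reason}: {ev['username']} from {ev['source_ip']} ({ev['user_agent']})")
    print("review sessions and tokens used from:", suspicious_source_ips(hits))
```

The integration user appearing with an unexpected User-Agent is the key signal here, since the stolen tokens let the actor act as the Drift app itself.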

Mitigation & Response Actions

Organizations should take immediate steps to reduce risk and prevent further compromise:

  • Re-authenticate Drift–Salesforce Integration
    • Navigate to Settings > Integrations > Salesforce.
    • Disconnect the Drift integration.
    • Reconnect using valid Salesforce credentials.
  • Revoke Tokens & Sessions
    • Ensure all Drift-related OAuth and refresh tokens have been revoked.
    • In Salesforce, terminate any suspicious or unrecognized active sessions.
  • Rotate Credentials
    • Reset all AWS access keys (AKIA), Snowflake tokens, and other authentication material potentially exposed.
    • Rotate Salesforce user passwords and API keys.
  • Harden Access Policies
    • Apply least privilege principles to API integrations.
    • Enforce MFA for all administrative and API accounts.

Recommendations

  1. Re-authenticate Drift–Salesforce integration (per Salesforce instructions).
  2. Rotate credentials (AWS, Snowflake, DB, API keys) if stored in Salesforce cases/records.
  3. Apply least privilege to third-party connected apps.
  4. Periodically review and revoke unused OAuth tokens.
  5. Enforce policies against storing plaintext credentials in Salesforce records.
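As an added example (not part of the advisory), the scanner below finds the kinds of secrets named in steps 2 and 5 in exported Case records so the affected credentials can be rotated and the records cleaned. The Case field names, the password and Snowflake heuristics and the sample records are assumptions; only the AWS access key ID shape is documented by AWS.

```python
import re

# Patterns for the secret types the advisory says were harvested from Case
# records. The AWS key ID shape (AKIA + 16 upper-case alphanumerics) is
# documented by AWS; the other two are heuristics to tune per org (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_token_hint": re.compile(r"(?i)\bsnowflake\b.{0,40}?\b(?:token|key)\b"),
}
TEXT_FIELDS = ("Subject", "Description")  # assumption: free-text fields to scan


def scan_text(text):
    """Return [(kind, matched_text)] for every secret-like hit in text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text or ""):
            hits.append((kind, m.group(0)))
    return hits


def scan_cases(cases):
    """Map Case Id -> hits for every record holding something that must be rotated."""
    report = {}
    for case in cases:
        hits = []
        for field in TEXT_FIELDS:
            hits.extend(scan_text(case.get(field)))
        if hits:
            report[case["Id"]] = hits
    return report


def redact(text):
    """Mask every match so the report can be shared without re-exposing secrets."""
    for pattern in SECRET_PATTERNS.values():
        text = pattern.sub("[REDACTED]", text or "")
    return text


# Constructed sample records; Ids and contents are made up.
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "S3 upload failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE and it returns 403."},
    {"Id": "500000000000002", "Subject": "Login issue",
     "Description": "Temp password: Hunter2! please reset after."},
    {"Id": "500000000000003", "Subject": "Billing question",
     "Description": "Invoice 1042 was charged twice."},
]

if __name__ == "__main__":
    for case_id, hits in scan_cases(SAMPLE_CASES).items():
        print(case_id, [kind for kind, _ in hits])
```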
