
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data

📰 4 unique sources, 10 articles

Summary


UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information.

The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The threat actor showed operational-security awareness, deleting its query jobs to cover its tracks. The campaign may indicate a broader supply chain attack strategy.

Salesloft and Salesforce have taken remediation steps. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations, has engaged Mandiant and Coalition for investigation and remediation, and is temporarily taking Drift offline to review the application and build additional security measures. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk.

Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.

Timeline

  1. 04.09.2025 19:52 📰 1 article

    Okta Prevents Salesforce Instance Breach with Enhanced Security Measures

    Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Okta suggests that every SaaS vendor should support the ability to constrain the use of an access token by IP and by client to reduce the value of a stolen access token to an attacker. Okta advises that SaaS vendors should consider whether the permissions available for machine-to-machine integrations are granular enough to reduce the total loss of data arising from the theft of tokens.

  2. 03.09.2025 19:40 📰 2 articles

    Workiva impacted by Salesforce data breach

    The article reiterates that Workiva, a cloud-based SaaS provider, was impacted by the Salesforce data breach. The attackers exfiltrated a limited set of business contact information from Workiva, including names, email addresses, phone numbers, and support ticket content. The breach is part of the ongoing Salesforce data theft campaign linked to the ShinyHunters extortion group. The incident highlights the broader impact of the Salesforce data breaches, affecting numerous high-profile companies and emphasizing the need for vigilance against potential spear-phishing attacks.

  3. 03.09.2025 06:53 📰 2 articles

    Salesloft Temporarily Takes Drift Offline for Security Review

    The article reiterates that Salesloft is temporarily taking Drift offline to comprehensively review the application and build additional security measures. The company is working with cybersecurity partners Mandiant and Coalition for incident response.

  4. 02.09.2025 22:54 📰 3 articles

    Cloudflare Confirms Data Breach in Salesloft Drift Supply Chain Attack

    The article reiterates that the threat actor used Salesloft integration credentials to access Cloudflare's Salesforce instance, ran queries for several days for reconnaissance, and launched a Salesforce Bulk API 2.0 job on August 17 to exfiltrate a database in roughly three minutes.

  5. 01.09.2025 20:00 📰 3 articles

    UNC6395 Campaign Linked to ShinyHunters Extortion Group

    The article reiterates that ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year. The extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances. The threat actor extracted sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.

  6. 29.08.2025 10:24 📰 3 articles

    Google Workspace Email Accounts Accessed by UNC6395

    The article reiterates that the Salesloft supply-chain attack impacted Drift Email, which is used to manage email replies and organize CRM and marketing automation databases. Attackers used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach. Google and Salesforce have temporarily disabled their Drift integrations pending the completion of an investigation.

  7. 27.08.2025 22:05 📰 4 articles

    UNC6395 Campaign Unrelated to Previous ShinyHunters Vishing Attacks

    The article reiterates that Google has not seen any compelling evidence connecting the Salesloft supply chain attacks to the ShinyHunters extortion group.

  8. 27.08.2025 12:39 📰 9 articles

    UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data


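The three traces the timeline describes (a token used from an address the integration never uses, a large Bulk API export, and the job being deleted shortly afterwards) as detection logic over audit events, written as an added example for this page, not as Okta's, Salesforce's or Salesloft's own code. The event fields, app names, IP allowlist and thresholds are constructed and simplified; they are not Salesforce's real event schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical per-integration inbound IP allowlist: the control Okta
# describes. Values are constructed, not any vendor's real ranges.
ALLOWLIST = {"drift-integration": ["203.0.113.0/24"]}

def detect(events, allowlist=ALLOWLIST, delete_window=900, row_threshold=10000):
    """Return (rule, app, ts) alerts for a list of simplified audit events.

    Each event is a dict with ts (epoch seconds), app (connected app using
    the token), ip (source address), action (query, bulk_job_create or
    bulk_job_delete), plus job_id and rows for bulk jobs. This is a
    constructed schema, not Salesforce's own event format.
    """
    alerts = []
    open_jobs = defaultdict(dict)          # app -> job_id -> create event
    for ev in sorted(events, key=lambda e: e["ts"]):
        app = ev["app"]
        nets = [ip_network(n) for n in allowlist.get(app, [])]
        # Token used from outside the integration's allowlisted ranges.
        if nets and not any(ip_address(ev["ip"]) in n for n in nets):
            alerts.append(("token_used_outside_allowlist", app, ev["ts"]))
        if ev["action"] == "bulk_job_create":
            open_jobs[app][ev["job_id"]] = ev
            # Bulk export far larger than this integration normally needs.
            if ev.get("rows", 0) >= row_threshold:
                alerts.append(("bulk_export_over_threshold", app, ev["ts"]))
        elif ev["action"] == "bulk_job_delete":
            created = open_jobs[app].pop(ev["job_id"], None)
            # Job removed soon after creation: the track-covering step.
            if created and ev["ts"] - created["ts"] <= delete_window:
                alerts.append(("bulk_job_deleted_quickly", app, ev["ts"]))
    return alerts

# Constructed sample timeline: recon query from an allowed address, then a
# query, a large bulk export and its deletion from an address not on the list.
T0 = 1_755_000_000
SAMPLE_EVENTS = [
    {"ts": T0, "app": "drift-integration", "ip": "203.0.113.10", "action": "query"},
    {"ts": T0 + 3600, "app": "drift-integration", "ip": "198.51.100.7", "action": "query"},
    {"ts": T0 + 7200, "app": "drift-integration", "ip": "198.51.100.7",
     "action": "bulk_job_create", "job_id": "J1", "rows": 250_000},
    {"ts": T0 + 7380, "app": "drift-integration", "ip": "198.51.100.7",
     "action": "bulk_job_delete", "job_id": "J1"},
    {"ts": T0 + 9000, "app": "reporting-app", "ip": "10.0.0.5",
     "action": "bulk_job_create", "job_id": "J2", "rows": 500},
]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts: three for token use outside the allowlist, one for the oversized export, and one for the job deleted three minutes after it was created; the integration with no allowlist entry and a small job raises nothing.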


Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. Their primary objective was to steal credentials, specifically sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

Model Namespace Reuse Attack Demonstrated Against Google, Microsoft, and Open Source Projects

A new AI supply chain attack method, Model Namespace Reuse, has been demonstrated against Google, Microsoft, and open source projects. This method involves threat actors registering names associated with deleted or transferred models on platforms like Hugging Face, enabling them to deploy malicious AI models and achieve arbitrary code execution. The attack was successfully demonstrated on Google’s Vertex AI and Microsoft’s Azure AI Foundry platforms, as well as on thousands of open source repositories. The attack exploits the fact that developers reference models by name, allowing attackers to register the names of deleted or transferred models and deploy malicious versions. This can lead to unauthorized access to underlying infrastructure and initial access points into user environments. Google, Microsoft, and Hugging Face have been notified, and Google has started daily scans to mitigate the risk. However, the core issue remains a threat to any organization that pulls models by name alone.