Google Cloud Blog
Follow
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Google Threat Intelligence Group (GTIG) has issued an advisory regarding a widespread data theft campaign by actor UNC6395. The campaign, active from August 8th to August 18th, 2025, targeted Salesforce customer instances. UNC6395 exploited compromised OAuth tokens associated with the Salesloft Drift third-party application. The actor systematically exported large volumes of data, primarily aiming to harvest credentials. Specifically, UNC6395 searched for sensitive information like AWS access keys, passwords, and Snowflake tokens. While UNC6395 attempted to cover its tracks by deleting query jobs, logs remain available for forensic analysis. Salesloft has revoked all active tokens for the Drift application and removed it from the Salesforce AppExchange. This incident does not stem from a vulnerability within the core Salesforce platform. GTIG recommends that organizations using Drift with Salesforce consider their data compromised and take immediate remediation steps. These steps include searching for and rotating any discovered secrets, resetting passwords, and hardening access controls for connected applications.