Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse
Sept. 8, 2025, 11:33 a.m.
Description
A widespread data theft campaign attributed to UNC6395 targeted customers' Salesforce instances through compromised OAuth tokens issued to the Salesloft Drift application. Using those tokens, the actor systematically exported large volumes of data from many corporate Salesforce instances, focusing on harvesting credentials and other sensitive information. The campaign ran from August 8 to August 18, 2025, and touched Salesforce objects including Cases, Accounts, Users, and Opportunities. The actor showed operational security awareness by deleting its query jobs after the exports. Salesloft and Salesforce have since revoked the affected access tokens and removed the Drift application from the Salesforce AppExchange. Impacted organizations are urged to remediate immediately: investigate for compromise (activity from the indicators below, bulk exports of the named objects, and query jobs that were created and then deleted), scan the affected data for exposed secrets, and harden access controls. The IPs listed below are confirmed malicious, but some are Tor exit nodes, so matches on them may include unrelated traffic.
Tags
Date
- Created: Sept. 8, 2025, 10:16 a.m.
- Published: Sept. 8, 2025, 10:16 a.m.
- Modified: Sept. 8, 2025, 11:33 a.m.
Indicators
- 194.15.36.117
- 154.41.95.2
- 176.65.149.100
- 195.47.238.178
- 195.47.238.83
- 192.42.116.20
- 185.130.47.58
- 192.42.116.179
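The following is an added example, not part of this pulse and not Salesforce or Salesloft tooling. It shows the three checks the description calls for: sweeping Salesforce-style log records for the indicators listed above, flagging Bulk API query jobs from those IPs against the named objects (with created-then-deleted jobs called out, matching the actor's opsec), and scanning exported record text for credential-like strings. The log column names (TIMESTAMP, EVENT_TYPE, SOURCE_IP, USER_ID, ENTITY, DETAIL), the sample records, the export text, and the choice of secret patterns are all assumptions made for the example.

```python
"""IOC sweep for the UNC6395 / Salesloft Drift campaign described in this pulse.

Added example, not part of the original pulse or of any Salesforce/Salesloft
tooling. Log field names and sample data are assumptions, not a verified schema.
"""
import re
from datetime import datetime

# IPs exactly as listed in the pulse indicators.
IOC_IPS = frozenset({
    "194.15.36.117", "154.41.95.2", "176.65.149.100", "195.47.238.178",
    "195.47.238.83", "192.42.116.20", "185.130.47.58", "192.42.116.179",
})
# Objects the pulse names as exported, and the campaign window it reports.
TARGET_OBJECTS = {"Case", "Account", "User", "Opportunity"}
WINDOW_START = datetime(2025, 8, 8)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59)

# Constructed sample records (not real telemetry); column names are assumed.
# TIMESTAMP|EVENT_TYPE|SOURCE_IP|USER_ID|ENTITY|DETAIL
SAMPLE_LOG = """\
2025-08-10T02:14:07Z|BulkApi|194.15.36.117|005xx000001AbCd|Case|query job 750xx0000001 created
2025-08-10T02:19:52Z|BulkApi|194.15.36.117|005xx000001AbCd|Case|query job 750xx0000001 deleted
2025-08-11T09:02:30Z|Login|10.20.30.40|005xx000009ZyXw|-|success
2025-08-12T17:45:01Z|BulkApi|185.130.47.58|005xx000001AbCd|User|query job 750xx0000002 created
2025-08-20T11:00:00Z|BulkApi|192.42.116.20|005xx000001AbCd|Account|query job 750xx0000003 created
2025-08-13T04:30:12Z|ApiTotalUsage|203.0.113.9|005xx000009ZyXw|Opportunity|SOQL
"""
FIELDS = ("TIMESTAMP", "EVENT_TYPE", "SOURCE_IP", "USER_ID", "ENTITY", "DETAIL")
JOB_RE = re.compile(r"query job (\S+) (created|deleted)")


def parse_log(text):
    """Turn pipe-separated lines into dicts with a parsed datetime under 'TS'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["TS"] = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_ioc_hits(records):
    """Every record from a pulse IP. A hit is a lead, not proof: the pulse
    notes some of these IPs are Tor exit nodes, so unrelated traffic can match."""
    return [r for r in records if r["SOURCE_IP"] in IOC_IPS]


def find_bulk_exports(records):
    """Bulk API query jobs created from IOC IPs against the objects the pulse
    names. Out-of-window jobs are kept but marked; the window is a reported
    range, not a guarantee."""
    hits = []
    for r in find_ioc_hits(records):
        m = JOB_RE.search(r["DETAIL"])
        if (r["EVENT_TYPE"] == "BulkApi" and r["ENTITY"] in TARGET_OBJECTS
                and m and m.group(2) == "created"):
            hits.append({**r, "JOB_ID": m.group(1),
                         "IN_WINDOW": WINDOW_START <= r["TS"] <= WINDOW_END})
    return hits


def find_deleted_jobs(records):
    """Job IDs created and later deleted from an IOC IP: the query-job
    deletion the pulse attributes to the actor's operational security."""
    created, deleted = set(), set()
    for r in find_ioc_hits(records):
        m = JOB_RE.search(r["DETAIL"])
        if m:
            (created if m.group(2) == "created" else deleted).add(m.group(1))
    return sorted(created & deleted)


# Credential-like patterns to run over exported Case/Account text. Which
# secret formats matter is an assumption; the pulse only says "credentials".
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"\bpassword\s*[:=]\s*\S+", re.IGNORECASE),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed export text; the AWS key is Amazon's documentation example value.
SAMPLE_EXPORT = """\
Case 500xx000001: customer reports login failure, password=Hunter2! shared over chat
Case 500xx000002: pipeline broke after rotating AKIAIOSFODNN7EXAMPLE
Case 500xx000003: attached -----BEGIN RSA PRIVATE KEY----- for debugging
Case 500xx000004: nothing sensitive here
"""


def scan_for_secrets(text):
    """(line number, pattern name, matched text) for each credential-like hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((n, name, m.group(0)))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in find_bulk_exports(recs):
        print("export", h["SOURCE_IP"], h["ENTITY"], h["JOB_ID"], "in_window", h["IN_WINDOW"])
    print("created-then-deleted jobs:", find_deleted_jobs(recs))
    for f in scan_for_secrets(SAMPLE_EXPORT):
        print("secret", *f)
```

Against the constructed sample, the sweep reports three Bulk API exports from IOC IPs (one dated after the reported window, kept but marked), one job that was created and then deleted, and three credential-like strings in the exported Case text. The Tor caveat from the description applies to the IP matches: treat them as leads to be corroborated with the job activity and the user identity tied to the Drift integration, not as proof on their own.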