
Data Breaches

Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign

Google says the hackers systematically exported corporate data, focusing on secrets such as AWS and Snowflake keys. The post Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign appeared first on SecurityWeek.


Hackers stole data from hundreds of Salesforce customer instances in a widespread campaign earlier this month, Google Threat Intelligence Group (GTIG) warns.

The attacks did not exploit a vulnerability in the core Salesforce platform. Instead, they used compromised OAuth tokens belonging to Salesloft Drift, a third-party AI chatbot that integrates with Salesforce, which gave the attackers the integration's own API access to customer instances.

The campaign, GTIG says, was carried out by a threat actor tracked as UNC6395 between August 8 and August 18, 2025.

“The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials,” Google’s threat intelligence unit says.

UNC6395 was seen searching the stolen information for secrets and sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens.

“The threat actor used a Python tool to automate the data theft process for each organization that was targeted,” GTIG principal threat analyst Austin Larsen told SecurityWeek.

Salesloft, which shared indicators of compromise (IOCs) to help customers identify potential compromises, has pointed out that only organizations integrating Drift with Salesforce have been affected by the incident.

Working with Salesforce, Salesloft revoked the tokens for Drift on August 20. Thus, all Drift-Salesforce connections need to be re-authenticated to re-enable the integration.

“We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident,” Salesloft said on Tuesday.

According to GTIG, hundreds of organizations were compromised in these attacks. Salesforce, which has removed Drift from AppExchange, says the hackers accessed only a small number of customer instances via the Drift connection and that all affected customers have been notified.

Organizations integrating Drift with Salesforce should consider their Salesforce data compromised, GTIG says, advising them to hunt for signs of compromise and rotate all credentials and secrets contained within Salesforce objects.
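Rotating "all credentials and secrets contained within Salesforce objects" first requires knowing which secrets were sitting in free-text fields such as case descriptions. The following is an added example, written for this article and not code from GTIG, Salesloft or Salesforce, that scans an export of Salesforce records for the kinds of material the article says UNC6395 searched for (AWS access keys, Snowflake account details, passwords) and turns the hits into a rotation worklist. The record shape, ids, field names and values are constructed for the example; the AWS key pair is the documented placeholder pair from AWS's own documentation.

```python
import re
from collections import Counter

# Constructed sample export. The shape mimics rows pulled from Case and Account
# objects, but ids, fields and values are invented for this example.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500XX0000000001", "Subject": "S3 ingest failing",
     "Description": ("Customer pasted their credentials: AKIAIOSFODNN7EXAMPLE "
                     "secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")},
    {"object": "Case", "Id": "500XX0000000002", "Subject": "Warehouse access",
     "Description": ("Login at acme-xy12345.snowflakecomputing.com as svc_etl, "
                     "password=Wint3r!2025")},
    {"object": "Account", "Id": "001XX0000000003", "Subject": "",
     "Description": "Prefers email. Renewal due Q3."},
    {"object": "Case", "Id": "500XX0000000004", "Subject": "Portal reset",
     "Description": "Temp password: ChangeMe123 sent to the user."},
]

# Free-text fields are where pasted secrets end up; extend per object as needed.
TEXT_FIELDS = ("Subject", "Description")

PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key ids.
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Snowflake account hostnames; the account locator is itself sensitive.
    "SNOWFLAKE_ACCOUNT": re.compile(r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I),
    # "password: x", "pwd=x" and similar; group 1 is the value.
    "PASSWORD": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}
# A 40-character base64-style blob is only treated as an AWS secret key when the
# same field also carries an access key id; on its own it is far too noisy.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def redact(value):
    """Keep a short prefix so the owner can recognise the secret, mask the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(text):
    """Return (kind, value) pairs for every secret-like match in one field."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(1) if m.groups() else m.group(0)))
    if any(kind == "AWS_ACCESS_KEY_ID" for kind, _ in hits):
        for m in AWS_SECRET.finditer(text):
            hits.append(("AWS_SECRET_ACCESS_KEY", m.group(0)))
    return hits


def scan_export(records):
    """Scan every text field of every record; values are redacted in the output."""
    findings = []
    for rec in records:
        for field in TEXT_FIELDS:
            for kind, value in scan_text(rec.get(field) or ""):
                findings.append({"object": rec["object"], "Id": rec["Id"],
                                 "field": field, "kind": kind,
                                 "value": redact(value)})
    return findings


def rotation_worklist(findings):
    """Count of secrets to rotate, by kind, for the incident tracker."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = scan_export(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['object']} {f['Id']} {f['field']}: {f['kind']} {f['value']}")
    print(rotation_worklist(found))
```

Run it over a real Bulk API CSV export by loading each row into the same dict shape and adding the object's long-text fields to `TEXT_FIELDS`. The scanner deliberately reports redacted values only, so the findings list can be shared with application owners without re-spreading the secrets it was written to find.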

“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure,” GTIG notes.
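Deleting a Bulk API query job removes it from the org's job list, not from the API event log, which is the point GTIG makes above. The following added example (written for this article, not code from GTIG or Salesforce) shows the two checks a responder would run over that log for the August 8 to 18 window: total the rows pulled per user, client and object, and join the jobs the log shows being created against the jobs that still exist today, so that a job the actor cleaned up surfaces even when no DELETE request was logged. The sample log and job list are constructed; the column names are loosely modelled on a Salesforce EventLogFile API export but are assumptions, as are the user names, client names and job ids.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Activity window GTIG attributes to UNC6395: August 8 through August 18, 2025.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample log. Column set, users, clients and job ids are assumptions
# for this example and are not taken from any real org or from GTIG's report.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,METHOD_NAME,URI,ENTITY_NAME,ROWS_PROCESSED,JOB_ID
API,2025-08-07T09:12:00.000Z,drift.integration@example.com,Drift,POST,/services/data/v60.0/jobs/query,Lead,0,750A1
API,2025-08-07T09:12:40.000Z,drift.integration@example.com,Drift,GET,/services/data/v60.0/jobs/query/750A1/results,Lead,120,750A1
API,2025-08-10T02:41:00.000Z,drift.integration@example.com,Drift,POST,/services/data/v60.0/jobs/query,Case,0,750B2
API,2025-08-10T02:43:10.000Z,drift.integration@example.com,Drift,GET,/services/data/v60.0/jobs/query/750B2/results,Case,48000,750B2
API,2025-08-10T02:49:00.000Z,drift.integration@example.com,Drift,DELETE,/services/data/v60.0/jobs/query/750B2,Case,0,750B2
API,2025-08-11T03:05:00.000Z,drift.integration@example.com,Drift,POST,/services/data/v60.0/jobs/query,Account,0,750C3
API,2025-08-11T03:09:30.000Z,drift.integration@example.com,Drift,GET,/services/data/v60.0/jobs/query/750C3/results,Account,31000,750C3
API,2025-08-12T10:00:00.000Z,sales.ops@example.com,Data Loader,POST,/services/data/v60.0/jobs/query,Opportunity,0,750D4
API,2025-08-12T10:04:00.000Z,sales.ops@example.com,Data Loader,GET,/services/data/v60.0/jobs/query/750D4/results,Opportunity,2500,750D4
"""

# Constructed: query job ids still present in the org's job list at triage time.
CURRENT_JOBS = {"750A1", "750D4"}


def parse_log(text):
    """Parse the CSV export into dicts with a timezone-aware timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"],
                                    "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return rows


def in_window(row):
    return WINDOW_START <= row["ts"] < WINDOW_END


def export_volume(rows):
    """Rows pulled per (user, client, object) inside the window.
    Result fetches are GETs on a query job's /results URI."""
    totals = defaultdict(int)
    for r in rows:
        if in_window(r) and r["METHOD_NAME"] == "GET" and r["URI"].endswith("/results"):
            totals[(r["USER_NAME"], r["CLIENT_NAME"], r["ENTITY_NAME"])] += r["ROWS_PROCESSED"]
    return dict(totals)


def explicit_deletes(rows):
    """Job deletions the log recorded directly (a DELETE on the job URI)."""
    return sorted({r["JOB_ID"] for r in rows if in_window(r) and r["METHOD_NAME"] == "DELETE"})


def missing_jobs(rows, current_jobs):
    """Jobs created inside the window that are no longer in the job list.
    This catches clean-up even when the DELETE itself was not captured."""
    created = {r["JOB_ID"] for r in rows
               if in_window(r) and r["METHOD_NAME"] == "POST" and r["URI"].endswith("/jobs/query")}
    return sorted(created - set(current_jobs))


def report(rows, current_jobs, min_rows=10000):
    """Triage summary: large in-window pulls plus any job the actor removed."""
    large = {k: v for k, v in export_volume(rows).items() if v >= min_rows}
    return {"large_exports": large,
            "explicit_deletes": explicit_deletes(rows),
            "missing_jobs": missing_jobs(rows, current_jobs)}


if __name__ == "__main__":
    for key, value in report(parse_log(SAMPLE_LOG), CURRENT_JOBS).items():
        print(key, value)
```

On the sample data the Drift integration user's Case and Account pulls cross the row threshold, job 750B2 shows up in both the explicit-delete and missing-job lists, and job 750C3 appears only in the missing-job list, which is the case the join exists for. The Lead export on August 7 falls outside the window and is ignored; in a real investigation the pre-window rows are the baseline to compare the integration's normal volume against.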

*Updated with additional information from GTIG.

Related: Docker Desktop Vulnerability Leads to Host Compromise

Related: Chinese Silk Typhoon Hackers Targeting Multiple Industries in North America

Related: AWS Trusted Advisor Tricked Into Showing Unprotected S3 Buckets as Secure

Related: Australia’s TPG Telecom Investigating iiNet Hack
