Hackers have launched a large-scale attack on Salesforce environments by abusing stolen access tokens. The breach, linked to the Salesloft Drift integration, highlights the growing risks of third-party apps in enterprise platforms.


How the Attack Unfolded

Between August 8 and August 18, 2025, a threat group known as UNC6395 used compromised OAuth tokens to access multiple Salesforce instances. The attackers employed automated queries to collect sensitive information and attempted to cover their tracks by deleting query jobs.

Despite this, system logs remained intact, allowing investigators to retrace the activity.
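The detection angle here is that deleting a bulk query job removes the job, not the audit record of its creation and deletion, so the "collect, then clean up" pattern is still visible to whoever reads the logs. The script below is an added example, not code from the article or from Salesforce: it runs over constructed, simplified event records (the field names ts, app, user, event and obj are this example's own stand-in for event monitoring data, not the real EventLogFile schema) and flags any connected app and user pair that created a burst of bulk query jobs and then deleted most of them shortly afterwards.

```python
"""Flag connected-app sessions that run a burst of bulk queries, then delete the jobs.

Added example, not from the article. The record layout is a constructed,
simplified stand-in for Salesforce event monitoring data; the field names
(ts, app, user, event, obj) and event names are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). The first actor queries four
# objects in under two minutes and deletes all four jobs a few minutes later;
# the second is an ordinary reporting integration that runs one job per day.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:10:05Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryCreate", "obj": "Case"},
    {"ts": "2025-08-09T02:10:40Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryCreate", "obj": "Account"},
    {"ts": "2025-08-09T02:11:12Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryCreate", "obj": "Opportunity"},
    {"ts": "2025-08-09T02:11:50Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryCreate", "obj": "User"},
    {"ts": "2025-08-09T02:15:03Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryDelete", "obj": "Case"},
    {"ts": "2025-08-09T02:15:04Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryDelete", "obj": "Account"},
    {"ts": "2025-08-09T02:15:05Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryDelete", "obj": "Opportunity"},
    {"ts": "2025-08-09T02:15:06Z", "app": "Drift", "user": "integration@example.com", "event": "BulkQueryDelete", "obj": "User"},
    {"ts": "2025-08-09T09:30:00Z", "app": "Reporting", "user": "analyst@example.com", "event": "BulkQueryCreate", "obj": "Account"},
    {"ts": "2025-08-09T11:00:00Z", "app": "Reporting", "user": "analyst@example.com", "event": "BulkQueryDelete", "obj": "Account"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sessions(events, min_queries=3,
                             query_window=timedelta(minutes=10),
                             cleanup_window=timedelta(minutes=30)):
    """Return one alert per (app, user) that created at least min_queries bulk
    query jobs inside query_window and then deleted at least half of those
    jobs within cleanup_window of creating them."""
    by_actor = defaultdict(list)
    for event in events:
        by_actor[(event["app"], event["user"])].append(event)

    alerts = []
    for (app, user), actor_events in by_actor.items():
        actor_events.sort(key=lambda e: parse_ts(e["ts"]))
        creates = [e for e in actor_events if e["event"] == "BulkQueryCreate"]
        deletes = [e for e in actor_events if e["event"] == "BulkQueryDelete"]

        # Densest run of job creations that fits inside the sliding window.
        burst = []
        for i, first in enumerate(creates):
            start = parse_ts(first["ts"])
            window = [c for c in creates[i:] if parse_ts(c["ts"]) - start <= query_window]
            if len(window) > len(burst):
                burst = window
        if len(burst) < min_queries:
            continue

        # Count burst jobs whose object saw a delete shortly after the create.
        cleaned = 0
        for created in burst:
            created_at = parse_ts(created["ts"])
            if any(d["obj"] == created["obj"]
                   and created_at <= parse_ts(d["ts"]) <= created_at + cleanup_window
                   for d in deletes):
                cleaned += 1

        if cleaned / len(burst) >= 0.5:
            alerts.append({
                "app": app,
                "user": user,
                "queries": len(burst),
                "deleted": cleaned,
                "objects": sorted({c["obj"] for c in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_EVENTS):
        print(f"ALERT app={alert['app']} user={alert['user']} "
              f"queries={alert['queries']} deleted={alert['deleted']} objects={alert['objects']}")
```

The thresholds are deliberately parameters: a busy ETL integration may legitimately create many jobs, so tune min_queries and the windows per connected app against a baseline before turning this into an alert rule.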


Data Targeted

The attackers sought to exfiltrate valuable credentials and secrets, including:

  • AWS access keys
  • Snowflake tokens
  • Stored passwords and sensitive configuration details

This information could enable deeper breaches into cloud environments tied to affected Salesforce customers.


Response from Vendors

Salesloft and Salesforce quickly responded after uncovering the campaign. By August 20, 2025, they revoked all active Drift tokens and removed the app from the Salesforce AppExchange.

Security experts urged organizations to:

  • Rotate credentials stored in Salesforce.
  • Audit permissions of connected apps.
  • Remove secrets from Salesforce objects where possible.
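Secrets only end up in the hands of someone querying Case or Account records if they were pasted into those records in the first place, which is why both the list of targeted data above and the advice to remove secrets from Salesforce objects come down to the same practical task: find the credential-shaped strings in your own exported field values before anyone else does. The scanner below is an added example, not the article's or Salesforce's code. It runs over constructed records; the AWS access key ID pattern is the documented AKIA/ASIA format, while the Snowflake and password patterns are keyword heuristics this example assumes rather than any official token format.

```python
"""Scan exported Salesforce field values for credential material.

Added example, not from the article. Records are constructed; the AWS
pattern follows the documented access-key-ID format, and the other two
patterns are keyword heuristics chosen for this example.
"""
import re

# Constructed records (not real data): one clean case, one with a leaked AWS
# key (AWS's documented example key), one with a token labelled as Snowflake,
# and one with a plaintext password in a notes field.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "field": "Description",
     "value": "Customer cannot log in; tried resetting twice."},
    {"object": "Case", "id": "500xx0000000002", "field": "Description",
     "value": "Deploy notes: aws_access_key_id=AKIAIOSFODNN7EXAMPLE and region us-east-1"},
    {"object": "Account", "id": "001xx0000000003", "field": "Integration_Notes__c",
     "value": "snowflake user svc_etl token=sf_tok_constructed_123456"},
    {"object": "Contact", "id": "003xx0000000004", "field": "Notes",
     "value": "temp password: Summer2025! until SSO is fixed"},
]

# (kind, compiled pattern, index of the capture group that holds the secret)
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("snowflake_token",  # heuristic: the word "snowflake" near a token/password assignment
     re.compile(r"(?i)snowflake.{0,60}?\b(?:token|password)\s*[:=]\s*(\S+)"), 1),
    ("password",  # heuristic: password-like label followed by a value of 6+ non-space chars
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"), 1),
]


def mask(secret):
    """Keep enough of the value to locate it, never the whole secret."""
    if len(secret) <= 8:
        return "***"
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_records(records, patterns=PATTERNS):
    """Return one finding per pattern hit: which object, record and field to
    clean up, what kind of secret it looks like, and a masked preview."""
    findings = []
    for rec in records:
        for kind, pattern, group in patterns:
            for match in pattern.finditer(rec["value"]):
                findings.append({
                    "object": rec["object"],
                    "id": rec["id"],
                    "field": rec["field"],
                    "kind": kind,
                    "masked": mask(match.group(group)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['id']} {f['field']}: {f['kind']} -> {f['masked']}")
```

Point it at a Bulk API export or a backup of the objects that hold free text (Case, Account, custom notes fields), and treat every hit as a credential to rotate as well as a field to scrub: the copy in Salesforce may already have been read.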

Mandiant and Google’s Threat Intelligence Group continue to monitor the situation.


Wider Implications

This incident underscores the overlooked risk of OAuth-based integrations. An OAuth token is already the product of a completed login, so once attackers compromise a third-party app and take its tokens, they never face the user's multi-factor authentication prompt and can directly access enterprise platforms with whatever permissions the app was granted.
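Because a connected app's token carries the app's granted scopes rather than the user's interactive login, the questions worth asking of every integration are: how broad are its scopes, how old is its refresh token, is it still used at all, and is it restricted to known IP ranges. The audit below is an added example, not code from the article, Salesforce or Salesloft. It runs over a constructed inventory; the scope names "full", "api" and "refresh_token" follow Salesforce's OAuth scope vocabulary as this example assumes it, and the other fields (last_used, token_issued, ip_restricted) are this example's own representation of what an admin would pull from the connected-app settings.

```python
"""Audit an inventory of connected apps for over-broad or stale OAuth grants.

Added example, not from the article. The inventory is constructed; scope
names follow Salesforce's OAuth scope vocabulary as assumed here, and the
remaining field names are this example's own.
"""
from datetime import date

# Constructed inventory (not real data). The app names are illustrative only.
SAMPLE_APPS = [
    {"name": "Drift", "scopes": ["full", "refresh_token"],
     "last_used": "2025-08-18", "token_issued": "2024-11-02", "ip_restricted": False},
    {"name": "Payroll Sync", "scopes": ["api", "refresh_token"],
     "last_used": "2025-08-20", "token_issued": "2025-07-30", "ip_restricted": True},
    {"name": "Legacy Survey Tool", "scopes": ["api"],
     "last_used": "2025-03-01", "token_issued": "2025-02-15", "ip_restricted": False},
]


def _days_since(day_str, today):
    return (today - date.fromisoformat(day_str)).days


def audit_connected_apps(apps, today, max_token_age_days=90, stale_days=60):
    """Return a list of {name, severity, issues} for every app that breaks a
    least-privilege or hygiene rule. Severity is 'high' when the app holds a
    full-access scope or a long-lived refresh token, otherwise 'medium'."""
    today = date.fromisoformat(today)
    findings = []
    for app in apps:
        issues = []
        high = False

        # Scope breadth: "full" grants everything the user could do.
        if "full" in app["scopes"]:
            issues.append("full-access scope granted; narrow to the scopes actually needed")
            high = True

        # Token age: a refresh token that is never rotated stays valid indefinitely.
        if "refresh_token" in app["scopes"] and _days_since(app["token_issued"], today) > max_token_age_days:
            issues.append(f"refresh token older than {max_token_age_days} days; rotate it")
            high = True

        # Staleness: an unused app is pure attack surface.
        if _days_since(app["last_used"], today) > stale_days:
            issues.append(f"unused for more than {stale_days} days; revoke or remove")

        # Network restriction: limits where a stolen token can be replayed from.
        if not app["ip_restricted"]:
            issues.append("no IP restriction enforced")

        if issues:
            findings.append({"name": app["name"], "severity": "high" if high else "medium", "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_connected_apps(SAMPLE_APPS, today="2025-08-25"):
        print(f"[{f['severity'].upper()}] {f['name']}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```

The useful output is the "high" list: those are the apps where a single stolen token would give an attacker broad, durable access, which is exactly the property this campaign exploited.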

Crucially, Salesforce itself was not breached—the issue stemmed entirely from the compromised Salesloft Drift integration. Still, the attack serves as a reminder that every integration can become a weak point in security.


Conclusion

The Salesforce attack using stolen access tokens demonstrates how vulnerable third-party integrations can undermine enterprise defenses. Stronger monitoring, regular audits, and strict access control are essential to limit risks. For companies relying on SaaS platforms, the message is clear: security must extend beyond the core service to every connected app.
