A widespread data breach in **Salesforce** was uncovered by Google’s Threat Intelligence Group (GTIG) and Mandiant, orchestrated by the threat actor **UNC6395** between **August 8–18, 2025**. The attackers exploited **stolen OAuth tokens** from the **Salesloft Drift** third-party application, bypassing **Multi-Factor Authentication (MFA)** by abusing non-human identities (NHIs). This allowed them to **systematically exfiltrate large volumes of data** from corporate Salesforce accounts, focusing on **customer accounts, user details, and high-value secrets**—including **AWS access keys, Snowflake tokens, and other credentials**. The breach targeted **sensitive customer data**, with attackers deleting query logs to obscure their activity. While **Google Cloud customers were unaffected**, Salesforce and Salesloft responded by **revoking all Drift app tokens** and temporarily removing the app from the **AppExchange** during investigations. The incident highlights a growing trend of **NHI-based attacks**, where persistent, high-privilege non-human identities are exploited to **steal credentials and escalate access**. Organizations were urged to **harden access controls, rotate compromised keys, and enforce IP restrictions** to mitigate future risks. The breach underscores critical gaps in **identity governance**, as many firms lack even basic inventories of NHIs, leaving them vulnerable to such **covert, high-impact exfiltration campaigns**.
Source: https://hackread.com/google-unc639s-oauth-token-theft-salesforce-breach/
TPRM report: https://www.rankiteo.com/company/salesforce
```json
{
  "id": "sal729082725",
  "linkid": "salesforce",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Multiple corporate Salesforce accounts (exact number undisclosed)",
      "industry": "Technology",
      "location": "Global",
      "name": "Salesforce",
      "size": "Large Enterprise",
      "type": "Cloud CRM Platform"
    },
    {
      "industry": "Sales Engagement",
      "location": "Global",
      "name": "Salesloft (Drift application)",
      "type": "Third-Party SaaS Provider"
    },
    {
      "industry": "Various",
      "location": "Global",
      "name": "Multiple Unnamed Organizations",
      "type": ["Corporate", "Enterprise"]
    }
  ],
  "attack_vector": [
    "OAuth Token Abuse",
    "Non-Human Identity (NHI) Exploitation",
    "Bypassing MFA"
  ],
  "customer_advisories": [
    "Recommendations for credential rotation and access control hardening"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "sensitivity_of_data": "High (includes cloud infrastructure keys and authentication tokens)",
    "type_of_data_compromised": [
      "Customer account data",
      "User data",
      "Opportunities data",
      "Credentials",
      "AWS access keys",
      "Snowflake tokens",
      "High-value secrets"
    ]
  },
  "date_detected": "2025-08-18",
  "date_publicly_disclosed": "2025-08-20",
  "date_resolved": "2025-08-20",
  "description": "A widespread data theft campaign targeting Salesforce was carried out by threat actor UNC6395 between August 8 and August 18, 2025. The attackers bypassed MFA by compromising OAuth tokens from the Salesloft Drift third-party application, exporting large volumes of data from corporate Salesforce accounts. Their primary goal was to harvest credentials and high-value 'secrets' like AWS access keys and Snowflake tokens. The breach was detected and mitigated through revocation of access tokens and removal of the Drift app from Salesforce’s AppExchange.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to unauthorized data access and credential theft",
    "data_compromised": [
      "Customer account data",
      "User data",
      "Opportunities data",
      "AWS access keys",
      "Snowflake tokens",
      "High-value secrets"
    ],
    "identity_theft_risk": "High (due to stolen credentials and secrets)",
    "operational_impact": [
      "Temporary removal of Drift app from Salesforce AppExchange",
      "Revocation of active access tokens"
    ],
    "systems_affected": [
      "Salesforce corporate accounts",
      "Salesloft Drift application"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Compromised OAuth tokens from Salesloft Drift application",
    "high_value_targets": [
      "AWS access keys",
      "Snowflake tokens",
      "Customer/opportunity data"
    ],
    "reconnaissance_period": "Likely conducted prior to August 8, 2025 (exact duration undisclosed)"
  },
  "investigation_status": "Ongoing (as of August 20, 2025)",
  "lessons_learned": [
    "Non-human identities (NHIs) are persistent, high-privilege targets for attackers.",
    "OAuth token abuse can bypass MFA, highlighting the need for stricter access controls.",
    "Organizations often lack visibility into NHIs, increasing risk of exploitation.",
    "Proactive measures (e.g., IP restrictions, secret scanning) are critical to mitigate NHI-based attacks."
  ],
  "motivation": [
    "Data Exfiltration",
    "Credential Harvesting",
    "High-Value Secrets Theft (e.g., AWS keys, Snowflake tokens)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Revoke and rotate compromised OAuth tokens.",
      "Enforce IP restrictions and User-Agent monitoring.",
      "Audit and secure exposed secrets in Salesforce environments.",
      "Implement inventory and governance for NHIs."
    ],
    "root_causes": [
      "Overprivileged non-human identities (NHIs) with persistent access.",
      "Lack of visibility/management of OAuth tokens and connected apps.",
      "Insufficient restrictions on Connected App scopes in Salesforce."
    ]
  },
  "ransomware": {
    "data_exfiltration": true
  },
  "recommendations": [
    "Hardening access controls by restricting Connected App scopes in Salesforce.",
    "Conducting audits to identify and secure exposed secrets within Salesforce data.",
    "Rotating compromised credentials and enforcing least-privilege access for NHIs.",
    "Implementing IP restrictions to limit access to trusted locations.",
    "Monitoring for suspicious IP addresses/User-Agent strings associated with attackers.",
    "Creating an inventory of non-human identities (NHIs) to improve visibility and security."
  ],
  "references": [
    {
      "date_accessed": "2025-08-20",
      "source": "Google Threat Intelligence Group (GTIG) and Mandiant Advisory"
    },
    {
      "date_accessed": "2025-08-20",
      "source": "Astrix Security Blog Post"
    },
    {
      "date_accessed": "2025-08-20",
      "source": "Hackread.com (Jonathan Sander interview)",
      "url": "https://hackread.com"
    }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": [
      "Notifications sent to affected organizations (details undisclosed)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Advisories issued by GTIG/Mandiant",
      "Notifications to affected organizations",
      "Public blog post by Astrix Security"
    ],
    "containment_measures": [
      "Revoked all active access tokens for Drift app (August 20, 2025)",
      "Temporarily removed Drift from Salesforce AppExchange"
    ],
    "enhanced_monitoring": [
      "Checking for specific IP addresses/User-Agent strings linked to attackers"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Restricting Connected App scopes",
      "Searching for exposed secrets in Salesforce data",
      "Rotating compromised credentials",
      "Enforcing IP restrictions"
    ],
    "third_party_assistance": [
      "Google Threat Intelligence Group (GTIG)",
      "Mandiant",
      "Astrix Security"
    ]
  },
  "stakeholder_advisories": [
    "GTIG/Mandiant advisory",
    "Salesforce/Salesloft notifications to affected organizations"
  ],
  "threat_actor": "UNC6395",
  "title": "Widespread Data Breach in Salesforce via OAuth Token Abuse by UNC6395",
  "type": ["Data Breach", "Credential Theft", "Unauthorized Access"],
  "vulnerability_exploited": "Compromised OAuth tokens from Salesloft Drift third-party application (no core Salesforce vulnerability)"
}
```