{
	"id": "0ab95bcd-2c2a-46fc-9ed4-a2772aed1534",
	"created_at": "2026-04-06T00:09:46.166167Z",
	"updated_at": "2026-04-10T03:34:28.324779Z",
	"deleted_at": null,
	"sha1_hash": "99ae3b80c67ccc6c0aca3f85494425bfcdf9cbf7",
	"title": "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70688,
	"plain_text": "Widespread Data Theft Targets Salesforce Instances via Salesloft\r\nDrift\r\nBy Google Threat Intelligence Group, Mandiant\r\nPublished: 2025-08-26 · Archived: 2026-04-05 13:28:34 UTC\r\nWritten by: Austin Larsen, Matt Lin, Tyler McLellan, Omar ElAhdan\r\nUpdate (August 28)\r\nBased on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce\r\nintegration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to\r\ntreat any and all authentication tokens stored in or connected to the Drift platform as potentially\r\ncompromised.\r\nOn August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the \"Drift\r\nEmail\" integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number\r\nof Google Workspace accounts. The only accounts that were potentially accessed were those that had been\r\nspecifically configured to integrate with Salesloft Drift; the actor would not have been able to access any other\r\naccounts on a customer's Workspace domain.\r\nIn response to these findings and to protect our customers, Google identified the impacted users, revoked the\r\nspecific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between\r\nGoogle Workspace and Salesloft Drift pending further investigation. We are notifying all impacted Google\r\nWorkspace administrators.\r\nTo be clear, there has been no compromise of Google Workspace or Alphabet itself. Google has not been a\r\nSalesloft Drift customer, and therefore is not impacted. 
Any inquiries regarding potential breach impact should be\r\ndirected to Salesloft or its customers.\r\nWe recommend organizations take immediate action to review all third-party integrations connected to their Drift\r\ninstance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of\r\nunauthorized access. \r\nSalesloft has now engaged Mandiant to assist in their investigation. See Salesloft’s updated advisory for more\r\ndetails.\r\nIntroduction \r\nGoogle Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data\r\ntheft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift\r\nPage 1 of 6\n\nAug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated\r\nwith the Salesloft Drift third-party application.\r\nThe actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG\r\nassesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor\r\nsearched through the data to look for secrets that could be potentially used to compromise victim environments.\r\nGTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys\r\n(AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness\r\nby deleting query jobs, however logs were not impacted and organizations should still review relevant logs for\r\nevidence of data exposure.\r\nBased on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not\r\nimpacted by this campaign.\r\nOn Aug. 
	20, 2025 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the\r\nDrift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until\r\nfurther notice pending further investigation. This issue does not stem from a vulnerability within the core\r\nSalesforce platform.\r\nGTIG, Salesforce, and Salesloft have notified impacted organizations.\r\nThreat Detail\r\nThe threat actor executed queries to retrieve information associated with Salesforce objects such as Cases,\r\nAccounts, Users, and Opportunities. For example, the threat actor ran the following sequence of queries to get a\r\nunique count from each of the associated Salesforce objects.\r\nSELECT COUNT() FROM Account;\r\nSELECT COUNT() FROM Opportunity;\r\nSELECT COUNT() FROM User;\r\nSELECT COUNT() FROM Case;\r\nQuery to Retrieve User Data\r\nSELECT Id, Username, Email, FirstName, LastName, Name, Title, CompanyName,\r\nDepartment, Division, Phone, MobilePhone, IsActive, LastLoginDate,\r\nCreatedDate, LastModifiedDate, TimeZoneSidKey, LocaleSidKey,\r\nLanguageLocaleKey, EmailEncodingKey\r\nFROM User\r\nWHERE IsActive = true\r\nORDER BY LastLoginDate DESC NULLS LAST\r\nLIMIT 20\r\nQuery to Retrieve Case Data\r\nSELECT Id, IsDeleted, MasterRecordId, CaseNumber \u003csnip\u003e\r\nFROM Case\r\nLIMIT 10000\r\nRecommendations\r\nGiven GTIG's observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to\r\nintegrate with third-party platforms (including but not limited to Salesforce) should consider their data\r\ncompromised and are urged to take immediate remediation steps.\r\nImpacted organizations should search for sensitive information and secrets contained within the integrated\r\nplatforms and take appropriate action, such as revoking API keys, rotating credentials, and performing further\r\ninvestigation to determine if the secrets were abused by the threat actor.\r\nInvestigate for Compromise and Scan for Exposed Secrets\r\nReview all third-party integrations associated with an organization's Drift instance (accessible within the\r\nDrift Admin settings page).\r\nWithin each integrated third-party application, search for the IP addresses and User-Agent strings provided\r\nin the IOCs section below. While this list includes IPs from the Tor network that have been observed to\r\ndate, Mandiant recommends a broader search for any activity originating from Tor exit nodes.\r\nReview Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user.\r\nReview authentication activity from the Drift Connected App.\r\nReview UniqueQuery events that log executed SOQL queries.\r\nOpen a Salesforce support case to obtain specific queries used by the threat actor.\r\nSearch Salesforce objects for potential secrets, such as:\r\nAKIA for long-term AWS access key identifiers\r\nSnowflake or snowflakecomputing.com for Snowflake credentials\r\npassword, secret, key to find potential references to credential material\r\nStrings related to organization-specific login URLs, such as VPN or SSO login pages\r\nRun tools like Trufflehog to find secrets and hardcoded credentials.\r\nRevoke and Rotate Credentials\r\nWithin each integrated third-party application, revoke and rotate API keys, credentials, and authentication\r\ntokens associated with third-party application integrations with a Drift instance.\r\nImmediately revoke and rotate any discovered keys or secrets.\r\nReset passwords for associated user accounts.\r\nFor Salesforce integrations, configure session timeout values in Session Settings to limit the lifespan of a\r\ncompromised session.\r\nHarden Access Controls\r\nReview and Restrict Connected App Scopes: Ensure that applications have the minimum necessary\r\npermissions and avoid overly permissive scopes like full access.\r\nEnforce IP Restrictions on the Connected App: In the app's settings, set the \"IP Relaxation\" policy to\r\n\"Enforce IP restrictions.\"\r\nDefine Login IP Ranges: On user profiles, define IP ranges to only allow access from trusted networks.\r\nRemove the \"API Enabled\" Permission: Remove the \"API Enabled\" permission from profiles and grant it\r\nonly to authorized users via a Permission Set.\r\nAdditional instructions and updates are available on the Salesloft Trust Center and Salesforce advisory.\r\nAcknowledgments\r\nWe would like to thank Salesforce, Salesloft, and other trusted partners for their collaboration and assistance in\r\nresponding to this threat.\r\nIOCs\r\nThe following indicators of compromise are available in a Google Threat Intelligence (GTI) collection for\r\nregistered users.\r\nIndicator Value Description\r\nSalesforce-Multi-Org-Fetcher/1.0 Malicious User-Agent string\r\nSalesforce-CLI/1.0 Malicious User-Agent string\r\npython-requests/2.32.4 User-Agent string\r\nPython/3.11 aiohttp/3.12.15 User-Agent string\r\n208.68.36.90 DigitalOcean\r\n44.215.108.109 Amazon Web Services\r\n154.41.95.2 Tor exit node\r\n176.65.149.100 Tor exit node\r\n179.43.159.198 Tor exit node\r\n185.130.47.58 Tor exit node\r\n185.207.107.130 Tor exit node\r\n185.220.101.133 Tor exit node\r\n185.220.101.143 Tor exit node\r\n185.220.101.164 Tor exit node\r\n185.220.101.167 Tor exit node\r\n185.220.101.169 Tor exit node\r\n185.220.101.180 Tor exit node\r\n185.220.101.185 Tor exit node\r\n185.220.101.33 Tor exit node\r\n192.42.116.179 Tor exit node\r\n192.42.116.20 Tor exit node\r\n194.15.36.117 Tor exit node\r\n195.47.238.178 Tor exit node\r\n195.47.238.83 Tor exit node\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift"
	],
	"report_names": [
		"data-theft-salesforce-instances-via-salesloft-drift"
	],
	"threat_actors": [
		{
			"id": "009750b9-c282-49ea-a734-cfdc8e05548c",
			"created_at": "2025-09-06T02:00:03.716038Z",
			"updated_at": "2026-04-10T02:00:03.887986Z",
			"deleted_at": null,
			"main_name": "UNC6395",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6395",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99ae3b80c67ccc6c0aca3f85494425bfcdf9cbf7.pdf",
		"text": "https://archive.orkl.eu/99ae3b80c67ccc6c0aca3f85494425bfcdf9cbf7.txt",
		"img": "https://archive.orkl.eu/99ae3b80c67ccc6c0aca3f85494425bfcdf9cbf7.jpg"
	}
}