OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
AI Analysis
Technical Summary
This threat intelligence report highlights a widespread data theft campaign targeting Salesforce instances through exploitation involving Salesloft and Drift platforms. The attack leverages cloud-specific techniques, notably the abuse of the cloud instance metadata API (MITRE ATT&CK T1552.005) and the acquisition of additional cloud credentials (T1098.001). These tactics suggest attackers are exploiting misconfigurations or vulnerabilities in cloud environments hosting Salesforce integrations or related services, enabling them to access sensitive data stored within Salesforce instances. The involvement of Salesloft and Drift indicates that attackers may be using these third-party sales engagement and conversational marketing tools as vectors or pivot points to infiltrate Salesforce environments. The metadata API abuse typically involves querying cloud instance metadata endpoints to retrieve temporary credentials or tokens, which can then be used to escalate privileges or move laterally within the cloud infrastructure. The absence of a patch and known exploits in the wild implies this is an emerging threat, possibly relying on configuration weaknesses or chained exploits rather than a single software vulnerability. The medium severity rating and 50% certainty reflect that while the threat is credible and potentially impactful, full technical details and exploitation scope remain partially unconfirmed. The attack falls under categories of network activity and payload delivery, indicating that attackers may be delivering malicious payloads or commands through network channels, possibly exploiting API integrations or cloud service misconfigurations. Overall, this threat underscores the risks of cloud environment misconfigurations, third-party integration vulnerabilities, and the critical need for robust cloud credential management and monitoring in Salesforce ecosystems integrated with Salesloft and Drift.
Potential Impact
For European organizations, the impact of this threat could be significant given the widespread use of Salesforce as a CRM platform and the increasing adoption of Salesloft and Drift for sales and marketing automation. Data theft from Salesforce instances can lead to exposure of sensitive customer data, intellectual property, and business-critical information, potentially violating GDPR and other data protection regulations, resulting in legal penalties and reputational damage. The compromise of cloud credentials and metadata APIs can also enable attackers to move laterally within cloud environments, escalating privileges and accessing additional resources beyond Salesforce, thereby amplifying the breach impact. This could disrupt business operations, lead to financial losses, and undermine customer trust. Organizations relying heavily on cloud infrastructure and third-party integrations are particularly at risk, as attackers exploit the complex interdependencies and potential misconfigurations. The medium severity suggests that while the threat is not currently exploited at scale, the potential for damage is substantial if attackers successfully execute these techniques. European companies in sectors such as finance, healthcare, and technology, which handle sensitive data and rely on Salesforce ecosystems, may face heightened risks and regulatory scrutiny.
Mitigation Recommendations
To mitigate this threat, European organizations should implement the following specific measures:
1) Conduct thorough audits of cloud instance metadata API access controls to ensure that only authorized services and users can query metadata endpoints, applying the principle of least privilege.
2) Enforce strict credential management policies, including regular rotation of cloud credentials, use of short-lived tokens, and monitoring for anomalous credential usage patterns.
3) Review and harden configurations of Salesloft and Drift integrations with Salesforce, ensuring secure API authentication mechanisms and limiting data access scopes.
4) Deploy continuous monitoring and alerting for unusual network activity related to cloud metadata API calls and credential usage, leveraging cloud-native security tools and SIEM solutions.
5) Implement multi-factor authentication (MFA) and conditional access policies for Salesforce and associated cloud services to reduce the risk of unauthorized access.
6) Conduct regular penetration testing and security assessments focusing on cloud environment configurations and third-party integrations.
7) Educate security and DevOps teams about the risks of metadata API abuse and credential theft to improve detection and response capabilities.
8) Maintain an incident response plan that includes scenarios involving cloud credential compromise and data exfiltration via third-party integrations.
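As an added illustration of the monitoring measure above (example code, not from this report, GTIG, Salesforce or Salesloft), the following Python check rates API access-log rows against the user agents and a few of the IP addresses listed in the Indicators of Compromise section, treating the library-default user agents as weak indicators that only become high severity alongside a known source IP. The CSV column names and the log rows are assumptions constructed for the example.

```python
import csv
import io

# Indicator values copied from this report's IoC tables. The two "weak" user
# agents are library defaults, so alone they only justify a low-severity hit.
STRONG_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
WEAK_USER_AGENTS = {"python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}
SUSPECT_IPS = {"208.68.36.90", "44.215.108.109", "185.220.101.133"}


def classify(source_ip: str, user_agent: str):
    """Return (severity, reason) for one request, or None if nothing matches."""
    reasons = []
    if user_agent in STRONG_USER_AGENTS:
        reasons.append("malicious user agent")
    if source_ip in SUSPECT_IPS:
        reasons.append("known source IP")
    if reasons:
        return "high", " + ".join(reasons)
    if user_agent in WEAK_USER_AGENTS:
        return "low", "weak user-agent indicator, compare with baseline"
    return None


def scan_log(text: str) -> list:
    """Scan CSV log text; assumed columns: TIMESTAMP,USER_NAME,SOURCE_IP,USER_AGENT."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        verdict = classify(row["SOURCE_IP"], row["USER_AGENT"])
        if verdict:
            hits.append({**row, "severity": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample log (not real data): an internal host using a library
# default user agent, two rows matching strong indicators, one normal login.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,SOURCE_IP,USER_AGENT
2025-08-09T02:11:07Z,integration@example.com,10.0.5.21,python-requests/2.32.4
2025-08-09T02:14:52Z,integration@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0
2025-08-09T02:15:30Z,integration@example.com,185.220.101.133,Python/3.11 aiohttp/3.12.15
2025-08-09T08:00:01Z,alice@example.com,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/128.0
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"[{h['severity']}] {h['TIMESTAMP']} {h['USER_NAME']} {h['SOURCE_IP']} "
              f"{h['USER_AGENT']}: {h['reason']}")
```

Low-severity hits from internal hosts are expected for legitimate automation; the value of the check is in the high-severity rows, which name the indicator that fired.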
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland
Technical Details
- Uuid: de0e2e6b-18d8-4237-a852-5877b3ddab58
- Original Timestamp: 1757072192
Indicators of Compromise
IP
Value | Description
---|---
208.68.36.90 | DigitalOcean
44.215.108.109 | Amazon Web Services
154.41.95.2 | Tor exit node
176.65.149.100 | Tor exit node
179.43.159.198 | Tor exit node
185.130.47.58 | Tor exit node
185.207.107.130 | Tor exit node
185.220.101.133 | Tor exit node
185.220.101.143 | Tor exit node
185.220.101.164 | Tor exit node
185.220.101.167 | Tor exit node
185.220.101.169 | Tor exit node
185.220.101.180 | Tor exit node
185.220.101.185 | Tor exit node
185.220.101.33 | Tor exit node
192.42.116.179 | Tor exit node
192.42.116.20 | Tor exit node
194.15.36.117 | Tor exit node
195.47.238.178 | Tor exit node
195.47.238.83 | Tor exit node
User agent
Value | Description
---|---
python-requests/2.32.4 | risk of FP - weak indicator
Python/3.11 aiohttp/3.12.15 | risk of FP - weak indicator
Salesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string
Salesforce-CLI/1.0 | Malicious User-Agent string
Link
- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
Text
Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted and organizations should still review relevant logs for evidence of data exposure.
Based on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign.
On Aug. 20, 2025, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform.
GTIG, Salesforce, and Salesloft have notified impacted organizations.
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- Blog
Threat ID: 68bafb9b919d4c0e2d82ec6c
Added to database: 9/5/2025, 3:02:51 PM
Last enriched: 9/5/2025, 3:03:25 PM
Last updated: 9/5/2025, 11:57:25 PM