OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
AI Analysis
Technical Summary
This threat concerns a widespread data theft campaign targeting Salesforce instances by exploiting integrations with Salesloft and Drift platforms. Attackers leverage cloud instance metadata APIs (MITRE ATT&CK T1552.005) and additional cloud credentials (T1098.001) to gain unauthorized access to sensitive data stored within Salesforce environments. The metadata API is a cloud service feature that provides instance-specific information, including temporary credentials, which can be abused if improperly secured. By compromising these credentials, attackers can escalate privileges and exfiltrate data from Salesforce instances connected to Salesloft and Drift. The threat is identified through OSINT with a 50% certainty level, indicating moderate confidence but no confirmed active exploitation. No patches or fixes are currently available, and no known exploits have been observed in the wild. The attack vector relies on cloud infrastructure misconfigurations or weak credential management rather than software vulnerabilities. The integration points between Salesforce and Salesloft/Drift represent a critical attack surface, especially for organizations heavily using these SaaS tools in cloud environments. The campaign highlights the risk of cloud metadata API abuse and the importance of securing cloud credentials to prevent lateral movement and data theft. The threat is tagged with network activity and payload delivery, suggesting attackers may use these methods to infiltrate and extract data. The lack of CVSS score necessitates a severity assessment based on impact and exploitability.
Potential Impact
For European organizations, this threat poses significant risks to the confidentiality and integrity of customer and business data stored in Salesforce instances. Successful exploitation could lead to large-scale data breaches, exposing sensitive personal and corporate information, which may result in regulatory penalties under GDPR and damage to reputation. The theft of cloud credentials can enable attackers to move laterally within cloud environments, potentially compromising additional services beyond Salesforce. Organizations relying on Salesloft and Drift integrations are particularly vulnerable, as these platforms may provide additional attack vectors. The disruption to business operations could be moderate if attackers manipulate or delete data, though availability impact appears limited. Given the widespread use of Salesforce across Europe, the threat could affect multiple sectors including finance, healthcare, and retail. The medium severity rating reflects the moderate certainty and current lack of active exploitation, but the potential for significant damage if exploited is high. The threat underscores the need for enhanced cloud security posture management and integration security reviews.
Mitigation Recommendations
European organizations should:
- Implement strict access controls and enforce the principle of least privilege for all cloud credentials, especially those accessible via metadata APIs.
- Regularly audit and monitor cloud instance metadata API usage to detect anomalous or unauthorized access patterns.
- Segregate duties and limit the scope of credentials accessible to Salesloft, Drift, and other third-party integrations.
- Employ multi-factor authentication and conditional access policies for cloud management consoles and SaaS platforms.
- Conduct thorough security assessments of Salesforce integrations to identify and remediate misconfigurations.
- Use cloud security posture management (CSPM) tools to continuously evaluate and enforce secure configurations.
- Implement logging and alerting on suspicious credential usage or data exfiltration attempts.
- Educate IT and security teams on the risks associated with cloud metadata APIs and credential theft.
- Prepare incident response plans specifically addressing cloud credential compromise and data theft scenarios.
- Engage with vendors to track updates or patches related to this threat and apply them promptly once available.
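The logging-and-alerting recommendation above can be turned into a concrete retrospective check using the indicators listed on this page. The script below is an added example for this page, not code from the advisory, GTIG, Salesforce or Salesloft: it scores Salesforce-style API event records against the advisory's IP and User-Agent IoCs, weights the two "weak" User-Agents lower than the two flagged as malicious, and adds weight for bulk exports and query-job deletions (the clean-up behaviour the GTIG text describes). The CSV layout, column names, the `BULK_ROWS` threshold and the sample records are constructed assumptions, not the vendor's event log schema.

```python
"""Match Salesforce-style API event records against the IoCs listed in this advisory.

Added example for this page; it is not code from the advisory, GTIG, Salesforce or
Salesloft. The CSV layout and column names below are a constructed, simplified
stand-in for a Salesforce event log export, not the vendor's schema.
"""
import csv
import io
from collections import defaultdict

# IoC IP addresses from the advisory, with the descriptions the page gives them.
TOR_EXIT_NODES = [
    "154.41.95.2", "176.65.149.100", "179.43.159.198", "185.130.47.58",
    "185.207.107.130", "185.220.101.133", "185.220.101.143", "185.220.101.164",
    "185.220.101.167", "185.220.101.169", "185.220.101.180", "185.220.101.185",
    "185.220.101.33", "192.42.116.179", "192.42.116.20", "194.15.36.117",
    "195.47.238.178", "195.47.238.83",
]
IOC_IPS = {"208.68.36.90": "DigitalOcean", "44.215.108.109": "Amazon Web Services"}
IOC_IPS.update({ip: "Tor exit node" for ip in TOR_EXIT_NODES})

# User-Agent IoCs: the page marks two as malicious and two as weak (false-positive risk).
STRONG_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
WEAK_USER_AGENTS = {"python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}

BULK_ROWS = 100_000  # assumed threshold for a "large volume" export; tune per org

# Constructed sample records (not real log data). Timestamps fall inside the
# Aug. 8-18, 2025 window the advisory names.
SAMPLE_LOG = """\
timestamp,user,source_ip,user_agent,operation,rows_returned
2025-08-10T02:14:05Z,svc-drift@example.com,185.220.101.133,Salesforce-Multi-Org-Fetcher/1.0,BulkQuery,250000
2025-08-10T02:15:11Z,svc-drift@example.com,185.220.101.133,Salesforce-Multi-Org-Fetcher/1.0,DeleteJob,0
2025-08-10T09:00:00Z,alice@example.com,203.0.113.10,Mozilla/5.0,Query,40
2025-08-11T03:44:59Z,svc-drift@example.com,44.215.108.109,python-requests/2.32.4,BulkQuery,180000
2025-08-11T10:30:00Z,bob@example.com,198.51.100.7,python-requests/2.32.4,Query,12
"""


def score_record(rec):
    """Return (score, reasons) for one record. Strong IoCs score 3, weak ones 1."""
    score, reasons = 0, []
    ip, ua = rec["source_ip"], rec["user_agent"]
    if ip in IOC_IPS:
        score += 3
        reasons.append(f"source IP {ip} is a listed IoC ({IOC_IPS[ip]})")
    if ua in STRONG_USER_AGENTS:
        score += 3
        reasons.append(f"User-Agent {ua!r} is flagged as malicious")
    elif ua in WEAK_USER_AGENTS:
        score += 1
        reasons.append(f"User-Agent {ua!r} is a weak indicator (FP risk)")
    if rec["rows_returned"] >= BULK_ROWS:
        score += 1
        reasons.append(f"bulk export of {rec['rows_returned']} rows")
    if rec["operation"] == "DeleteJob":
        score += 1
        reasons.append("query job deleted (the actor removed jobs to hide activity)")
    return score, reasons


def triage(log_text, threshold=3):
    """Parse CSV records and return (record, score, reasons) for those at or above threshold.

    The default threshold means one strong IoC (IP or User-Agent) is enough to
    flag a record, while a weak User-Agent alone is not.
    """
    hits = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        rec["rows_returned"] = int(rec["rows_returned"])
        score, reasons = score_record(rec)
        if score >= threshold:
            hits.append((rec, score, reasons))
    return hits


def users_to_review(hits):
    """Aggregate flagged records per user: rows exported, source IPs and highest score."""
    summary = defaultdict(lambda: {"rows": 0, "max_score": 0, "ips": set()})
    for rec, score, _ in hits:
        entry = summary[rec["user"]]
        entry["rows"] += rec["rows_returned"]
        entry["max_score"] = max(entry["max_score"], score)
        entry["ips"].add(rec["source_ip"])
    return dict(summary)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for rec, score, reasons in flagged:
        print(f"[{score}] {rec['timestamp']} {rec['user']} {rec['operation']}")
        for reason in reasons:
            print("      -", reason)
    for user, info in users_to_review(flagged).items():
        print(f"review {user}: {info['rows']} rows across {sorted(info['ips'])}")
```

Run against the constructed sample, the three records from the Drift service user are flagged (two on a Tor exit node with the malicious User-Agent, one from the AWS address with the weak User-Agent plus a bulk export), while the ordinary `python-requests` query from `bob@example.com` scores 1 and stays below the threshold. Because the actor deleted query jobs but the logs themselves were not affected, this kind of log-side review is what the advisory asks organizations to perform; the per-user summary gives the rows and source addresses to start a scoping conversation from, and the integration user's OAuth tokens and any secrets stored in the exported objects should be treated as exposed.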
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland
Technical Details
- UUID: de0e2e6b-18d8-4237-a852-5877b3ddab58
- Original timestamp: 1757072192
Indicators of Compromise
IP
| Value | Description |
|---|---|
| 208.68.36.90 | DigitalOcean |
| 44.215.108.109 | Amazon Web Services |
| 154.41.95.2 | Tor exit node |
| 176.65.149.100 | Tor exit node |
| 179.43.159.198 | Tor exit node |
| 185.130.47.58 | Tor exit node |
| 185.207.107.130 | Tor exit node |
| 185.220.101.133 | Tor exit node |
| 185.220.101.143 | Tor exit node |
| 185.220.101.164 | Tor exit node |
| 185.220.101.167 | Tor exit node |
| 185.220.101.169 | Tor exit node |
| 185.220.101.180 | Tor exit node |
| 185.220.101.185 | Tor exit node |
| 185.220.101.33 | Tor exit node |
| 192.42.116.179 | Tor exit node |
| 192.42.116.20 | Tor exit node |
| 194.15.36.117 | Tor exit node |
| 195.47.238.178 | Tor exit node |
| 195.47.238.83 | Tor exit node |
User agent
| Value | Description |
|---|---|
| python-requests/2.32.4 | risk of FP - weak indicator |
| Python/3.11 aiohttp/3.12.15 | risk of FP - weak indicator |
| Salesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string |
| Salesforce-CLI/1.0 | Malicious User-Agent string |
Link
- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
Text
- Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted and organizations should still review relevant logs for evidence of data exposure. Based on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign. On Aug. 20, 2025, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform. GTIG, Salesforce, and Salesloft have notified impacted organizations.
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- Blog
Threat ID: 68bafb9b919d4c0e2d82ec6c
Added to database: 9/5/2025, 3:02:51 PM
Last enriched: 12/2/2025, 2:55:51 PM
Last updated: 1/18/2026, 11:08:45 PM
Views: 239