OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
AI Analysis
Technical Summary
This threat concerns widespread data theft campaigns targeting Salesforce instances by exploiting vulnerabilities or misconfigurations in Salesloft and Drift integrations. Attackers leverage cloud instance metadata APIs (MITRE ATT&CK T1552.005) and techniques to acquire additional cloud credentials (T1098.001), enabling unauthorized access to sensitive data stored within Salesforce environments. The metadata API is commonly used in cloud platforms to provide instance-specific information and credentials; if improperly secured, it can be abused to escalate privileges or move laterally within cloud environments. Salesloft and Drift are popular sales engagement and conversational marketing platforms that integrate tightly with Salesforce, potentially exposing additional attack surfaces if their authentication or API access is compromised. The threat is based on OSINT with a 50% certainty rating, indicating moderate confidence in the observed activity. No patches or direct fixes are available, and no known exploits in the wild have been confirmed, suggesting the threat may rely on configuration weaknesses or social engineering. The attack could lead to significant data exfiltration, impacting confidentiality and potentially integrity of customer and business data. The lack of detailed technical indicators limits precise detection, but the use of cloud metadata API abuse and credential theft patterns are key technical hallmarks. Organizations relying on Salesforce with Salesloft and Drift integrations should assume risk and enhance monitoring and access controls accordingly.
Potential Impact
For European organizations, this threat poses a risk of unauthorized data access and theft from Salesforce instances, which often contain sensitive customer, financial, and operational data. Compromise of cloud credentials via metadata API abuse can lead to broader cloud environment infiltration, affecting availability and integrity of services. The integration of Salesloft and Drift expands the attack surface, potentially allowing attackers to bypass traditional Salesforce security controls. Data theft can result in regulatory violations under GDPR, leading to significant fines and reputational damage. The medium severity reflects moderate ease of exploitation combined with potentially high impact on confidentiality and business operations. Organizations with extensive cloud deployments and third-party integrations are particularly vulnerable. The threat could disrupt sales and marketing operations, degrade customer trust, and expose intellectual property or personal data. The absence of known exploits suggests the threat may currently be opportunistic or in early stages, but the potential for escalation remains significant.
Mitigation Recommendations
1. Enforce strict access controls and least privilege principles for cloud metadata API access, ensuring only authorized services and users can query instance metadata. 2. Regularly audit and rotate cloud credentials, especially those accessible via third-party integrations like Salesloft and Drift. 3. Implement robust monitoring and alerting for unusual API calls or credential usage patterns indicative of abuse. 4. Harden Salesforce integrations by reviewing OAuth scopes, API permissions, and ensuring secure authentication flows with Salesloft and Drift. 5. Use network segmentation and zero trust principles to limit lateral movement within cloud environments. 6. Conduct regular security assessments and penetration tests focusing on cloud metadata API exposure and third-party integration security. 7. Educate staff on phishing and social engineering risks that could facilitate credential theft. 8. Collaborate with Salesloft, Drift, and Salesforce support to stay informed about security updates and best practices. 9. Employ data loss prevention (DLP) tools to detect and block unauthorized data exfiltration attempts. 10. Maintain incident response plans tailored to cloud and SaaS compromise scenarios.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden
Indicators of Compromise
- ip: 208.68.36.90
- ip: 44.215.108.109
- user-agent: python-requests/2.32.4
- user-agent: Python/3.11 aiohttp/3.12.15
- user-agent: Salesforce-Multi-Org-Fetcher/1.0
- user-agent: Salesforce-CLI/1.0
- ip: 154.41.95.2
- ip: 176.65.149.100
- ip: 179.43.159.198
- ip: 185.130.47.58
- ip: 185.207.107.130
- ip: 185.220.101.133
- ip: 185.220.101.143
- ip: 185.220.101.164
- ip: 185.220.101.167
- ip: 185.220.101.169
- ip: 185.220.101.180
- ip: 185.220.101.185
- ip: 185.220.101.33
- ip: 192.42.116.179
- ip: 192.42.116.20
- ip: 194.15.36.117
- ip: 195.47.238.178
- ip: 195.47.238.83
- link: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
- text: Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure. Based on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign. On Aug. 20, 2025 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform. GTIG, Salesforce, and Salesloft have notified impacted organizations.
- text: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- text: Blog
OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Description
OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
AI-Powered Analysis
Technical Analysis
This threat concerns widespread data theft campaigns targeting Salesforce instances by exploiting vulnerabilities or misconfigurations in Salesloft and Drift integrations. Attackers leverage cloud instance metadata APIs (MITRE ATT&CK T1552.005) and techniques to acquire additional cloud credentials (T1098.001), enabling unauthorized access to sensitive data stored within Salesforce environments. The metadata API is commonly used in cloud platforms to provide instance-specific information and credentials; if improperly secured, it can be abused to escalate privileges or move laterally within cloud environments. Salesloft and Drift are popular sales engagement and conversational marketing platforms that integrate tightly with Salesforce, potentially exposing additional attack surfaces if their authentication or API access is compromised. The threat is based on OSINT with a 50% certainty rating, indicating moderate confidence in the observed activity. No patches or direct fixes are available, and no known exploits in the wild have been confirmed, suggesting the threat may rely on configuration weaknesses or social engineering. The attack could lead to significant data exfiltration, impacting confidentiality and potentially integrity of customer and business data. The lack of detailed technical indicators limits precise detection, but the use of cloud metadata API abuse and credential theft patterns are key technical hallmarks. Organizations relying on Salesforce with Salesloft and Drift integrations should assume risk and enhance monitoring and access controls accordingly.
Potential Impact
For European organizations, this threat poses a risk of unauthorized data access and theft from Salesforce instances, which often contain sensitive customer, financial, and operational data. Compromise of cloud credentials via metadata API abuse can lead to broader cloud environment infiltration, affecting availability and integrity of services. The integration of Salesloft and Drift expands the attack surface, potentially allowing attackers to bypass traditional Salesforce security controls. Data theft can result in regulatory violations under GDPR, leading to significant fines and reputational damage. The medium severity reflects moderate ease of exploitation combined with potentially high impact on confidentiality and business operations. Organizations with extensive cloud deployments and third-party integrations are particularly vulnerable. The threat could disrupt sales and marketing operations, degrade customer trust, and expose intellectual property or personal data. The absence of known exploits suggests the threat may currently be opportunistic or in early stages, but the potential for escalation remains significant.
Mitigation Recommendations
1. Enforce strict access controls and least privilege principles for cloud metadata API access, ensuring only authorized services and users can query instance metadata. 2. Regularly audit and rotate cloud credentials, especially those accessible via third-party integrations like Salesloft and Drift. 3. Implement robust monitoring and alerting for unusual API calls or credential usage patterns indicative of abuse. 4. Harden Salesforce integrations by reviewing OAuth scopes, API permissions, and ensuring secure authentication flows with Salesloft and Drift. 5. Use network segmentation and zero trust principles to limit lateral movement within cloud environments. 6. Conduct regular security assessments and penetration tests focusing on cloud metadata API exposure and third-party integration security. 7. Educate staff on phishing and social engineering risks that could facilitate credential theft. 8. Collaborate with Salesloft, Drift, and Salesforce support to stay informed about security updates and best practices. 9. Employ data loss prevention (DLP) tools to detect and block unauthorized data exfiltration attempts. 10. Maintain incident response plans tailored to cloud and SaaS compromise scenarios.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Uuid
- de0e2e6b-18d8-4237-a852-5877b3ddab58
- Original Timestamp
- 1757072192
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip208.68.36.90 | DigitalOcean | |
ip44.215.108.109 | Amazon Web Services | |
ip154.41.95.2 | Tor exit node | |
ip176.65.149.100 | Tor exit node | |
ip179.43.159.198 | Tor exit node | |
ip185.130.47.58 | Tor exit node | |
ip185.207.107.130 | Tor exit node | |
ip185.220.101.133 | Tor exit node | |
ip185.220.101.143 | Tor exit node | |
ip185.220.101.164 | Tor exit node | |
ip185.220.101.167 | Tor exit node | |
ip185.220.101.169 | Tor exit node | |
ip185.220.101.180 | Tor exit node | |
ip185.220.101.185 | Tor exit node | |
ip185.220.101.33 | Tor exit node | |
ip192.42.116.179 | Tor exit node | |
ip192.42.116.20 | Tor exit node | |
ip194.15.36.117 | Tor exit node | |
ip195.47.238.178 | Tor exit node | |
ip195.47.238.83 | Tor exit node |
User agent
| Value | Description | Copy |
|---|---|---|
user-agentpython-requests/2.32.4 | risk of FP - weak indicator | |
user-agentPython/3.11 aiohttp/3.12.15 | risk of FP - weak indicator | |
user-agentSalesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string | |
user-agentSalesforce-CLI/1.0 | Malicious User-Agent string |
Link
| Value | Description | Copy |
|---|---|---|
linkhttps://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift | — |
Text
| Value | Description | Copy |
|---|---|---|
textGoogle Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.
Based on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign.
On Aug. 20, 2025 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform.
GTIG, Salesforce, and Salesloft have notified impacted organizations. | — | |
textWidespread Data Theft Targets Salesforce Instances via Salesloft Drift | — | |
textBlog | — |
Threat ID: 68bafb9b919d4c0e2d82ec6c
Added to database: 9/5/2025, 3:02:51 PM
Last enriched: 10/13/2025, 12:41:37 AM
Last updated: 10/19/2025, 9:09:55 PM
Views: 97
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.