OSINT - Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
AI Analysis
Technical Summary
This threat involves widespread data theft targeting Salesforce instances by exploiting vulnerabilities in integrations with Salesloft and Drift platforms. Attackers leverage techniques associated with the MITRE ATT&CK patterns T1552.005 (Cloud Instance Metadata API) and T1098.001 (Additional Cloud Credentials) to access sensitive credentials and data. The cloud instance metadata API is a known vector for attackers to retrieve temporary credentials or tokens assigned to cloud instances, which can then be used to escalate privileges or move laterally within cloud environments. By compromising Salesloft and Drift integrations, attackers can gain unauthorized access to Salesforce data, potentially extracting customer information, business intelligence, and other sensitive data. The threat is currently classified as medium severity with a 50% certainty, indicating moderate confidence in the intelligence. No patches or direct fixes are available, and no confirmed exploits have been observed in the wild, suggesting this is an emerging or potential threat rather than an active widespread campaign. The attack does not require user interaction once the initial access is gained, and it exploits cloud-native features and third-party integrations, making detection challenging without proper monitoring. The threat is tagged with references to Google Cloud blog sources and involves network activity and payload delivery, indicating that attackers may use network-based methods to exfiltrate data after credential compromise.
Potential Impact
For European organizations, the impact of this threat could be significant, especially for those heavily reliant on Salesforce CRM integrated with Salesloft and Drift. Unauthorized access to Salesforce data can lead to loss of confidentiality of sensitive customer and business information, potential regulatory violations under GDPR, and reputational damage. The theft of cloud credentials can enable attackers to move laterally within cloud environments, potentially compromising additional services and data. This could disrupt business operations if critical data is exfiltrated or manipulated. The threat also increases the risk of further attacks such as phishing or fraud using stolen data. Given the widespread use of Salesforce and cloud services in Europe, the potential scope of affected systems is large. The ease of exploiting cloud metadata APIs without requiring user interaction or authentication elevates the risk profile. Organizations may face compliance and legal consequences if data breaches occur, amplifying the operational and financial impact.
Mitigation Recommendations
European organizations should:
- Implement strict access controls and least-privilege principles for cloud metadata APIs and third-party integrations such as Salesloft and Drift.
- Regularly audit and monitor cloud instance metadata API access logs for anomalous or unauthorized requests.
- Employ network segmentation and micro-segmentation to limit lateral movement within cloud environments.
- Use strong authentication and authorization mechanisms for all integrated applications and rotate credentials frequently.
- Implement anomaly detection to identify unusual data access or exfiltration patterns.
- Review and restrict the permissions granted to Salesloft and Drift integrations to only what is necessary.
- Conduct regular security assessments and penetration testing focused on cloud integrations and metadata API exposure.
- Educate security teams on the risks associated with cloud metadata APIs and credential theft techniques.
- Prepare incident response plans that specifically address cloud credential compromise and data exfiltration scenarios.
- Consider deploying cloud security posture management (CSPM) tools to continuously assess and remediate configuration risks.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland
Technical Details
- Uuid: de0e2e6b-18d8-4237-a852-5877b3ddab58
- Original Timestamp: 1757072192
Indicators of Compromise
IP
| Value | Description |
|---|---|
| 208.68.36.90 | DigitalOcean |
| 44.215.108.109 | Amazon Web Services |
| 154.41.95.2 | Tor exit node |
| 176.65.149.100 | Tor exit node |
| 179.43.159.198 | Tor exit node |
| 185.130.47.58 | Tor exit node |
| 185.207.107.130 | Tor exit node |
| 185.220.101.133 | Tor exit node |
| 185.220.101.143 | Tor exit node |
| 185.220.101.164 | Tor exit node |
| 185.220.101.167 | Tor exit node |
| 185.220.101.169 | Tor exit node |
| 185.220.101.180 | Tor exit node |
| 185.220.101.185 | Tor exit node |
| 185.220.101.33 | Tor exit node |
| 192.42.116.179 | Tor exit node |
| 192.42.116.20 | Tor exit node |
| 194.15.36.117 | Tor exit node |
| 195.47.238.178 | Tor exit node |
| 195.47.238.83 | Tor exit node |
User agent
| Value | Description |
|---|---|
| python-requests/2.32.4 | risk of FP - weak indicator |
| Python/3.11 aiohttp/3.12.15 | risk of FP - weak indicator |
| Salesforce-Multi-Org-Fetcher/1.0 | Malicious User-Agent string |
| Salesforce-CLI/1.0 | Malicious User-Agent string |
Link
| Value | Description |
|---|---|
| https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift | — |
Text
Advisory text (from the linked GTIG post):
Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted and organizations should still review relevant logs for evidence of data exposure.
Based on data available at the time, Salesloft indicated that customers that do not integrate with Salesforce are not impacted by this campaign.
On Aug. 20, 2025 Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application. In addition, Salesforce removed the Drift application from the Salesforce AppExchange until further notice pending further investigation. This issue does not stem from a vulnerability within the core Salesforce platform.
GTIG, Salesforce, and Salesloft have notified impacted organizations.
Other text values:
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- Blog
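As an added detection example (not code from this page's source or from GTIG), the script below matches log records against the IP and User-Agent indicators listed in the tables above, treating the two generic Python User-Agents as weak signals that only escalate when paired with a bulk export record. The CSV layout, the `bulk_query` event name and the sample records are assumptions constructed for the example.

```python
import csv
import io
from typing import List, Optional, Tuple

# Indicator values are the IPs and User-Agent strings from the tables above.
IOC_IPS = {
    "208.68.36.90", "44.215.108.109", "154.41.95.2", "176.65.149.100",
    "179.43.159.198", "185.130.47.58", "185.207.107.130", "185.220.101.133",
    "185.220.101.143", "185.220.101.164", "185.220.101.167", "185.220.101.169",
    "185.220.101.180", "185.220.101.185", "185.220.101.33", "192.42.116.179",
    "192.42.116.20", "194.15.36.117", "195.47.238.178", "195.47.238.83",
}
STRONG_UAS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}
WEAK_UAS = {"python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15"}


def classify(source_ip: str, user_agent: str, event: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one record, or None when nothing matched."""
    ua = user_agent.strip()
    if ua in STRONG_UAS:
        return "high", f"malicious User-Agent {ua!r}"
    if source_ip in IOC_IPS:
        return "high", f"source IP {source_ip} is a listed indicator"
    if ua in WEAK_UAS:
        # The two weak User-Agents are common tooling (FP risk): only treat them as
        # medium when the record is a bulk export, otherwise queue for review.
        sev = "medium" if event == "bulk_query" else "review"
        return sev, f"weak User-Agent {ua!r} on event {event}"
    return None


def scan(csv_text: str) -> List[Tuple[int, str, str]]:
    """Scan CSV text with columns timestamp,source_ip,user_agent,event (a constructed
    layout, not Salesforce's real event log schema); returns (record, severity, reason)."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        result = classify(row["source_ip"], row["user_agent"], row["event"])
        if result:
            hits.append((n, *result))
    return hits


# Constructed sample records, not taken from any real tenant.
SAMPLE = """timestamp,source_ip,user_agent,event
2025-08-09T01:12:00Z,185.220.101.33,Salesforce-Multi-Org-Fetcher/1.0,bulk_query
2025-08-09T01:15:00Z,10.0.0.5,python-requests/2.32.4,bulk_query
2025-08-09T02:00:00Z,10.0.0.6,python-requests/2.32.4,login
2025-08-09T02:05:00Z,10.0.0.7,Mozilla/5.0,login
"""
```

Running `scan(SAMPLE)` yields one high hit (record 1), one medium hit (record 2) and one review item (record 3); the ordinary browser login in record 4 produces nothing.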
Threat ID: 68bafb9b919d4c0e2d82ec6c
Added to database: 9/5/2025, 3:02:51 PM
Last enriched: 11/25/2025, 9:55:40 AM
Last updated: 12/2/2025, 1:21:30 AM
Views: 162