How Did Hackers Breach Hundreds of Salesforce Customers?

I’m thrilled to sit down with Rupert Marais, our in-house security specialist with a wealth of experience in endpoint and device security, cybersecurity strategies, and network management. Today, we’re diving into a recent, alarming data theft campaign targeting hundreds of Salesforce customers, uncovering how hackers exploited third-party integrations, the nature of the stolen data, and what businesses can do to safeguard themselves. This conversation will explore the intricacies of the attack, the response from involved parties, and critical steps for protecting corporate data in the wake of such incidents.

How did this recent data theft campaign targeting Salesforce customers come to light, and what’s the scale of the impact?

Thanks for having me, Helen. This campaign was first flagged by threat intelligence experts earlier this month, specifically between August 8 and August 18, 2025. It’s a significant incident, with reports indicating that around 700 Salesforce customers had their data compromised. That’s a substantial number of organizations, many of which likely hold sensitive business information, making this a wake-up call for anyone using cloud-based platforms with third-party integrations.

Can you walk us through how the attackers managed to pull off this data theft without exploiting a flaw in Salesforce’s core platform?

Absolutely. The hackers didn’t target Salesforce directly; instead, they exploited compromised OAuth tokens tied to a third-party AI chatbot tool called Drift, which integrates with Salesforce through Salesloft. Essentially, these tokens acted as a backdoor, granting the attackers access to corporate Salesforce instances without needing to breach the platform’s security itself. It’s a classic case of the weakest link being a third-party connection rather than the primary system.

What can you tell us about the group behind these attacks and their primary motivations?

The threat actor responsible is tracked as UNC6395, a group that appears to be highly organized and focused on data harvesting. According to threat intelligence reports, their main goal was to steal credentials—think passwords, access keys, and other sensitive tokens. They weren’t just grabbing data randomly; they were systematically searching for secrets that could be leveraged for further attacks or sold on the dark web.

What specific types of data were these attackers after, and why is that particularly concerning?

The hackers zeroed in on high-value information like AWS access keys, passwords, and even Snowflake-related tokens. This kind of data is a goldmine for cybercriminals because it can unlock access to other systems, cloud environments, or databases. The concern here is not just the immediate loss of data but the potential for cascading breaches—imagine an attacker using stolen AWS keys to infiltrate an entire infrastructure.

How did the companies involved respond once this breach was discovered?

Both Salesloft and Salesforce moved quickly once the issue came to light. Salesloft revoked the compromised tokens for Drift on August 20, which effectively cut off the attackers’ access through that integration. They also shared indicators of compromise to help affected customers spot any signs of intrusion. Salesforce, on their part, removed Drift from their AppExchange marketplace and notified the impacted customers—though they’ve stated that only a small number of instances were accessed compared to the broader estimates.

For businesses using Drift with Salesforce, what are the immediate risks they’re facing right now?

The risk is very specific to organizations that have integrated Drift with Salesforce via Salesloft. If you’re not using that particular setup, you’re likely in the clear for this incident. However, for those who are, there’s a strong chance their Salesforce data could have been exposed. The advice from threat intelligence is to assume compromise and act accordingly, rather than waiting for confirmation of a breach.

What practical steps should companies take to protect themselves if they’ve been using this integration?

First and foremost, companies need to review their Salesforce logs for any unusual activity or signs of data export during the attack window. They should also rotate all credentials and secrets stored in Salesforce—passwords, access keys, anything sensitive. Beyond that, it’s critical to re-authenticate any Drift-Salesforce connections since the tokens were revoked. This isn’t just about cleaning up after this incident; it’s about preventing future access through stale or stolen credentials.

I understand the attackers tried to cover their tracks—how did they do that, and is there still a way for companies to detect if they’ve been hit?

Yes, UNC6395 showed some operational savvy by deleting query jobs to hide their activity. However, they didn’t manage to tamper with the logs, which is a silver lining. Companies can still dig into their Salesforce logs to look for evidence of unauthorized access or data exposure. It’s a bit of detective work, but those records are key to understanding if and what was taken.
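The two answers above (reviewing Salesforce logs for data export during the attack window, and the point that deleting query jobs did not remove the log records) can be turned into a concrete triage script. The following is an added example, not part of the interview and not Salesforce or Salesloft code: it scans constructed, Salesforce-style export log records and flags export-capable events inside the 8 to 18 August 2025 window that differ from the integration's pre-window behaviour (new source IP or a row volume far above the earlier maximum). The column names, event types and sample lines are assumptions for illustration, not the real Salesforce EventLogFile schema.

```python
"""
Added example (not from the interview or from Salesforce/Salesloft): flag
data-export events inside the UNC6395 activity window that deviate from an
integration's earlier behaviour. Field names and event types are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Attack window named in the interview (inclusive, UTC).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Event types treated as export-capable (assumption for this example).
EXPORT_EVENTS = {"BulkApi", "ApiQuery", "ReportExport"}

# Constructed sample log lines. A deleted query job removes the job object,
# not these records, which is why log review still works after the fact.
SAMPLE_LOG = """timestamp,event_type,user,client_app,rows_processed,source_ip
2025-08-01T03:15:00Z,BulkApi,integration@example.com,SalesloftDrift,2000,198.51.100.50
2025-08-05T10:02:11Z,ApiQuery,alice@example.com,InternalReporting,120,203.0.113.10
2025-08-10T03:14:07Z,BulkApi,integration@example.com,SalesloftDrift,48000,198.51.100.77
2025-08-11T03:20:55Z,BulkApi,integration@example.com,SalesloftDrift,51000,198.51.100.77
2025-08-12T09:00:00Z,ApiQuery,bob@example.com,InternalReporting,40,203.0.113.10
2025-08-20T12:00:00Z,BulkApi,integration@example.com,SalesloftDrift,45000,198.51.100.77
"""


def parse_log(text):
    """Parse CSV-shaped log text into dicts with a tz-aware 'ts' and int row count."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rec["rows_processed"] = int(rec["rows_processed"])
        records.append(rec)
    return records


def build_baseline(records):
    """Per-app maximum row volume and set of source IPs seen before the window."""
    baseline = {}
    for r in records:
        if r["ts"] < WINDOW_START and r["event_type"] in EXPORT_EVENTS:
            b = baseline.setdefault(r["client_app"], {"max_rows": 0, "ips": set()})
            b["max_rows"] = max(b["max_rows"], r["rows_processed"])
            b["ips"].add(r["source_ip"])
    return baseline


def find_suspicious_exports(records, volume_factor=10):
    """Return in-window export events that deviate from the app's baseline.

    A stolen OAuth token makes the request look like the legitimate integration,
    so the app name alone is not a signal; source IP and volume are compared
    against what the same app did before the window.
    """
    baseline = build_baseline(records)
    hits = []
    for r in records:
        if r["event_type"] not in EXPORT_EVENTS:
            continue
        if not (WINDOW_START <= r["ts"] <= WINDOW_END):
            continue
        reasons = []
        b = baseline.get(r["client_app"])
        if b is None:
            reasons.append("no pre-window export history for this app")
        else:
            if r["source_ip"] not in b["ips"]:
                reasons.append("source IP never seen for this app before the window")
            if r["rows_processed"] > volume_factor * b["max_rows"]:
                reasons.append(
                    f"volume {r['rows_processed']} exceeds "
                    f"{volume_factor}x pre-window max {b['max_rows']}"
                )
        if reasons:
            hits.append({
                "timestamp": r["timestamp"],
                "app": r["client_app"],
                "user": r["user"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_exports(parse_log(SAMPLE_LOG)):
        print(hit["timestamp"], hit["app"], hit["user"], "; ".join(hit["reasons"]))
```

On the constructed sample this flags the two in-window Drift bulk exports (new source IP and roughly 25x the earlier volume) and ignores the normal reporting queries and the export on 20 August, which falls after the token revocation. In a real review the baseline period should be longer than one record and the thresholds tuned to the org's own traffic; any hit is a cue to rotate the secrets that were stored in the affected objects, as the interview recommends.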

Looking ahead, what is your forecast for the evolving landscape of threats targeting cloud platforms and third-party integrations?

I think we’re going to see more of these attacks exploiting third-party integrations as companies increasingly rely on interconnected tools to streamline operations. Cloud platforms like Salesforce are generally secure at their core, but the ecosystem around them—plugins, apps, and integrations—often creates vulnerabilities that attackers can exploit. My forecast is that threat actors will continue to target these weaker links, and businesses will need to prioritize vetting third-party tools and enforcing strict access controls to stay ahead of the game. We’re also likely to see more emphasis on real-time monitoring and automated threat detection to catch these incidents before they spiral out of control.
