Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

Published 08/09/2025 10:16 · Modified 08/09/2025 11:33

Essential information

Published
08/09/2025 10:16
Modified
08/09/2025 11:33
Tags
2025-09-08, credential harvesting, data theft, oauth tokens, salesforce, salesloft drift, supply-chain
Related entities
1 vulnerability (cve), 8 observables, 1 intrusion set (apt), 6 techniques (mitre)

Description

A widespread campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesting credentials and sensitive information. The campaign ran from August 8 to August 18, 2025, and affected objects such as Cases, Accounts, Users, and Opportunities. The actor showed operational security awareness by deleting the query jobs used for the exports. Salesloft and Salesforce have revoked the affected access tokens and removed the Drift application from the AppExchange. Impacted organizations are urged to take immediate remediation steps: investigate for compromise, scan exported data and connected systems for exposed secrets, and harden access controls. The IPs provided are confirmed as malicious, but some may generate noise in detections because they are Tor exit nodes.

External references