
"A previously unidentified threat actor, UNC6395, has been linked to a recent breach campaign that exposed Salesforce customer data. The activity, which occurred between early and mid-August, involved the misuse of OAuth tokens issued through Salesloft Drift integration. Google Threat Intelligence Group (GTIG) identified the threat actor in an Aug. 26 post and noted the "widespread data theft" started as early as Aug. 8, 2025 and ran through at least Aug. 18, 2025."
"UNC6395 used targeted database queries to extract records containing personal user data, account profiles, case logs, and similar sensitive information. After pulling the data, the group exported the results in an apparent effort to collect login credentials and cloud access keys. According to Salesloft, users that haven't yet integrated with Salesforce were not affected by the attack. In a joint effort, Salesloft and Salesforce revoked active access and refresh tokens associated with Drift."
UNC6395 was linked to a breach that exposed Salesforce customer data between Aug. 8 and Aug. 18, 2025, with disclosure on Aug. 26, 2025. The actor abused OAuth tokens issued through the Salesloft–Drift integration to access Salesforce organizations. The threat actor executed targeted database queries to extract personal user data, account profiles, case logs, login credentials, and cloud access keys, then exported the results. Users who had not integrated Salesloft with Salesforce were not affected. Salesloft and Salesforce revoked active and refresh tokens associated with Drift and removed the app from the Salesforce AppExchange. Known IOCs include specific User-Agent strings.
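A defender-side triage check for the pattern described above, added here as an example (not code from the GTIG, Salesloft or TechRepublic write-ups): it matches a placeholder User-Agent IOC, since the page does not reproduce the actual strings, and flags bulk query volume followed by an export from the same connected app and client. The record shape, the app label "Drift" as it would appear in logs, and the row threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified shape (NOT Salesforce's real
# event-log schema): connected app, User-Agent, operation, rows touched.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T02:11:05Z", "app": "Drift", "ua": "Mozilla/5.0 (sales-desktop)", "op": "query", "rows": 120},
    {"ts": "2025-08-09T03:40:17Z", "app": "Drift", "ua": "IOC-UA-PLACEHOLDER/1.0", "op": "query", "rows": 50000},
    {"ts": "2025-08-09T03:41:02Z", "app": "Drift", "ua": "IOC-UA-PLACEHOLDER/1.0", "op": "query", "rows": 48000},
    {"ts": "2025-08-09T03:45:30Z", "app": "Drift", "ua": "IOC-UA-PLACEHOLDER/1.0", "op": "export", "rows": 98000},
    {"ts": "2025-08-10T09:00:00Z", "app": "Sales Console", "ua": "Mozilla/5.0 (browser)", "op": "query", "rows": 30},
]

# Placeholder pattern: substitute the User-Agent IOCs published in the advisory.
IOC_USER_AGENTS = [re.compile(r"^IOC-UA-PLACEHOLDER/")]
ROW_THRESHOLD = 10_000  # assumed tuning value for what counts as a bulk read


def flag_ioc_user_agents(events, patterns=IOC_USER_AGENTS):
    """Return timestamps of events whose User-Agent matches a known IOC."""
    return [e["ts"] for e in events if any(p.search(e["ua"]) for p in patterns)]


def flag_query_then_export(events, threshold=ROW_THRESHOLD):
    """Per (connected app, User-Agent), flag bulk query volume followed by an
    export: the collect-then-exfiltrate sequence described for this campaign."""
    rows_seen = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["app"], e["ua"])
        if e["op"] == "query":
            rows_seen[key] += e["rows"]
        elif e["op"] == "export" and rows_seen[key] >= threshold:
            hits.append({"app": e["app"], "ua": e["ua"],
                         "queried_rows": rows_seen[key], "export_ts": e["ts"]})
    return hits


if __name__ == "__main__":
    print(flag_ioc_user_agents(SAMPLE_EVENTS))
    print(flag_query_then_export(SAMPLE_EVENTS))
```

Any hit on the second check for a revoked integration after the revocation date indicates a token that was not actually invalidated and warrants its own investigation.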
Read at TechRepublic