Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce, using them to pivot into customer environments and exfiltrate data.

The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks.

Salesloft’s SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM.

According to Salesloft, threat actors obtained the Drift OAuth and refresh tokens used for its Salesforce integration and used them to conduct a Salesforce data theft campaign between August 8 and August 18, 2025.

“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” reads a Salesloft advisory.

“We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident.”

In coordination with Salesforce, Salesloft revoked all active access and refresh tokens for the Drift application, requiring customers to re-authenticate with their Salesforce instances.

To reauthenticate, admins should go to Settings > Integrations > Salesforce, disconnect the integration, and then reconnect with valid Salesforce credentials.

Google’s Threat Intelligence team (Mandiant) is tracking the threat actor as UNC6395 and states that once they gained access to a Salesforce instance, they issued SOQL queries to extract authentication tokens, passwords, and secrets from support cases, allowing them to breach further platforms.

“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” reports Google.

“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”

To hide their infrastructure, the attackers used Tor, as well as hosting providers such as AWS and DigitalOcean. User-Agent strings associated with the data theft attacks include ‘python-requests/2.32.4’, ‘Python/3.11 aiohttp/3.12.15’, and, for custom tools, ‘Salesforce-Multi-Org-Fetcher/1.0’ and ‘Salesforce-CLI/1.0’.

Google has provided a list of IP addresses and user agents in its report to help administrators search Salesforce logs and determine whether they were impacted by the attacks.

Admins of affected environments are advised to rotate credentials and then search Salesforce objects for additional secrets that may have been stolen. These include:

  • AKIA for long-term AWS access key identifiers
  • Snowflake or snowflakecomputing.com for Snowflake credentials
  • password, secret, key to find potential references to credential material
  • Strings related to organization-specific login URLs, such as VPN or SSO login pages
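
Both searches the article recommends (reviewing access logs for the listed User-Agent strings and IP addresses, and scanning Salesforce objects for the credential patterns in the list above) can be scripted. The following Python is an added example, not code from Salesloft, Salesforce or Google: the event field names and record layout are an assumed export format, the sample events and support cases are constructed, the IP addresses are RFC 5737 documentation ranges, and `SUSPICIOUS_IPS` is an empty placeholder to be filled from Google's published list.

```python
import re

# User-Agent strings the article lists as associated with the data-theft activity.
SUSPICIOUS_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Placeholder: populate from the IP list in Google's report; none are embedded here.
SUSPICIOUS_IPS = set()

# Patterns for the secret material the article says admins should search for.
SECRET_PATTERNS = {
    # Long-term AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflakecomputing\.com|\bsnowflake\b", re.IGNORECASE),
    "credential_keyword": re.compile(r"\b(?:password|secret|key)\b", re.IGNORECASE),
    # Organization-specific login pages, e.g. VPN or SSO portals.
    "login_url": re.compile(r"https?://\S*\b(?:vpn|sso)\b\S*", re.IGNORECASE),
}

# Constructed sample of API-access events. The field names are an assumption,
# not a Salesforce log schema; IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-10T03:14:00Z", "client_ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0", "operation": "UI"},
    {"timestamp": "2025-08-10T03:21:00Z", "client_ip": "192.0.2.44",
     "user_agent": "Salesforce-Multi-Org-Fetcher/1.0", "operation": "BulkQuery"},
    {"timestamp": "2025-08-10T03:22:00Z", "client_ip": "192.0.2.45",
     "user_agent": "python-requests/2.32.4", "operation": "SOQL"},
    # A different library version: legitimate traffic, and not an exact indicator match.
    {"timestamp": "2025-08-11T09:05:00Z", "client_ip": "198.51.100.9",
     "user_agent": "python-requests/2.31.0", "operation": "REST"},
]

# Constructed support-case records; AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key ID.
SAMPLE_CASE_RECORDS = [
    {"id": "CASE-0001", "description": "Customer cannot log in to https://vpn.example.com after password reset."},
    {"id": "CASE-0002", "description": "Attached config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},
    {"id": "CASE-0003", "description": "Shipping delay on order 4471, customer asks for ETA."},
    {"id": "CASE-0004", "description": "Warehouse at acme.snowflakecomputing.com is rejecting the service token."},
]


def flag_suspicious_events(events, user_agents=SUSPICIOUS_USER_AGENTS, ips=SUSPICIOUS_IPS):
    """Return events whose User-Agent or source IP matches a known indicator.

    Exact string comparison is deliberate: other versions of the same HTTP
    libraries are common legitimate traffic and would swamp the result.
    """
    return [e for e in events
            if e.get("user_agent") in user_agents or e.get("client_ip") in ips]


def scan_text_for_secrets(text):
    """Return the names of every secret pattern found in a block of text."""
    return sorted(name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text))


def scan_records(records, text_field="description"):
    """Map record id -> matched pattern names, for records that contain any.

    Only pattern names are reported, never the matched strings, so the triage
    output does not itself become another copy of the credential.
    """
    findings = {}
    for record in records:
        hits = scan_text_for_secrets(record.get(text_field, ""))
        if hits:
            findings[record["id"]] = hits
    return findings


if __name__ == "__main__":
    for event in flag_suspicious_events(SAMPLE_EVENTS):
        print(f"suspicious access: {event['timestamp']} {event['client_ip']} {event['user_agent']}")
    for record_id, hits in scan_records(SAMPLE_CASE_RECORDS).items():
        print(f"rotate credentials referenced in {record_id}: {', '.join(hits)}")
```

On real data the event list would come from a Salesforce log export and the records from a query over the Case object; the matching logic is unchanged. Keyword hits such as `password` will include benign support text, so they are a starting point for review rather than a verdict, whereas an `AKIA` or `snowflakecomputing.com` hit should be treated as a credential to rotate.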

While Google is tracking this activity under a new classifier, UNC6395, the ShinyHunters extortion group told BleepingComputer that they are behind it.

When contacted, a representative for the group told BleepingComputer, “No wonder things suddenly stopped working yesterday.”

Ongoing Salesforce attacks

The theft of Salesloft tokens is part of a larger wave of Salesforce data breaches linked to the ShinyHunters group, who also claim to overlap with the threat actors classified as Scattered Spider.

“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer.

“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”

Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data.

During these attacks, the threat actors use voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

With these additional attacks, the threat actors have expanded their tactics to not only extort companies but also to use the stolen data to breach downstream customers’ cloud services and infrastructure.
