Google Threat Intelligence Group shared its findings about a threat actor responsible for stealing Salesforce customer data via Salesloft Drift.
A previously unidentified threat actor, UNC6395, has been linked to a recent breach campaign that exposed Salesforce customer data. The activity, which occurred between early and mid-August, involved the misuse of OAuth tokens issued through the Salesloft Drift integration.
Google Threat Intelligence Group (GTIG) identified the threat actor in an Aug. 26 post and noted that the “widespread data theft” started as early as Aug. 8, 2025, and ran through at least Aug. 18, 2025.
UNC6395 used targeted database queries to extract records containing personal user data, account profiles, case logs, and similar sensitive information. After pulling the data, the group exported the results in an apparent effort to collect login credentials and cloud access keys.
According to Salesloft, users who haven’t yet integrated with Salesforce were not affected by the attack. In a joint effort, Salesloft and Salesforce revoked active access and refresh tokens associated with Drift. The app was also pulled from the Salesforce AppExchange while the investigation remains ongoing.
GTIG has published a list of known indicators of compromise (IOCs) involving the recent attacks. These include:
Any match with these IOCs in your logs may point to a compromise and should prompt immediate investigation.
If you believe your system has been compromised, or if you want to proactively protect your system from UNC6395, consider the following recommendations from GTIG:
These recommendations can all go a long way toward safeguarding your system from UNC6395 and other, similar threats, whether you’ve been compromised or not.
UNC6395’s exploitation of OAuth tokens shows how easily attackers can leverage trusted authentication mechanisms to bypass modern cyberdefenses. The sooner organizations treat OAuth token security as a top priority, the sooner they can close a door that attackers like UNC6395 are all too eager to exploit.
J.R. Johnivan is a technology writer and computer repair professional with 20 years of experience. His work explores emerging technologies, including next-generation LLMs, their societal impact, and how they can improve professional workflows. He began writing while studying computer networking, eventually combining his passion for technology with a career in content. He also brings expertise in project management, HR, and CRM software, giving him a practical, business-focused perspective on today’s tech landscape.