Salesloft breached to steal OAuth tokens for Salesforce datatheft attacks
Update: Story updated with further information.

Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce, then used those tokens to pivot into customer environments and exfiltrate data.

Salesloft's SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM.

According to Salesloft, threat actors obtained the Drift OAuth and refresh tokens used for its Salesforce integration and used them to conduct a Salesforce data theft campaign between August 8 and August 18, 2025.

"Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," reads a Salesloft advisory.

"We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident."

In coordination with Salesforce, Salesloft revoked all active access and refresh tokens for the Drift application, requiring customers to re-authenticate with their Salesforce instances.

To re-authenticate, admins should go to Settings > Integrations > Salesforce, disconnect the integration, and then reconnect with valid Salesforce credentials.

Google's Threat Intelligence team, Mandiant, is tracking the threat actor as UNC6395 and states that once they gained access to a Salesforce instance, they issued SOQL queries to extract case data and searched the support cases for authentication tokens, passwords, and secrets that would let them breach further platforms.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.

"UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure."

To hide their infrastructure, the attackers used Tor as well as hosting providers such as AWS and DigitalOcean. User-Agent strings associated with the data theft attacks include python-requests/2.32.4, Python/3.11 aiohttp/3.12.15, and, for custom tools, Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0.

Google has provided a list of IP addresses and user agents in its report to help administrators search Salesforce logs and determine whether they were impacted by the attacks.

Admins of affected environments are advised to rotate credentials and then search Salesforce objects for additional secrets that may have been stolen. These include:

While Google is tracking this activity under a new classifier, UNC6395, the ShinyHunters extortion group initially told BleepingComputer that they are behind this activity.

When contacted, a representative for the group told BleepingComputer, "No wonder things suddenly stopped working yesterday."

However, Google's Threat Intelligence Team has not been able to link the extortion group to this attack.

"We've not seen any compelling evidence connecting them at this time," Austin Larsen, Principal Threat Analyst, Google Threat Intelligence Group, told BleepingComputer.

After the publishing of this story, the threat actors told BleepingComputer that the incident described by Google is not linked to them, as they are not targeting support cases.

The theft of Salesloft tokens is in addition to a wave of Salesforce data breaches linked to the ShinyHunters group, who also claim to overlap with the threat actors classified as Scattered Spider.

"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.

"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."

Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data.

During these attacks, the threat actors use voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instance.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

With these additional attacks, the threat actors have expanded their tactics beyond extorting companies to using the stolen data to breach downstream customers' cloud services and infrastructure as well.

Update 8/26/25: Added statement from Google.
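The two hunting steps recommended earlier in this article (search Salesforce logs for the user agents and IPs Google published, then sweep Salesforce objects for secrets that may have been stolen) as working code. This is an added example, not code from Salesloft, Salesforce, Google, or BleepingComputer. The CSV column names, the IP watchlist, the sample log rows, and the sample cases are all constructed for illustration; only the AWS access-key-ID format (AKIA followed by 16 uppercase alphanumerics) is a fixed pattern, the Snowflake and password matchers are keyword heuristics you will need to tune.

```python
"""
Hunt for the UNC6395 tradecraft described in the article across two data
sources exported from Salesforce.

Assumptions (all constructed for this example):
  - API activity was exported from Salesforce Event Monitoring / EventLogFile
    into a CSV with columns CLIENT_IP, USER_AGENT and QUERY. Real column names
    depend on the event type you export; adjust the header to match.
  - Case records were pulled with a SOQL query on Case and are dicts with
    Id, Subject and Description.
  - SUSPECT_IPS is a placeholder; populate it from Google's published list.
"""
import csv
import io
import re

# User-Agent strings Google associated with the data theft activity.
SUSPECT_USER_AGENTS = (
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
)

# Placeholder watchlist using RFC 5737 documentation addresses (constructed);
# replace with the indicators from Google's report.
SUSPECT_IPS = {"198.51.100.23", "203.0.113.77"}

# A bulk read of the Case object is the exfiltration pattern the article describes.
BULK_CASE_QUERY_RE = re.compile(r"\bFROM\s+Case\b", re.IGNORECASE)

# AWS access key IDs have a fixed format; the other two are keyword heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(
        r"snowflake[^\n]{0,40}(token|password|key)", re.IGNORECASE
    ),
    "password_assignment": re.compile(
        r"\b(password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE
    ),
}


def flag_api_events(csv_text):
    """Return [(row, [reasons])] for log rows matching the UA, IP or query indicators."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        ua = row.get("USER_AGENT", "")
        # Prefix match: real UA strings often carry extra suffixes.
        if any(ua.startswith(s) for s in SUSPECT_USER_AGENTS):
            reasons.append("suspect user agent")
        if row.get("CLIENT_IP") in SUSPECT_IPS:
            reasons.append("watchlisted source IP")
        if BULK_CASE_QUERY_RE.search(row.get("QUERY", "")):
            reasons.append("bulk read of Case object")
        if reasons:
            flagged.append((row, reasons))
    return flagged


def find_secrets_in_cases(cases):
    """Return {case_id: {pattern_name: [matches]}} for cases containing secret-like strings."""
    hits = {}
    for case in cases:
        text = f"{case.get('Subject', '')}\n{case.get('Description', '')}"
        found = {}
        for name, pattern in SECRET_PATTERNS.items():
            matches = [m.group(0) for m in pattern.finditer(text)]
            if matches:
                found[name] = matches
        if found:
            hits[case["Id"]] = found
    return hits


# Constructed sample log export (not real telemetry).
SAMPLE_LOG = """\
CLIENT_IP,USER_AGENT,QUERY
192.0.2.10,Mozilla/5.0 (Windows NT 10.0) Chrome/128.0,SELECT Id FROM Account LIMIT 10
203.0.113.77,python-requests/2.32.4,"SELECT Id, Subject, Description FROM Case"
198.51.100.23,Salesforce-Multi-Org-Fetcher/1.0,SELECT Id FROM User
192.0.2.11,Python/3.11 aiohttp/3.12.15,SELECT Id FROM Contact LIMIT 5
"""

# Constructed sample cases (not real customer data); the AKIA value is AWS's documented example key.
SAMPLE_CASES = [
    {"Id": "500xx0000000001", "Subject": "Cannot deploy",
     "Description": "here is my key AKIAIOSFODNN7EXAMPLE and password: Hunter2!"},
    {"Id": "500xx0000000002", "Subject": "Snowflake sync failing",
     "Description": "our Snowflake service account token is abc123"},
    {"Id": "500xx0000000003", "Subject": "Billing question",
     "Description": "invoice 4471 looks wrong"},
]

if __name__ == "__main__":
    for row, reasons in flag_api_events(SAMPLE_LOG):
        print(f"{row['CLIENT_IP']:15} {row['USER_AGENT']:35} -> {', '.join(reasons)}")
    for case_id, found in find_secrets_in_cases(SAMPLE_CASES).items():
        print(case_id, found)
```

Because the actors deleted their query jobs but, per Google, did not touch the logs, the event-log export is the durable evidence: run the log check over the full August 8 to 18 window, and treat every case the secret sweep flags as a credential that needs rotating, not just the AWS keys and Snowflake tokens the article names.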
Update 8/26/25: Added further clarification regarding ShinyHunters' involvement in these attacks.

Copyright 2003 - 2025 Bleeping Computer LLC. All Rights Reserved.