Hackers steal data from Salesforce instances in widespread campaign | Cybersecurity Dive

Google researchers have linked a large-scale credential theft campaign to hackers exploiting compromised OAuth tokens from Salesloft’s Drift AI chat agent, impacting more than 700 Salesforce customers. The attackers, tracked as UNC6395, automated data theft from Salesforce instances between Aug. 8 and 18, seeking sensitive credentials such as AWS keys and Snowflake tokens. While Salesforce itself was not vulnerable, Salesloft and Salesforce revoked Drift tokens and removed the app from AppExchange as part of remediation. Security experts, including Mandiant, advise affected organizations to treat their Salesforce data as compromised, revoke API keys, rotate credentials, and strengthen access controls.