Summary

In early August, a threat actor tracked by Google Threat Intelligence Group as UNC6395 abused compromised OAuth tokens from the Salesloft Drift app's Salesforce integration to exfiltrate large volumes of data out of company Salesforce tenants. Using the stolen OAuth credentials, the threat actor bypassed normal authentication (including MFA) and exfiltrated large volumes of Salesforce data from hundreds of organizations. The attackers also took steps to cover their tracks by deleting Salesforce query job records after data exports. The activity focused on finding credentials within the exfiltrated Salesforce data, specifically AWS access keys, passwords, and Snowflake tokens.

‍

This campaign comes after a series of data theft attacks conducted by ShinyHunters to target Salesforce instances by using voice phishing and tricking employees into connecting a malicious OAuth integration with Salesforce tenants that affected companies such as Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH among others.

‍

As of today there is not enough evidence to link both campaigns to the same threat actor.

‍

Scope of Impact

Using our unique SaaS Supply chain visibility and reviewing vendors that are both Salesforce and Drift customers, we estimate that more than 750 SaaS vendors could have been affected by this incident. As of September 2nd, the following companies have confirmed that they were affected:

• Cloudflare
• Zscaler
• Palo Alto Networks
• Pagerduty
• Tanium
• Spycloud

Check out our Salesloft Drift Breach Tracker for real-time updates on companies affected.

‍

Timeline of Events

On Aug 20, Salesloft (Drift) announced it had “detected a security issue in the Drift application.” That same day, in collaboration with Salesforce, Salesloft revoked all active OAuth access and refresh tokens for the Drift integration and urged customers to re-authenticate to invalidate any stolen tokens. Salesforce also pulled the Drift app from its AppExchange marketplace and emphasized that the incident was not due to any vulnerability in Salesforce’s core platform.

‍

On August 28, Salesforce went further and disabled all integrations between Salesforce and Salesloft technologies, including Slack and Pardot, while investigations continue.

‍

On August 28, Google disclosed that the actor also compromised OAuth tokens for the "Drift Email" integration for Google Workspace. At this point, it is recommended to conduct a full review of every application integrated with Drift, rotate and revoke credentials, and inspect all linked environments for potential compromise, not just the Salesforce integration. This includes API key-based integrations with the Drift platform and not just OAuth integrations.

‍

Recommendations

• Inventory and revoke all third-party integrations connected to Drift instances.
• Scan for exposed secrets and credentials in Salesforce and other SaaS apps and for secrets and credentials in tickets, notes, comments, attachments and support cases like API Keys, AWS Keys, passwords, webhooks and other tokens. The threat actor was particularly searching for Snowflake credentials.
• Centralize SaaS apps logs and alert on suspicious behavior.
• Implement IP restriction for integrations in Salesforce: In the Salesforce Connected App settings for Drift (and other high‑risk apps), set IP Relaxation = Enforce IP restrictions and limit to your corporate egress ranges.
• Right‑size access for connected apps: Remove API Enabled from broad profiles. Grant it only via granular Permission Sets. Avoid “full access” OAuth scopes, choose the minimum that still lets the app work.
• Limit data access: limit which objects, attributes, and records an integration identity can see.
• Implement session timeout for integrations in Salesforce
• Complete a forensic analysis of authentication activity from the Drift integrations and search for activity from TOR exit nodes and unexpected cloud infrastructure.
• Search for deleted jobs or queries in Salesforce
• Conduct connected‑app reviews across SaaS applications: Inventory every app connected to your SaaS ecosystem and inventory owners, business justification and scope reviews on a periodic basis.
• Implement SSPM capabilities to control and monitor SaaS configuration and integrations.
• Monitor for Salesforce data export and suspicious SOQL queries such as the ones reported by Drift and Google:
  ‍SELECT Id, Description, Subject, Comments FROM Case WHERE CreatedDate >= :x ORDER BY CreatedDate DESC NULLS FIRST LIMIT 2000
SELECT Id FROM Case WHERE SuppliedEmail LIKE :x LIMIT 1000


• Search for Salesforce requests using the following user agents:
  ‍Salesforce-Multi-Org-Fetcher/1.0
Salesforce-CLI/1.0
python-requests/2.32.4
Python/3.11 aiohttp/3.12.15
  

‍

The Takeaway: Sensitive data lives in SaaS but security monitoring often lags behind

Incidents like this keep proving the same point: most organizations don’t actually know every marketplace app, API integration, or OAuth integration that is connected to their SaaS data. If you can’t enumerate your connected apps, you can’t defend them. The risky patterns are familiar:

• Persistent OAuth: Long‑lived tokens create quiet, durable access.
• Over‑permissive scopes: “Full access” becomes the default because it’s convenient.
• Blind spots: Event logs from SaaS platforms are often not centralized or monitored.
• Secrets in business data: Sensitive credentials stored in tickets, notes, descriptions, and attachments turbocharge impact when data is exfiltrated.

Today, most corporate crown jewels like customer data, source code, IP and credentials live in SaaS environments. Yet, compared to network, endpoint or cloud infrastructure monitoring, SaaS security monitoring and management are too often overlooked.

‍

Organizations often struggle to answer basic questions:

• Which apps are connected to Salesforce right now and how?
• What data do they have access to?
• Who granted this access? For what reason?
• Are old OAuth tokens still active?

This lack of visibility and control creates the blind spots attackers look for. And as this event demonstrates, adversaries know exactly how to exploit them.

‍

How Nudge Security helps

At Nudge Security, we help organizations take back control of their SaaS supply chains with a simple 5-minute setup. Here’s how:

‍

🔍 Discover & inventory SaaS and AI apps →

Instantly see every SaaS and AI tool your workforce is using, including shadow IT and unsanctioned integrations.

‍

📊 Vendor security profiles & breach alerts →

Get mapped views of your SaaS supply chain, with vendor profiles that surface risks and alert you to breaches like the Drift campaign—before they impact you.

‍

‍

🛡️ Manage risky OAuth grants & integrations →

Identify and revoke overly permissive or unnecessary OAuth grants to business-critical apps like Salesforce. Lock down your integrations before attackers exploit them.

‍

‍

🔍 Lock down your critical SaaS apps →

Continually monitor security posture for your connected apps, get alerted to configuration drift, and use automated workflows to correct variances from security best practices.

‍

‍

It’s time to act

This recent breach is not an isolated event, it’s a preview of the future. Attackers will continue targeting the SaaS supply chain because it works.

‍

Security teams must respond by monitoring, managing, and defending their SaaS ecosystems with the same rigor they apply to endpoints and infrastructure.

‍

With Nudge Security, you can finally gain the visibility and control you need to secure your SaaS supply chain and prevent the next Drift-style attack.

‍

👉 See how Nudge Security can protect your SaaS supply chain