Hackers exploited compromised OAuth tokens to access hundreds of Salesforce customer instances in a targeted campaign. The threat actor, UNC6395, aimed to harvest credentials and sensitive data, impacting approximately 700 customers. #UNC6395 #Salesforce #OAuthTokens #DataBreach #SalesloftDrift
Keypoints
- Hackers used compromised OAuth tokens to breach Salesforce instances without exploiting platform vulnerabilities.
- The attack was conducted by the threat actor UNC6395 between August 8 and August 18, 2025.
- Approximately 700 Salesforce customers experienced data exposure, mainly those using Drift with Salesforce.
- Salesloft revoked the affected tokens and advised re-authentication of Drift-Salesforce connections.
- Organizations should review logs and rotate secrets to mitigate potential data exposure risks.
Read More: https://www.securityweek.com/hundreds-of-salesforce-customers-hit-by-widespread-data-theft-campaign/