
Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach


A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed MFA using stolen OAuth tokens and what organizations can do to secure non-human identities.

A recent advisory issued by the Google Threat Intelligence Group (GTIG) and Mandiant has revealed a widespread data theft campaign targeting Salesforce. The campaign, which took place from as early as August 8 through at least August 18, 2025, was carried out by a threat actor known as UNC6395.

Bypassing Security with a Digital Key

According to GTIG’s advisory, the attackers did not exploit a vulnerability in the core Salesforce platform; instead, they compromised OAuth tokens from the Salesloft Drift third-party application.

OAuth tokens act like special digital keys that grant access to a user’s account without needing a password. Because the attackers abused these non-human identities (NHIs), they ...


Copyright of this story solely belongs to hackread.com.