
Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign


Hackers stole data from hundreds of Salesforce customer instances in a widespread campaign earlier this month, Google Threat Intelligence Group (GTIG) warns.

The attacks did not exploit a vulnerability within the core Salesforce platform, but relied on compromised OAuth tokens for Salesloft Drift, a third-party AI chat bot.

The campaign, GTIG says, was carried out by a threat actor tracked as UNC6395 between August 8 and August 18, 2025.

“The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials,” Google’s threat intelligence unit says.

UNC6395 was seen searching the stolen information for secrets and sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens.

Salesloft, which shared indicators of compromise (IOCs) to help customers identify potential compromises, has pointed out that only organizations integrating Drift with Salesforce have been affected by the ...


Copyright of this story solely belongs to SecurityWeek.