Google warns of ‘widespread data theft’ targeting Salesforce customers
Threat actor exploits OAuth tokens issued through the Salesloft Drift integration
Google’s Threat Intelligence Group (GTIG) has linked a newly identified hacking group to a data breach campaign that exposed sensitive Salesforce customer information earlier this month.
The actor, tracked as UNC6395, is believed to have exploited OAuth tokens issued through Salesloft Drift integrations to gain access to Salesforce environments. Salesloft is a revenue orchestration platform that integrates with Salesforce. According to Google, the campaign began on 8th August and continued until at least 18th August 2025.
Once inside, the attackers ran targeted SOQL queries against Salesforce objects, exporting User, Account and Case records and other personal information in bulk. Analysts believe the aim was to mine the exported data for login credentials and cloud access keys that could be used in follow-on intrusions.
Drift removed from the Salesforce AppExchange
Salesloft confirmed that organisations not using its Salesforce integration were unaffected. In response, Salesloft and Salesforce jointly revoked all affected access and refresh tokens, while Drift was temporarily removed from the Salesforce AppExchange pending further investigation.
GTIG has published a list of indicators of compromise (IOCs) tied to the campaign. These include suspicious User-Agent strings such as Salesforce-Multi-Org-Fetcher/1.0 and IP addresses linked to the activity, including 208.68.36.90, 44.215.108.109 and 185.220.101.133. Organisations spotting matches in their logs are urged to carry out immediate investigations.
To reduce exposure, GTIG advises Salesforce users to:
• Audit Salesforce and Salesloft logs for unusual activity, such as large API queries from unfamiliar IP addresses or User-Agent strings
• Reset user credentials and revoke any API keys or OAuth tokens that cannot be accounted for
• Enforce stricter access controls, such as IP-based login restrictions
• Report suspected breaches directly to Salesforce
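The indicator list above and the first recommendation (audit the logs) can be turned into a small triage script. The following is an added example, not code from Google, Salesforce or Salesloft: it reads a constructed, simplified CSV modelled loosely on a Salesforce API event log export (the column names are an assumption; a real Event Log File has more columns and different names, so map the header before running this on real data), flags any line whose client IP or User-Agent matches the IOCs quoted in the article, and separately flags bulk reads of User, Account and Case records from sources that match no IOC, since the published list is unlikely to cover every address the actor used. The row threshold is an assumed value to be tuned to the org's normal API volume.

```python
"""
Triage constructed Salesforce API-style log lines against the UNC6395
indicators quoted in the article (IP addresses and User-Agent string) and
against the bulk-export pattern the article describes.

Added example, not code from Google, Salesforce or Salesloft. The CSV
columns are an assumed, simplified layout, not the real Event Log File schema.
"""
import csv
import io
from collections import defaultdict

# Indicators quoted in the article (from GTIG's published IOC list).
IOC_IPS = frozenset({"208.68.36.90", "44.215.108.109", "185.220.101.133"})
IOC_USER_AGENTS = frozenset({"Salesforce-Multi-Org-Fetcher/1.0"})

# Objects the article says were pulled in bulk.
SENSITIVE_OBJECTS = frozenset({"User", "Account", "Case"})
BULK_ROW_THRESHOLD = 1000  # assumed; tune to the org's normal API volume

# Constructed sample log, NOT a real export. Column names are assumed.
SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,ENTITY_NAME,ROWS_PROCESSED,URI
2025-08-10T02:14:07Z,drift.integration@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,Case,50000,/services/data/v58.0/query
2025-08-10T02:15:31Z,drift.integration@example.com,208.68.36.90,Salesforce-Multi-Org-Fetcher/1.0,User,12000,/services/data/v58.0/query
2025-08-10T02:16:02Z,drift.integration@example.com,185.220.101.133,curl/8.4.0,Account,20000,/services/data/v58.0/query
2025-08-10T09:00:12Z,alice@example.com,203.0.113.25,Mozilla/5.0,Opportunity,40,/services/data/v58.0/query
2025-08-10T09:05:44Z,svc.report@example.com,198.51.100.7,Mozilla/5.0,Case,2500,/services/data/v58.0/query
"""


def parse_log(text):
    """Parse the CSV export into dicts, coercing ROWS_PROCESSED to int."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"] or 0)
        rows.append(rec)
    return rows


def scan(rows):
    """Return one finding per suspicious log line.

    severity 'high'   : the client IP or User-Agent is on the IOC list
    severity 'review' : no IOC match, but a bulk read of a sensitive object
    """
    findings = []
    for rec in rows:
        reasons = []
        if rec["CLIENT_IP"] in IOC_IPS:
            reasons.append(f"IOC IP {rec['CLIENT_IP']}")
        if rec["USER_AGENT"] in IOC_USER_AGENTS:
            reasons.append(f"IOC User-Agent {rec['USER_AGENT']}")
        if (rec["ENTITY_NAME"] in SENSITIVE_OBJECTS
                and rec["ROWS_PROCESSED"] >= BULK_ROW_THRESHOLD):
            reasons.append(
                f"bulk read of {rec['ROWS_PROCESSED']} {rec['ENTITY_NAME']} rows")
        if not reasons:
            continue
        severity = "high" if any(r.startswith("IOC") for r in reasons) else "review"
        findings.append({
            "timestamp": rec["TIMESTAMP"],
            "user": rec["USER_NAME"],
            "client_ip": rec["CLIENT_IP"],
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def rows_pulled_per_user(rows):
    """Total rows read from sensitive objects, per user, to size the exposure."""
    totals = defaultdict(int)
    for rec in rows:
        if rec["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            totals[rec["USER_NAME"]] += rec["ROWS_PROCESSED"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in scan(recs):
        print(f["severity"].upper(), f["timestamp"], f["user"], f["client_ip"],
              "; ".join(f["reasons"]))
    for user, n in sorted(rows_pulled_per_user(recs).items(), key=lambda kv: -kv[1]):
        print(f"{user}: {n} rows read from sensitive objects")
```

The per-user total matters for the second recommendation: the integration user whose token was abused is the account whose tokens need revoking, and the row count tells you how many records may have to be searched for exposed secrets. Exact-match IOC lookups are deliberately kept separate from the heuristic bulk-read check so that a tuned threshold never suppresses a known-bad indicator.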
Google’s researchers noted that the incident highlights how attackers are increasingly abusing trusted authentication methods such as OAuth to bypass enterprise security controls: a valid access or refresh token issued to a third-party integration lets an attacker call the Salesforce API with that integration’s permissions without ever passing through an interactive login or multi-factor authentication.
“Organisations need to treat OAuth token security as a priority, or risk leaving open doors for groups like UNC6395,” GTIG warned.