Google Threat Intelligence Group reported a widespread data theft campaign by UNC6395 that compromised over 700 Salesforce customers between August 8 and August 18. The attackers exploited stolen OAuth tokens from Salesloft Drift, a third-party AI agent, to exfiltrate large volumes of data, specifically targeting cloud and VPN credentials from customer instances. While access was revoked by August 20, halting the attacks, this incident underscores the critical vulnerability of cloud-to-cloud integrations and third-party app access, prompting advisories for impacted organizations to rotate credentials and investigate data compromise.
A widespread, automated data theft campaign has impacted over 700 Salesforce (CRM) customers, exposing a critical vulnerability in the third-party application ecosystem. The attack, attributed by Google (GOOGL) to the group UNC6395, was not due to a flaw in Salesforce's core platform but was executed by compromising Salesloft Drift, an AI chat agent, and stealing OAuth tokens. This allowed the attackers to methodically exfiltrate data from customer instances between August 8 and August 18, specifically searching for credentials to other high-value systems like Amazon Web Services (AMZN) and Snowflake (SNOW). While access was revoked on August 20, halting the campaign, the event underscores significant systemic risk associated with cloud-to-cloud integrations. The negative sentiment score (-0.6 for CRM) reflects the reputational damage and erosion of customer trust, even with Salesforce asserting its core platform integrity. The sophistication and scale of the operation, using automated tools and targeting secondary credentials, elevate this beyond a minor incident and serve as a material warning about supply-chain risk within the broader SaaS industry.
Overall Sentiment: strongly negative
Sentiment Score: -0.65