Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach

A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed MFA using stolen OAuth tokens and what organizations can do to secure non-human identities.
A recent advisory issued by the Google Threat Intelligence Group (GTIG) and Mandiant has revealed a widespread data theft campaign targeting Salesforce. The campaign, which took place from as early as August 8 through at least August 18, 2025, was carried out by a threat actor known as UNC6395.
According to GTIG’s advisory, the attackers did not exploit a vulnerability in the core Salesforce platform; instead, they used OAuth tokens compromised from the Salesloft Drift third-party application.
For your information, OAuth tokens are like a special digital key that grants access to a user’s account without needing a password. Because the attackers abused these non-human identities (NHIs), they could completely bypass traditional security measures like Multi-Factor Authentication (MFA), which protects against simple password theft.
Once inside, UNC6395 systematically exported large volumes of data from numerous corporate Salesforce accounts. Their primary goal was to harvest credentials and search for high-value “secrets” that could be used for further attacks.
The threat actor specifically targeted data from customer accounts, users, and opportunities, looking for sensitive information such as AWS access keys and Snowflake tokens.
The advisory noted that Google Cloud customers were not directly impacted by this campaign.
The attackers showed an awareness of security, deleting their query jobs to cover their tracks. However, their activity was still logged, providing a trail for security teams to follow.
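The point above is the one a defender should take from this campaign: deleting a query job removes the job, not the record that it ran. The following added example, which is not part of the Hackread article or of GTIG's advisory, shows the kind of triage logic a security team could run over exported API activity. The log layout, column names, app names, IP addresses and thresholds are all constructed for illustration and are not the real Salesforce Event Log Format schema; the "known IP" and "known user agent" baselines are assumed values a team would fill in from its own integration inventory.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of API-activity rows in a simplified comma-separated layout.
# NOT the real Salesforce Event Log Format schema; column names are assumed.
# IPs are documentation ranges, app and user names are placeholders.
SAMPLE_LOG = """\
timestamp,event,connected_app,user,client_ip,user_agent,object,rows,job_id
2025-08-09T02:14:05Z,query_job_created,Drift,integration@example.com,203.0.113.10,python-requests/2.32,Account,250000,J1
2025-08-09T02:31:40Z,query_job_completed,Drift,integration@example.com,203.0.113.10,python-requests/2.32,Account,250000,J1
2025-08-09T02:33:02Z,query_job_deleted,Drift,integration@example.com,203.0.113.10,python-requests/2.32,Account,0,J1
2025-08-09T03:01:11Z,query_job_created,Drift,integration@example.com,203.0.113.10,python-requests/2.32,User,48000,J2
2025-08-09T03:05:30Z,query_job_completed,Drift,integration@example.com,203.0.113.10,python-requests/2.32,User,48000,J2
2025-08-09T03:06:00Z,query_job_deleted,Drift,integration@example.com,203.0.113.10,python-requests/2.32,User,0,J2
2025-08-09T09:12:00Z,query_job_created,Drift,integration@example.com,198.51.100.7,Drift-Sync/1.0,Lead,120,J3
2025-08-09T09:12:45Z,query_job_completed,Drift,integration@example.com,198.51.100.7,Drift-Sync/1.0,Lead,120,J3
2025-08-09T10:00:00Z,query_job_created,ReportBuilder,alice@example.com,198.51.100.22,Mozilla/5.0,Opportunity,900,J4
2025-08-09T10:00:50Z,query_job_completed,ReportBuilder,alice@example.com,198.51.100.22,Mozilla/5.0,Opportunity,900,J4
"""

# Assumed baseline of what each integration normally looks like from the org's side.
KNOWN_SOURCE_IPS = {"Drift": {"198.51.100.7"}, "ReportBuilder": {"198.51.100.22"}}
KNOWN_USER_AGENTS = {"Drift": {"Drift-Sync/1.0"}, "ReportBuilder": {"Mozilla/5.0"}}
BULK_EXPORT_THRESHOLD = 10_000            # rows per job that counts as a bulk export (assumed)
DELETE_WINDOW = timedelta(minutes=10)     # completion -> deletion gap treated as track-covering


def parse_log(text):
    """Parse the CSV text into dicts with typed timestamp and row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["rows"])
    return rows


def find_suspicious_jobs(rows):
    """Return one finding per query job that trips at least one rule."""
    by_job = defaultdict(list)
    for r in rows:
        by_job[r["job_id"]].append(r)

    findings = []
    for job_id, events in by_job.items():
        events.sort(key=lambda r: r["timestamp"])
        first = events[0]
        app = first["connected_app"]
        reasons = []

        # Rule 1: bulk volume from objects whose free-text fields often hold credentials
        if max(e["rows"] for e in events) >= BULK_EXPORT_THRESHOLD:
            reasons.append("bulk_export")

        # Rule 2: source IP is not one the integration is known to use
        if first["client_ip"] not in KNOWN_SOURCE_IPS.get(app, set()):
            reasons.append("unexpected_ip")

        # Rule 3: user agent is not one the integration is known to use
        if first["user_agent"] not in KNOWN_USER_AGENTS.get(app, set()):
            reasons.append("unexpected_user_agent")

        # Rule 4: job deleted shortly after it completed (results pulled, then trail removed);
        # the deletion event itself is still in the log, which is what makes this detectable
        completed = [e for e in events if e["event"] == "query_job_completed"]
        deleted = [e for e in events if e["event"] == "query_job_deleted"]
        if completed and deleted:
            gap = deleted[0]["timestamp"] - completed[0]["timestamp"]
            if timedelta(0) <= gap <= DELETE_WINDOW:
                reasons.append("job_deleted_after_completion")

        if reasons:
            findings.append({"job_id": job_id, "app": app, "user": first["user"],
                             "object": first["object"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_jobs(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script reports jobs J1 and J2 (large exports of Account and User from an IP and client the integration never used, each deleted within minutes of finishing) and stays quiet on the two routine jobs. In practice the baselines come from the organization's inventory of Connected Apps, and the same four rules map directly onto GTIG's suggestions to check IP addresses and User-Agent strings.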
In a swift response, Salesloft, in collaboration with Salesforce, revoked all active access tokens for the Drift app on August 20, 2025. Also, Salesforce temporarily removed the Drift application from its AppExchange platform while the investigation continues.
Both companies and GTIG have notified the organizations affected by the breach.
Reflecting upon this incident, Astrix Security shared its observations in a separate blog post, revealing that exploiting NHIs is a growing trend for attackers because these identities are persistent and often have high-level privileges.
Astrix dubs this campaign a textbook example of this trend, where attackers gain a direct, trusted path to exfiltrate data and hunt for even more high-value NHIs, like cloud infrastructure keys.
Therefore, organizations must adopt proactive security measures. GTIG suggests hardening access controls by restricting Connected App scopes, searching for exposed secrets within their Salesforce data, rotating compromised credentials, checking for specific IP addresses and User-Agent strings, and enforcing IP restrictions to limit future risk.
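Two of these recommendations, searching Salesforce data for exposed secrets of the kind the attackers hunted (AWS access keys, Snowflake credentials) and restricting Connected App scopes, lend themselves to a small tool. The example below is added here and is not code from the article, GTIG, Salesforce or Astrix. The exported records are constructed (the AWS key pair is the publicly documented AWS example pair, every other value is a placeholder), the regex heuristics are the author's own rather than any vendor's detection rules, and the per-app "needed scopes" are an assumption that a team would derive from what its integration actually does; the scope names themselves are real Salesforce OAuth scope identifiers.

```python
import re

# Constructed sample of exported Salesforce records: object, record id, free-text field, value.
# Ids are placeholders; the AWS key pair is the documented AWS example pair, not a live key.
SAMPLE_RECORDS = [
    {"object": "Account", "id": "001PLACEHOLDER01", "field": "Description",
     "value": "Migration notes: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"object": "User", "id": "005PLACEHOLDER02", "field": "AboutMe",
     "value": "Warehouse: acme-xy12345.snowflakecomputing.com user=etl_svc password=Sn0wfl@ke-Placeholder"},
    {"object": "Opportunity", "id": "006PLACEHOLDER03", "field": "NextStep",
     "value": "Call back Tuesday re: renewal pricing."},
    {"object": "Opportunity", "id": "006PLACEHOLDER04", "field": "Description",
     "value": "Customer portal api_key: c0ffee12deadbeef34facefeed56cafe78baadf00d"},
]

# Heuristic patterns (assumed, not vendor rules). Each is named for what it finds.
PATTERNS = {
    # AWS access key ids have a fixed 20-character shape with a known prefix.
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A bare 40-character base64-like string; far too noisy on its own, see scan_record().
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    # A Snowflake account host followed by a password/token assignment on the same line.
    "snowflake_account_with_credential": re.compile(
        r"[a-z0-9_.-]+\.snowflakecomputing\.com.*?(password|token|pwd)\s*[=:]\s*\S+", re.I),
    # Generic "api_key: <long opaque value>" style assignments.
    "generic_api_key": re.compile(r"\b(api[_-]?key|secret|token)\b\s*[:=]\s*([A-Za-z0-9_\-]{24,})", re.I),
}


def scan_record(record):
    """Return the names of the patterns that fire on one record's text value."""
    value = record["value"]
    hits = [name for name, rx in PATTERNS.items()
            if name != "aws_secret_access_key" and rx.search(value)]
    # Only report a 40-character blob as an AWS secret when an access key id sits beside it;
    # CRM free text is full of 40-character strings that are nothing of the sort.
    if "aws_access_key_id" in hits and PATTERNS["aws_secret_access_key"].search(value):
        hits.append("aws_secret_access_key")
    return hits


def scan_records(records):
    """Return findings (object, id, field, hits) for records that carry secret-like content."""
    findings = []
    for r in records:
        hits = scan_record(r)
        if hits:
            findings.append({"object": r["object"], "id": r["id"],
                             "field": r["field"], "hits": hits})
    return findings


# Real Salesforce OAuth scope identifiers. "full" grants everything the user can do;
# refresh_token / offline_access keep the grant alive without a human present, which is
# exactly the property that let stolen tokens outlive MFA in this campaign.
BROAD_SCOPES = {"full"}
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}


def excessive_scopes(granted, needed):
    """Compare a Connected App's granted scopes with the scopes it actually needs (assumed list)."""
    granted, needed = set(granted), set(needed)
    return {
        "unneeded": sorted(granted - needed),
        "broad": sorted(granted & BROAD_SCOPES),
        "long_lived": sorted(granted & LONG_LIVED_SCOPES),
    }


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
    # Example scope review for a hypothetical sync integration that only needs the API.
    print(excessive_scopes(granted=["api", "full", "refresh_token"], needed=["api", "refresh_token"]))
```

Any record the scanner flags is a candidate for the "rotate compromised credentials" step: the secret has been sitting in a field that a bulk export can read, so it should be treated as exposed regardless of whether this campaign reached that org. The scope review is deliberately conservative; a long-lived refresh token is not wrong in itself, but an app holding one is a reason to pair it with the IP restrictions GTIG recommends.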
Jonathan Sander, Field CTO at Astrix Security, stated in a comment shared with Hackread.com that the breach was a “classic NHI attack.” He explained that attackers steal things that “humans won’t notice” and operate in the shadows to steal more and more.
“Sadly, most of the time what we see is that people don’t know what they don’t know about their NHIs,” he said, highlighting that many organizations have not even created a basic inventory of these non-human identities.
HackRead