Salesforce-Drift Breach Shows SaaS Platforms Are ‘High-Value Targets,’ A Head Hacker Says

Organizations need to change their security perspective about SaaS platforms, he urges.

Salesforce customer instances were targeted in a “widespread” data theft attack, from around Aug. 8 to Aug. 18.

The security alert came from the Google Threat Intelligence Group (GTIG) via a post on Tuesday. The threat actor, known as “UNC6395,” “exported large volumes of data from numerous corporate Salesforce instances,” with the primary motive being to steal credentials, GTIG said.

The hack was carried out through compromised OAuth tokens used for access to the Salesloft Drift third-party application. Salesforce integrates with Drift.

In response, Salesforce and Drift revoked all access and refresh tokens for the compromised app, notified affected customers, and are conducting an investigation, both companies said in an online post on Tuesday.

One ethical hacker weighed in on the breach, noting that organizations need to change their security perspective about SaaS platforms.

“Organizations need to start treating SaaS platforms like Salesforce, Drift, Salesloft, and Workday as high-value targets,” said Matt Mullins, head hacker at Reveal Security, in an email shared with MES Computing.

If organizations are not seeing their SaaS systems as high value, cybercriminals certainly are, Mullins said.

“It’s not just CRM records at risk; it’s the pricing data, customer contacts, employee PII, AWS keys, even Snowflake tokens that can be leveraged to escalate further. Defenders need visibility into what’s happening after authentication — into the normal-looking API calls and data transfers — because that’s where the real game is being played now,” he said.

Although deemed by GTIG as a “widespread” attack, Salesforce said the incident only affected “a small number of customers’ orgs data via the app's connection to Salesforce,” in its official statement on the breach it shared with MES Computing.

Whatever its reach, Mullins said that the tools used in the breach were, in his estimation, surprisingly simple.

“The reporting shows the attackers exfiltrated data from numerous corporate Salesforce instances. To me, that suggests they may have tapped into something deeper on the backend where credentials and tokens were bouncing around in ways defenders couldn’t see. And once they were in, they didn’t use flashy malware or custom tooling. The user agent strings were clean, the chain of activity looked normal, and they stuck to ‘live off the land’ tools,” Mullins said.

Salesforce has stated that the incident “did not stem from a vulnerability within the core Salesforce platform.”

GTIG offers remediation guidance for affected organizations, including directions on how to investigate for this compromise. It also advised rotating credentials and hardening access controls.
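Mullins' point about post-authentication visibility and GTIG's advice to investigate both come down, on the defender's side, to knowing what each connected app normally reads and noticing when that changes: which objects it touches, and how many rows it pulls. The Python below is an added illustration, not code from the article, GTIG, Salesforce or Salesloft. It assumes a simplified, constructed API-access log with one JSON record per line; the field names (`app`, `user`, `object`, `rows`) are invented for the example and do not correspond to any real Salesforce event schema, and the threshold of five times the largest baseline pull is an arbitrary starting point.

```python
"""Flag anomalous bulk data pulls by a third-party connected app.

Added example (not code from the article or the vendors it mentions).
Assumes a constructed, simplified API-access log; field names are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Alert when a single pull exceeds this multiple of the app's largest
# baseline pull. Arbitrary starting value; tune against your own history.
VOLUME_FACTOR = 5

# Constructed sample log. The "drift-integration" app normally reads a few
# hundred Contact and Lead rows per hour; in the evaluation window it pulls
# tens of thousands of rows, including objects it never touched before.
SAMPLE_LOG = """\
{"ts": "2025-08-07T09:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Contact", "rows": 240}
{"ts": "2025-08-07T10:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Contact", "rows": 310}
{"ts": "2025-08-07T11:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Lead", "rows": 180}
{"ts": "2025-08-08T09:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Contact", "rows": 260}
{"ts": "2025-08-08T10:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Lead", "rows": 200}
{"ts": "2025-08-09T02:13:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Contact", "rows": 48000}
{"ts": "2025-08-09T02:20:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Case", "rows": 15500}
{"ts": "2025-08-09T02:25:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Account", "rows": 12000}
{"ts": "2025-08-09T09:00:00Z", "app": "drift-integration", "user": "int.user@example.test", "object": "Contact", "rows": 280}
{"ts": "2025-08-09T09:30:00Z", "app": "reporting-bi", "user": "bi.svc@example.test", "object": "Opportunity", "rows": 5000}
"""

# Records before this instant form the baseline; records at or after it are evaluated.
BASELINE_END = datetime(2025, 8, 9, tzinfo=timezone.utc)


def parse_log(text):
    """Parse one JSON record per line, converting the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def build_baseline(records, baseline_end):
    """Per connected app: the objects it normally reads and its largest single pull."""
    objects = defaultdict(set)
    max_rows = defaultdict(int)
    for rec in records:
        if rec["ts"] < baseline_end:
            objects[rec["app"]].add(rec["object"])
            max_rows[rec["app"]] = max(max_rows[rec["app"]], rec["rows"])
    return objects, max_rows


def detect(records, baseline_end, factor=VOLUME_FACTOR):
    """Return one alert per evaluated record that departs from its app's baseline.

    Reasons: "no_baseline" (app never seen before), "new_object" (object the
    app had not read before), "volume" (pull larger than factor x baseline max).
    """
    objects, max_rows = build_baseline(records, baseline_end)
    alerts = []
    for rec in records:
        if rec["ts"] < baseline_end:
            continue
        reasons = []
        if rec["app"] not in max_rows:
            reasons.append("no_baseline")
        else:
            if rec["object"] not in objects[rec["app"]]:
                reasons.append("new_object")
            if rec["rows"] > factor * max_rows[rec["app"]]:
                reasons.append("volume")
        if reasons:
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "app": rec["app"],
                "user": rec["user"],
                "object": rec["object"],
                "rows": rec["rows"],
                "reasons": reasons,
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the three early-morning pulls are flagged (the first on volume alone, the Case and Account reads on both volume and a never-before-seen object), the normal 280-row Contact read passes, and the previously unseen `reporting-bi` app is surfaced as having no baseline at all. A real deployment would key the baseline on the OAuth client identity rather than a display name, since that is what a stolen token carries, and would keep enough history for the baseline to cover legitimate periodic jobs.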