FBI Warns: Salesforce Hackers UNC6040 & UNC6395 Targeted

September 14, 2025 Lisa Park - Tech Editor Tech

Summary of the Salesloft/Drift Data Breach & Supply Chain Attack

This text details a significant supply chain attack that affected numerous companies through compromised credentials within the Salesloft and Drift ecosystems. Here's a breakdown of the key points:

What happened:

* Initial compromise (March): Attackers gained access to Salesloft's GitHub repositories.
* Token theft: This access allowed them to steal Drift OAuth and refresh tokens.
* Salesforce breaches (August): These stolen tokens were used to breach Salesforce instances of Salesloft customers. The attackers targeted support case information.
* Data exfiltration: Attackers extracted sensitive data from support cases, including AWS keys, passwords, and Snowflake tokens. This allowed potential access to other cloud environments.
* Drift Email access: The attackers also stole Drift Email tokens, gaining access to emails for a limited number of Google Workspace accounts.
* Remediation: Salesloft revoked compromised Drift tokens and required reauthentication.

Who was impacted:

A large number of companies were affected, including:

* Directly mentioned victims: Dior, Tiffany & Co., Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik. (The list is incomplete as the text ends mid-sentence.)
* Salesloft customers: Any company using Salesloft integrated with Drift and Salesforce was possibly at risk.

Attribution:

* The activity is tracked as UNC6395.

Key Takeaways:

* Supply Chain Risk: This incident highlights the significant risk posed by vulnerabilities in third-party vendors (a supply chain attack).
* OAuth Token Security: The compromise of OAuth tokens proved to be a critical entry point for attackers.
* Support Case Data: Support case information within Salesforce contained valuable credentials that were exploited.
* Lateral Movement: The stolen credentials enabled attackers to move laterally to other cloud environments.

This was a complex and widespread attack with potentially serious consequences for the affected organizations. The incident underscores the importance of robust security practices, including strong vendor risk management, secure credential storage, and proactive monitoring for suspicious activity.
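Because the data taken from support cases included AWS keys, passwords, and tokens, one practical check is to scan exported case text for embedded credentials and redact them. The sketch below is an added example, not code from Salesloft, Salesforce, or the FBI advisory; the regular expressions are heuristic assumptions and the case records are constructed sample data.

```python
import re

# Heuristic patterns (assumptions of this example, not an exhaustive rule set).
PATTERNS = {
    # AWS access key IDs: a 4-letter prefix followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # "password: value" or "pwd=value" pasted into free text.
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # Generic "token=..." / "api_key: ..." with a long opaque value.
    "token": re.compile(r"(?i)\b(?:token|secret|api[_-]?key)\s*[:=]\s*(\S{16,})"),
}

def scan_case(case_id, text):
    """Return findings as offsets only, so the report never copies the secret."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            # Use the captured value if the pattern has a group, else the whole match.
            start, end = m.span(m.lastindex or 0)
            findings.append({"case": case_id, "kind": kind, "start": start, "end": end})
    return findings

def redact(text, findings):
    """Replace each finding with a marker, working right to left to keep offsets valid."""
    for f in sorted(findings, key=lambda f: f["start"], reverse=True):
        text = text[:f["start"]] + f"[REDACTED:{f['kind']}]" + text[f["end"]:]
    return text

def triage(cases):
    """Map case id -> list of secret kinds found; clean cases are omitted."""
    report = {}
    for case_id, text in cases.items():
        kinds = [f["kind"] for f in scan_case(case_id, text)]
        if kinds:
            report[case_id] = kinds
    return report

# Constructed sample support cases (not real data; the AWS value is AWS's documented example key).
CASES = {
    "00001": "Customer cannot sync. Their key is AKIAIOSFODNN7EXAMPLE and password: Hunter2!tmp",
    "00002": "Snowflake connector fails, token=sf_constructed_0123456789abcdef please advise",
    "00003": "User asks how to reset the dashboard layout.",
}

if __name__ == "__main__":
    for cid, kinds in triage(CASES).items():
        print(cid, kinds, "->", redact(CASES[cid], scan_case(cid, CASES[cid])))
```

Any case this flags should be treated as a credential to rotate, not only as text to redact.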
