
FBI Warns: Salesforce Hackers UNC6040 & UNC6395 Targeted

September 14, 2025 Lisa Park Tech
Original source: bleepingcomputer.com

Summary of the Salesloft/Drift Data Breach & Supply Chain Attack

This text details a significant supply chain attack that affected numerous companies through compromised credentials within the Salesloft and Drift ecosystems. Here’s a breakdown of the key data:

What happened:

* Initial compromise (March): Attackers gained access to Salesloft’s GitHub repositories.
* Token theft: This access allowed them to steal Drift OAuth and refresh tokens.
* Salesforce breaches (August): These stolen tokens were used to breach Salesforce instances of Salesloft customers. The attackers targeted support case information.
* Data exfiltration: Attackers extracted sensitive data from support cases, including AWS keys, passwords, and Snowflake tokens. This allowed potential access to other cloud environments.
* Drift Email access: The attackers also stole Drift Email tokens, gaining access to emails for a limited number of Google Workspace accounts.
* Remediation: Salesloft revoked compromised Drift tokens and required reauthentication.

Who was impacted:

A large number of companies were affected, including:

* Directly mentioned victims: Dior, Tiffany & Co., Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik. (The list is incomplete, as the text ends mid-sentence.)
* Salesloft customers: Any company using Salesloft integrated with Drift and Salesforce was possibly at risk.

Attribution:

* The activity is tracked as UNC6395.

Key Takeaways:

* Supply Chain Risk: This incident highlights the significant risk posed by vulnerabilities in third-party vendors (a supply chain attack).
* OAuth Token Security: The compromise of OAuth tokens proved to be a critical entry point for attackers.
* Support Case Data: Support case information within Salesforce contained valuable credentials that were exploited.
* Lateral Movement: The stolen credentials enabled attackers to move laterally to other cloud environments.

This was a complex and widespread attack with potentially serious consequences for the affected organizations. The incident underscores the importance of robust security practices, including strong vendor risk management, secure credential storage, and proactive monitoring for suspicious activity.
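
The support-case takeaway above points to an audit defenders can run on their own exported case text to find credentials that need rotating. The following is an added example, not code from the original article or from Salesloft or Salesforce; the regex heuristics, function names, and sample cases are assumptions constructed for illustration.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not from the article).
PATTERNS = {
    # AWS access key IDs: long-term (AKIA) and temporary (ASIA) prefixes.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # "password: value" or "pwd=value" pasted into a case body.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    # Generic "token=..." style assignments, e.g. a pasted Snowflake token.
    "token_or_secret_assignment": re.compile(
        r"(?i)\b(?:token|secret|api[_-]?key)\s*[:=]\s*(\S{16,})"),
}

# Constructed support-case bodies (not real data). The AWS value is the
# placeholder key ID used in AWS documentation.
SAMPLE_CASES = {
    "CASE-0001": "Customer cannot log in after SSO change. Asked to retry.",
    "CASE-0002": "Pasting our key so you can reproduce: AKIAIOSFODNN7EXAMPLE\n"
                 "password: Sup3rS3cret!x",
    "CASE-0003": "Loader fails on our Snowflake account, "
                 "token=abcd1234efgh5678ijkl9012",
}

def redact(value):
    """Keep a 4-character prefix so the report does not re-expose the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_case(case_id, text):
    """Return one finding per pattern match in a single case body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Use the captured value if the pattern has a group, else the match.
            secret = m.group(m.lastindex or 0)
            findings.append({"case": case_id, "kind": kind,
                             "match": redact(secret)})
    return findings

def scan_cases(cases):
    """Scan a mapping of case id -> body text and return all findings."""
    report = []
    for case_id, text in cases.items():
        report.extend(scan_case(case_id, text))
    return report

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Each finding identifies a case whose embedded credential should be rotated and removed from the case record; the patterns are deliberately broad and will need tuning against real case data.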
