Salesforce Breaches 2025


The second half of the year came with several waves of Salesforce-related breach incidents. Starting in August, researchers linked the threat actors UNC6395/ShinyHunters to a widespread campaign that targeted Salesforce environments using compromised OAuth tokens tied to Salesloft’s Drift AI customer-engagement integration. The second wave is better described as a silent expansion: the threat actors quietly pivoted across additional Salesforce environments and connected SaaS tools. Finally, in November, a third wave surfaced in the form of a new breach involving Gainsight’s Salesforce-integrated apps, identified by unauthorized API activity originating from non-approved IPs.

First Wave

Diving deeper into the initial compromise wave in early August, the breach did not exploit a flaw in Salesforce itself; rather, it exploited a third-party integration that had broad permissions, the Drift (Salesloft) integration. The threat actors abused stolen OAuth tokens from Drift. Using automated Python tooling, the threat actor (UNC6395 per Google TAG) accessed hundreds of Salesforce customer orgs, pulling stored credentials, API keys, and sensitive CRM records. The attackers targeted credentials and other ‘secrets,’ including access keys, passwords, and cloud-service tokens (e.g., AWS, Snowflake) stored inside Salesforce. Many companies kept these sensitive secrets in their CRM, which allowed the attackers to harvest high-value data at scale through legitimate-looking API calls. Initial assessments put the number of potentially impacted organizations at around 700. The victims spanned from large enterprises to small organizations. The activity ran from August 8 to August 18, before Salesloft revoked all Drift tokens and Salesforce removed the app from AppExchange. This first wave highlighted how SaaS supply-chain integrations, not platform vulnerabilities, can create organization-wide exposure when widely trusted OAuth connections are compromised.
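A practical follow-up to this wave is to find out what secrets are sitting in your own CRM free-text fields before an integration token leaks. The script below is an added example written for this post, not tooling from Salesforce, Salesloft or any of the researchers cited; it scans a constructed list of exported records (the field names and the `500-000x` IDs are made up, and the AKIA value is the AWS documentation example key, not a live credential) for three signals: AWS access key IDs, `password=`/`token:` style assignments, and long high-entropy tokens. Findings are redacted so the report itself does not become another copy of the secret.

```python
import math
import re
from collections import Counter

# Constructed sample records standing in for exported CRM fields (e.g. case descriptions).
# The AKIA key is the AWS documentation example key; nothing here is a live credential.
SAMPLE_RECORDS = [
    {"Id": "500-0001", "Description": "Customer asked about renewal pricing for Q4."},
    {"Id": "500-0002", "Description": "Temp creds for their bucket: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500-0003", "Description": "snowflake password=Tr0ub4dor&3xyz for the svc account, please rotate"},
    {"Id": "500-0004", "Description": "Ticket escalated; no further action needed."},
]

# Free-text columns to scan; extend this with whatever text fields your export contains.
TEXT_FIELDS = ("Description",)

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so a plain regex is reliable.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # key=value or key: value assignments using common credential field names.
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*(\S+)"),
}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score well above prose."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Keep only a short prefix so findings can be triaged without re-exposing the secret."""
    return value[:keep] + "..." if len(value) > keep else "*" * len(value)


def scan_text(record_id, field, text, entropy_threshold=4.0, min_token_len=32):
    """Return a list of findings for one text field of one record."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"record_id": record_id, "field": field,
                             "kind": kind, "sample": redact(value)})
    # Generic fallback: long tokens with high entropy catch keys that have no known prefix.
    for token in re.findall(r"\S{%d,}" % min_token_len, text):
        if shannon_entropy(token) >= entropy_threshold:
            findings.append({"record_id": record_id, "field": field,
                             "kind": "high_entropy_token", "sample": redact(token)})
    return findings


def scan_records(records, fields=TEXT_FIELDS):
    """Scan every listed text field of every record and aggregate the findings."""
    findings = []
    for rec in records:
        for field in fields:
            findings.extend(scan_text(rec["Id"], field, rec.get(field) or ""))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['record_id']} {f['field']}: {f['kind']} ({f['sample']})")
```

Records flagged this way are candidates for rotating the credential and moving it into a proper secrets manager; the entropy threshold and minimum token length are tunable, and lowering them trades more noise for more recall.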

Second Wave

Following the initial phase of the Drift integration exploitation, there was a wave of residual activity. Investigators noticed continued unauthorized Salesforce API activity even after the original Drift tokens were revoked. This activity indicated that the attackers had already collected additional OAuth and connected-app tokens during the initial intrusion and were quietly reusing them across multiple customer environments. The activity blended into normal Salesforce API traffic since all the requests came through previously authorized integrations. No failed logins or behavioral anomalies were detected, which allowed the threat actors to steal CRM data without detection. This silent wave demonstrated that the exposure extended well beyond a single vendor integration and that stolen OAuth credentials provided attackers with a durable, low-visibility foothold across the broader Salesforce ecosystem.

Third Wave

In November, Salesforce disclosed another breach, this time through a separate third-party vendor, Gainsight. Attackers leveraged previously stolen OAuth tokens and app-level credentials to impersonate Gainsight’s integrations and issue legitimate-looking API requests from non-approved IP ranges. Salesforce detected the unauthorized API activity, prompting an immediate revocation of all Gainsight-related access and refresh tokens and the temporary removal of the apps from AppExchange. According to Salesforce, the same threat actors maintained covert access for weeks by abusing these OAuth relationships until anomalous API activity triggered detection. Once inside, the attackers could access the CRM data and support-case information that Gainsight apps were authorized to read, enabling broad exposure depending on each customer’s granted scopes. Public reporting estimates that more than 200 Salesforce customer organizations were affected, though the true number may be higher due to the silent pivoting that occurred in the second wave between August and November. Like the initial wave, the November breach underscored the systemic risk created when SaaS ecosystems rely on deeply privileged third-party OAuth integrations. It shows how a single compromised vendor connection can cascade across hundreds of organizations.
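The second and third waves share a detection problem: the requests arrive through integrations that are already authorized, so there are no failed logins to alert on. What does remain visible is where the calls come from, whether the app's tokens were supposed to be revoked by then, and how much data each call pulls. The script below is an added example for this post, not Salesforce's event schema or any vendor's tooling; it runs three such checks over constructed API audit events (the JSON field names, the `example.com` users, the RFC 5737 test addresses and the revocation timestamp are all assumptions made for the example) and flags calls from outside each integration's approved source ranges, any activity attributed to an integration after its revocation cut-off, and single reads above a bulk-volume threshold.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample API audit events (JSON lines). The field names are this example's own
# simplification, not Salesforce's schema; the IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2025-08-10T14:02:11Z", "app": "Drift", "user": "drift.integration@example.com", "ip": "203.0.113.7", "op": "query", "object": "Case", "rows": 200}
{"ts": "2025-08-22T03:17:45Z", "app": "Drift", "user": "drift.integration@example.com", "ip": "203.0.113.7", "op": "query", "object": "Account", "rows": 900}
{"ts": "2025-11-10T01:05:30Z", "app": "Gainsight", "user": "gs.integration@example.com", "ip": "192.0.2.44", "op": "query", "object": "Contact", "rows": 1200}
{"ts": "2025-11-10T02:40:00Z", "app": "Gainsight", "user": "gs.integration@example.com", "ip": "198.51.100.10", "op": "query", "object": "Case", "rows": 250000}
{"ts": "2025-11-10T09:12:19Z", "app": "Gainsight", "user": "gs.integration@example.com", "ip": "198.51.100.10", "op": "query", "object": "Case", "rows": 500}
"""

# Assumed per-integration policy: the source ranges each vendor app is expected to call from.
APPROVED_RANGES = {
    "Drift": [ipaddress.ip_network("203.0.113.0/24")],
    "Gainsight": [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed revocation cut-off per integration. Any call still attributed to a revoked app
# after this instant means a token the revocation did not cover is being reused.
# The timestamp is constructed for the example, not taken from an incident timeline.
REVOKED_AT = {"Drift": datetime(2025, 8, 19, tzinfo=timezone.utc)}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(log_text, approved, revoked_at, bulk_threshold=100_000):
    """Return one finding per (event, reason); events that pass every check yield nothing."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        ev = json.loads(raw)
        app = ev["app"]
        base = {"line": lineno, "app": app, "user": ev["user"], "ip": ev["ip"]}

        # An app with no policy entry at all is a finding in itself.
        if app not in approved:
            findings.append({**base, "reason": "unregistered_app"})
            continue

        # Second-wave pattern: traffic that continues after the app's tokens were revoked.
        cutoff = revoked_at.get(app)
        if cutoff is not None and parse_ts(ev["ts"]) >= cutoff:
            findings.append({**base, "reason": "post_revocation_activity"})

        # Third-wave pattern: a legitimate integration calling from an unexpected network.
        src = ipaddress.ip_address(ev["ip"])
        if not any(src in net for net in approved[app]):
            findings.append({**base, "reason": "ip_outside_approved_ranges"})

        # Mass export in a single call is unusual for a customer-engagement integration.
        if ev.get("rows", 0) >= bulk_threshold:
            findings.append({**base, "reason": "bulk_read_volume"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, APPROVED_RANGES, REVOKED_AT):
        print(f"line {f['line']}: {f['app']} via {f['ip']} -> {f['reason']}")
```

The approved ranges and revocation times are the part that needs real input: the vendor's published egress ranges for each connected app, and your own record of when each app's tokens were revoked. The volume threshold is deliberately crude; a per-app baseline built from a few weeks of normal traffic is the usual replacement.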
