2025-09-19
Security Team
Systemic Vulnerabilities in SaaS Supply Chains: An In-Depth Review of the 2025 Drift and Salesforce Breaches
Cyber Attack

In 2025, the cybersecurity community faced a watershed moment in SaaS supply chain security. A sequence of coordinated and overlapping breaches against Salesforce environments demonstrated just how fragile trust in cloud integrations has become.

The first major incident occurred in June 2025, when, as Google later confirmed, its corporate Salesforce instance was breached through a vishing-and-extortion campaign attributed to UNC6040 and UNC6240, groups affiliated with the ShinyHunters collective ("The Com"). Attackers convinced employees to authorize a malicious OAuth app (a modified Salesforce Data Loader), then used custom Python scripts to bulk export Salesforce data while hiding their activity behind VPN and Tor infrastructure. No passwords were stolen, but business contact data for thousands of SMB customers was compromised, raising compliance and trust concerns.


Only months later, in August 2025, the threat escalated to global scale through the Salesloft Drift supply chain compromise. The threat actor UNC6395 (designated GRUB1 by Cloudflare) obtained the OAuth tokens behind Drift's Salesforce integration and used them as skeleton keys: because a token is issued after the integration has already been authorized, MFA and other login-time controls never apply to its use. Data was exfiltrated from over 700 organizations worldwide. Confirmed victims include Cloudflare, Zscaler, Palo Alto Networks, Tenable, JFrog, Proofpoint, Rubrik, and Google Workspace accounts linked via Drift Email. The attackers were not content with customer contact data alone; they systematically searched Salesforce cases for secrets such as AWS keys, Snowflake tokens, and API keys, highlighting how secrets pasted into support tickets turn a CRM breach into a credential exposure.


Cloudflare's disclosure provided an unprecedented forensic timeline of the campaign: attackers enumerated objects, fingerprinted workflows, measured API limits, performed dry-run queries, and finally executed a three-minute Bulk API exfiltration of case text fields before deleting their jobs to cover their tracks. Unit 42 and Google's GTIG corroborated these findings, observing systematic exfiltration, credential hunting, and widespread abuse of Tor exit nodes.

Together, these incidents reveal a fundamental shift in attacker tradecraft: exploiting identity and trust relationships instead of infrastructure vulnerabilities; using OAuth tokens as skeleton keys that sidestep MFA and perimeter defenses; leveraging social engineering (vishing) as the first-stage intrusion vector; and exposing the risks of AI-driven SaaS integrations, where chatbots like Drift query and store enterprise data across multiple platforms.

Introduction

The SaaS ecosystem has become the backbone of enterprise operations, with Salesforce, Google Workspace, Slack, and countless other platforms powering mission-critical workflows. These tools are deeply interconnected, relying on OAuth-based integrations to automate data flows. While convenient, this architecture introduces a new attack surface: each integration is a potential supply chain backdoor.


In 2025, this risk moved from theory to reality. The Google Salesforce breach highlighted how attackers exploit the human element, using vishing calls to trick employees into authorizing rogue OAuth apps. The Salesloft Drift breach went further, showing how compromise of a single SaaS integration could cascade into hundreds of enterprises simultaneously. Cloudflare's case study revealed just how surgical and disciplined these adversaries were, executing queries in carefully sequenced phases, exfiltrating secrets in minutes, and erasing evidence.


The implications are profound. Identity, not infrastructure, is the new perimeter. OAuth tokens, not passwords, are the new skeleton keys. AI SaaS agents, not just humans, are now attack pivots. Organizations that continue to treat SaaS applications as trusted black boxes will face systemic risk. This paper unpacks the details of these campaigns.

Attack Campaigns

1. Google Salesforce Breach (June 2025 – UNC6040/UNC6240, ShinyHunters "The Com")

  • Vector: Vishing phone calls impersonating Google IT staff.
  • Execution: Convinced employees to approve malicious OAuth apps, enabling API access.
  • Tools: A modified Salesforce Data Loader presented as a legitimate OAuth app, later replaced by custom Python scripts emulating it.
  • Infrastructure: Calls routed via Mullvad VPN, exfiltration via Tor exit nodes.
  • Impact: SMB customer data including names, emails, phone numbers, and notes.
  • Attribution: UNC6040/6240, affiliates of ShinyHunters, linked to extortion and SIM-swapping collectives.

 

2. Salesloft Drift Breach (August 2025 – UNC6395/GRUB1)

  • Vector: Theft of OAuth tokens from Drift Salesforce chatbot integration.
  • Execution: Attackers enumerated objects, fingerprinted environments, then executed Bulk API queries to exfiltrate cases, accounts, opportunities, and users.
  • Impact: >700 organizations impacted. Secrets such as AWS keys, Snowflake tokens, and API keys exposed in case text fields.
  • Victims: Cloudflare, Zscaler, Palo Alto Networks, Tenable, JFrog, Proofpoint, Rubrik, Qualys, CyberArk, Tanium, SpyCloud, BeyondTrust, Bugcrowd, Google Workspace (via Drift Email), among others.
  • Attribution: UNC6395 (GRUB1). GTIG and Unit 42 confirmed focus on credential harvesting.

 

3. Cloudflare Case Study (UNC6395/GRUB1)

Cloudflare's incident reconstruction shows the phased tradecraft of UNC6395:

  • Aug 9: Reconnaissance with Trufflehog, testing leaked API tokens.
  • Aug 12: Access gained via stolen OAuth credential (Salesloft Drift). Enumerated all objects.
  • Aug 13–14: Ran schema discovery and reconnaissance queries, counted accounts/users, mapped workflows, fingerprinted environment, measured API limits.
  • Aug 16: Dry-run count of case records.
  • Aug 17: Full Bulk API exfiltration of case text fields in 3 minutes. Job deleted afterward to hide evidence.
  • Aug 20: Salesloft revoked Drift connections.
  • Aug 23: Cloudflare notified by vendors.
  • Aug 25+: Cloudflare launched IR, rotated 104 API tokens, disconnected all Salesforce integrations, notified customers.

 

Timeline of Events

Date | Event | Actor / Campaign | Notes
Mar–Jun 2025 | Salesloft GitHub compromised | UNC6395 | Pivot to Drift AWS environment and theft of OAuth tokens
Jun 2025 | Google Salesforce breached | UNC6040/UNC6240 | Vishing + OAuth abuse
Aug 8–18 | Mass Salesforce exploitation via Drift tokens | UNC6395 | Bulk API exfiltration
Aug 9 | Recon with Trufflehog | UNC6395 | Cloudflare
Aug 12–14 | Salesforce object enumeration | UNC6395 | Cloudflare
Aug 16 | Dry-run case count | UNC6395 | Cloudflare
Aug 17 | Full exfiltration + job deletion | UNC6395 | Cloudflare
Aug 20 | Drift tokens revoked globally | Vendor response (Salesloft/Salesforce) | –
Aug 23 | Notification to Cloudflare | Salesforce/Salesloft | –
Sep 2 | Cloudflare customer notifications | Cloudflare | 104 API tokens rotated

 

Confirmed Victims of the Salesforce / Drift Breaches

Company | Sector | Data Compromised / Impact
Cloudflare | Cybersecurity / Cloud | Customer contact info, Salesforce support case text fields. 104 API tokens found in case notes (rotated). Some support cases may have contained logs, credentials, or passwords.
Zscaler | Cybersecurity | Customer business contact details (names, emails, job titles), product licensing information. No infrastructure impact.
Palo Alto Networks | Cybersecurity | Salesforce CRM data: customer contacts, basic support case data. Customers who shared secrets in cases may have exposed credentials.
Tenable | Cybersecurity | Portions of customer Salesforce support data including case subject lines, descriptions, and contact info.
Qualys | Cybersecurity | Limited Salesforce CRM data. No product/service impact.
Proofpoint | Cybersecurity | Certain Salesforce tenant information accessed. No compromise of software or infrastructure.
Rubrik | Cybersecurity | Confirmed Salesforce case exposure; specific data not detailed.
BeyondTrust | Cybersecurity | Limited Salesforce CRM exposure including business contact information.
Bugcrowd | Cybersecurity | Salesforce CRM data accessed; no vulnerability data or internal systems affected.
CyberArk | Cybersecurity | Salesforce CRM data including business contacts, account metadata, summary fields. No sensitive case data accessed.
JFrog | Technology / DevOps | Salesforce support case data, including contact info. Some plain-text secrets were exposed in case descriptions.
PagerDuty | SaaS / IT Ops | Salesforce support data, including names, email addresses, and phone numbers.
Tanium | Cybersecurity | Limited Salesforce CRM data: business contacts, emails, phone numbers, location details.
SpyCloud | Cybersecurity | Salesforce CRM data (standard fields). Consumer data not believed compromised.
Google (Workspace via Drift Email integration) | Technology | A very small number of Google Workspace accounts accessed. Email data exposed via Drift Email OAuth integration. No core Google/Alphabet infrastructure affected.
Okta | Identity / Cybersecurity | Attack attempt observed but blocked. Strengthened inbound IP controls on the Drift connection prevented compromise.

 

Threat Detail

Attackers executed highly specific SOQL queries in three phases:

  • Counting objects
  • Enumerating users
  • Exfiltrating case data

This shows their intent: map, fingerprint, and then harvest credentials buried in free-text fields.

Indicators of Compromise (IOCs)

Indicator Value | Type | Description
Salesforce-Multi-Org-Fetcher/1.0 | User-Agent | Malicious tooling string
Salesforce-CLI/1.0 | User-Agent | Salesforce command-line interface abused
python-requests/2.32.4 | User-Agent | Custom Python scripts
Python/3.11 aiohttp/3.12.15 | User-Agent | Parallel API call exfiltration
208.68.36.90 | IP | DigitalOcean infrastructure
44.215.108.109 | IP | AWS infrastructure
154.41.95.2 | IP | Tor exit node
176.65.149.100 | IP | Tor exit node
179.43.159.198 | IP | Tor exit node
185.130.47.58 | IP | Tor exit node
185.207.107.130 | IP | Tor exit node
185.220.101.133 | IP | Tor exit node
185.220.101.143 | IP | Tor exit node
185.220.101.164 | IP | Tor exit node
185.220.101.167 | IP | Tor exit node
185.220.101.169 | IP | Tor exit node
185.220.101.180 | IP | Tor exit node
185.220.101.185 | IP | Tor exit node
185.220.101.33 | IP | Tor exit node
192.42.116.179 | IP | Tor exit node
192.42.116.20 | IP | Tor exit node
194.15.36.117 | IP | Tor exit node
195.47.238.178 | IP | Tor exit node
195.47.238.83 | IP | Tor exit node

Two caveats when using these values: Tor exit nodes rotate, so the IP list is a snapshot and should be supplemented with a current exit-node feed; and the python-requests and aiohttp User-Agent strings are library defaults that also appear in benign automation, so they are low-confidence on their own and should be correlated with the integration user, the query shape, and the source IP.

 

Indicators of Attack (IOAs)

  • Unauthorized OAuth app installs.
  • Abnormal SOQL queries (COUNT, describe, case dumps).
  • Bulk API 2.0 jobs run and deleted.
  • Logins from Tor/Mullvad.
  • Secrets present in case text.
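As an added example (not code from the original report or from any of the vendors named on this page), the following Python turns the IOA list above and the IOC table into a small triage routine. It runs over constructed Event-Monitoring-style records; the field names (ts, user, ip, ua, type, soql, action, job_id) are an assumption, not the real Salesforce Event Monitoring schema, and the integration user, job id and timestamps are invented. It flags the known User-Agents and IPs, COUNT() reconnaissance queries, whole-object dumps of Case text fields, and the "create Bulk API job, then delete it" sequence from the Cloudflare timeline.

```python
import re

# Indicator values taken from this page's IOC table.
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}
IOC_IPS = {"208.68.36.90", "44.215.108.109", "154.41.95.2", "185.220.101.133"}

# Reconnaissance shape: a bare COUNT() over an object.
RECON_COUNT = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+\w+", re.IGNORECASE)
CASE_TEXT_FIELDS = ("DESCRIPTION", "COMMENTS", "SUBJECT")


def is_case_text_dump(soql: str) -> bool:
    """A query that pulls free-text fields from Case with no WHERE/LIMIT,
    i.e. the whole-object dump that precedes credential harvesting."""
    s = soql.upper()
    if not re.search(r"\bFROM\s+CASE\b", s):
        return False
    selects_text = any(re.search(rf"\b{f}\b", s) for f in CASE_TEXT_FIELDS)
    return selects_text and not re.search(r"\b(WHERE|LIMIT)\b", s)


def classify_event(ev: dict) -> list:
    """Return the IOC/IOA labels that apply to one event (empty = clean)."""
    hits = []
    if ev.get("ua") in IOC_USER_AGENTS:
        hits.append("ioc-user-agent")
    if ev.get("ip") in IOC_IPS:
        hits.append("ioc-ip")
    soql = ev.get("soql") or ""
    if RECON_COUNT.match(soql):
        hits.append("recon-count-query")
    if is_case_text_dump(soql):
        hits.append("case-dump-query")
    return hits


def find_deleted_bulk_jobs(events: list) -> list:
    """Bulk API jobs created and later deleted by the same user: the
    'exfiltrate, then remove the job' pattern from the Cloudflare timeline."""
    created, deleted = {}, []
    for ev in events:
        if ev.get("type") != "BULK":
            continue
        key = (ev["user"], ev["job_id"])
        if ev["action"] == "create":
            created[key] = ev["ts"]
        elif ev["action"] == "delete" and key in created:
            deleted.append({"user": ev["user"], "job_id": ev["job_id"],
                            "created": created[key], "deleted": ev["ts"]})
    return deleted


def triage(events: list) -> dict:
    """Flagged events (with their labels) plus the deleted-job pairs."""
    flagged = [(ev["ts"], ev["user"], classify_event(ev)) for ev in events]
    flagged = [f for f in flagged if f[2]]
    return {"flagged": flagged, "deleted_bulk_jobs": find_deleted_bulk_jobs(events)}


# Constructed sample records (assumed field names, invented user/job/times;
# the IPs and User-Agents are the page's IOCs). Not real customer data.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T10:01:00Z", "user": "drift-integration", "ip": "185.220.101.133",
     "ua": "Salesforce-Multi-Org-Fetcher/1.0", "type": "API",
     "soql": "SELECT COUNT() FROM Account"},
    {"ts": "2025-08-13T11:20:00Z", "user": "drift-integration", "ip": "208.68.36.90",
     "ua": "python-requests/2.32.4", "type": "API",
     "soql": "SELECT Id, Name, Email, Profile.Name FROM User"},
    {"ts": "2025-08-16T09:00:00Z", "user": "drift-integration", "ip": "185.220.101.133",
     "ua": "Python/3.11 aiohttp/3.12.15", "type": "API",
     "soql": "SELECT COUNT() FROM Case"},
    {"ts": "2025-08-17T14:00:00Z", "user": "drift-integration", "ip": "185.220.101.133",
     "ua": "Python/3.11 aiohttp/3.12.15", "type": "BULK", "action": "create",
     "job_id": "750xx000000Abc1", "soql": "SELECT Id, Subject, Description FROM Case"},
    {"ts": "2025-08-17T14:03:00Z", "user": "drift-integration", "ip": "185.220.101.133",
     "ua": "Python/3.11 aiohttp/3.12.15", "type": "BULK", "action": "delete",
     "job_id": "750xx000000Abc1"},
    {"ts": "2025-08-17T15:00:00Z", "user": "jane@corp.example", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0", "type": "API",
     "soql": "SELECT Id, Subject FROM Case WHERE Id = '500xx000000Def2'"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for ts, user, hits in result["flagged"]:
        print(ts, user, ", ".join(hits))
    for job in result["deleted_bulk_jobs"]:
        print("bulk job created then deleted:", job)
```

The value of the sequence check is that it does not depend on IOCs at all: an integration user that creates a Bulk API query job against Case and deletes it minutes later is suspicious whatever IP it came from, which matters because Tor exit addresses change and the library User-Agents above also appear in legitimate automation.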

Strategic Analysis

  • Supply Chain Fragility: One SaaS integration (Drift) cascaded into 700+ victims.
  • OAuth as Skeleton Key: A token is a post-authorization credential, so MFA and other login-time controls never see its use; only scope, IP restrictions and token lifetime constrain it.
  • Credential Hygiene Failure: Support cases became credential vaults.
  • Social Engineering Renaissance: Vishing proved decisive at Google.
  • AI SaaS Amplification: Drift wasn’t passive—AI-driven integrations magnify risk.

Recommendations

All organizations leveraging Drift integrations with third-party platforms (including but not limited to Salesforce) should operate under the assumption that their data may be compromised. Immediate remediation steps are strongly advised.

1. Investigate for Compromise and Identify Exposed Secrets

  • Audit Integrations: Review all third-party integrations configured with your Drift instance (via Drift Admin settings).
  • Search Logs for Suspicious Activity:
    • Inspect each integrated application for the IP addresses and User-Agent strings listed in the IOC section.
    • Extend searches beyond the provided list to cover Tor exit nodes more broadly, as attackers frequently leverage Tor infrastructure.
  • Salesforce Monitoring:
    • Examine Salesforce Event Monitoring logs for anomalous actions linked to the Drift connection user.
    • Review authentication activity tied to the Drift Connected App.
    • Investigate UniqueQuery events to identify SOQL queries executed by the attacker.
    • If necessary, open a Salesforce support case to obtain exact queries used.
  • Search for Secrets in Salesforce Objects: Look for sensitive information such as:
    • AKIA patterns for AWS access key identifiers.
    • Snowflake or snowflakecomputing.com credentials.
    • Generic keywords: password, secret, key.
    • Strings referencing VPN or SSO login URLs.
  • Use Automated Tools: Run secret scanning tools (e.g., Trufflehog, GitLeaks) to identify and remediate hardcoded or leaked credentials.
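The "Search for Secrets in Salesforce Objects" step above, carried through as an added Python example (not code from the original report, and not a Salesforce or Salesloft tool). It scans exported Case records for the patterns the page lists (AKIA access key identifiers, snowflakecomputing.com hostnames, password/secret/key assignments, VPN or SSO login URLs), reports which case and field each hit sits in, and produces a redacted copy of the text. The regexes are my own and will need tuning for false positives; the sample cases are constructed, the AWS key is Amazon's documented example key, and the hostname, password and URL are invented.

```python
import re

# Patterns for the secret types the Drift actor hunted in case text.
# Categories follow this page's guidance; the exact regexes are assumptions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.IGNORECASE),
    "credential_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+", re.IGNORECASE),
    "sso_or_vpn_url": re.compile(r"https?://\S*(?:vpn|sso|okta|login)\S*", re.IGNORECASE),
}


def scan_text(text: str) -> list:
    """Return every pattern hit in one free-text field."""
    return [{"type": name, "match": m.group(0)}
            for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


def scan_cases(cases: list, fields=("Subject", "Description")) -> list:
    """Walk exported Case records (e.g. a Data Loader CSV read into dicts)
    and report which case/field holds which kind of secret."""
    return [{"case_id": case["Id"], "field": field, **hit}
            for case in cases
            for field in fields
            for hit in scan_text(case.get(field, ""))]


def redact(text: str) -> str:
    """Replace each hit with a short prefix plus a marker, so a cleaned copy
    of the case can be kept while the original is purged and the secret rotated."""
    for pat in SECRET_PATTERNS.values():
        text = pat.sub(lambda m: m.group(0)[:4] + "...[REDACTED]", text)
    return text


# Constructed sample cases; none of these values is a real credential.
CONSTRUCTED_CASES = [
    {"Id": "500xx000000Aaa1", "Subject": "Ingest failing",
     "Description": "Our collector cannot authenticate. Using AKIAIOSFODNN7EXAMPLE as in the docs."},
    {"Id": "500xx000000Aaa2", "Subject": "Snowflake sync",
     "Description": "Connection: acme-prod.snowflakecomputing.com, password=Hunter2!"},
    {"Id": "500xx000000Aaa3", "Subject": "Login question",
     "Description": "Is https://vpn.example.com/sso supposed to time out after 5 minutes?"},
    {"Id": "500xx000000Aaa4", "Subject": "Billing",
     "Description": "Please update the invoice address."},
]

if __name__ == "__main__":
    for hit in scan_cases(CONSTRUCTED_CASES):
        print(f"{hit['case_id']} {hit['field']}: {hit['type']} -> {hit['match']}")
    print(redact(CONSTRUCTED_CASES[1]["Description"]))
```

Every hit is a rotation task, not just a cleanup task: the page's timeline shows the attacker had already read these fields before anyone knew, so redacting the case text only prevents the next reader from seeing the secret. Cloudflare's 104 rotated tokens came out of exactly this kind of sweep.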

2. Revoke and Rotate Credentials

  • Revoke and rotate all API keys, credentials, and OAuth tokens associated with Drift integrations across every connected application.
  • Immediately revoke and replace any keys or secrets identified during investigation.
  • Reset user account passwords where relevant.
  • For Salesforce integrations, configure shorter session timeout values and a refresh-token expiry policy on the Connected App, so that a stolen token stops working on its own rather than only when someone notices and revokes it.

3. Harden Access Controls

  • Review and Restrict Connected App Scopes: Apply the principle of least privilege—remove broad scopes such as “full access.”
  • Enforce IP Restrictions: Within app settings, configure the “IP Relaxation” policy to “Enforce IP restrictions.”
  • Define Login IP Ranges: Set IP ranges on user profiles to restrict logins to trusted corporate networks.
  • Limit API Permissions: Remove the “API Enabled” permission from general user profiles and grant it only via controlled Permission Sets for authorized personnel.

4. Stay Updated

Additional instructions and evolving advisories are available on the Salesloft Trust Center and through Salesforce's official security advisories. Organizations should continue to monitor updates and adjust their defenses accordingly.
