Salesforce Surges 2.63% on $1.62B Trading Volume as UNC6395 Cyberattack Exposes Third-Party Integration Risks

Generated by AI Agent, Ainvest Market Brief
Wednesday, Aug 27, 2025 10:33 pm ET

Summary

- Salesforce (CRM) surged 2.63% on August 27 amid a $1.62B trading volume following a security breach involving Salesloft Drift integrations.

- UNC6395 attackers exploited compromised OAuth tokens to exfiltrate AWS keys, Snowflake tokens, and passwords from multiple Salesforce instances between August 8-18.

- Salesforce revoked Drift's AppExchange access while Salesloft suspended tokens, urging affected customers to reauthenticate integrations and scan for exposed secrets.

- Experts highlighted risks of third-party CRM integrations, recommending stricter access controls like limiting app permissions and IP ranges to prevent credential harvesting.

On August 27, 2025, Salesforce (CRM) rose 2.63% with a trading volume of $1.62 billion, ranking 36th in market activity. The stock’s performance followed a security incident involving compromised OAuth tokens linked to the third-party Salesloft Drift application. Google’s Threat Intelligence Group (GTIG) identified the threat actor as UNC6395, which exploited Salesloft Drift integrations to exfiltrate large volumes of data from multiple Salesforce instances between August 8 and 18. The campaign targeted sensitive credentials, including AWS access keys, Snowflake tokens, and passwords, with attackers systematically querying Salesforce objects such as Cases, Accounts, and Users to harvest secrets.

Salesloft and Salesforce responded by revoking all active tokens for the Drift application on August 20, and Salesforce removed Drift from its AppExchange pending investigation. Salesloft noted that customers without the Drift integration were unaffected and hired a third-party DFIR firm to address the breach. GTIG advised affected organizations to review logs, rotate credentials, and enforce stricter access controls, such as limiting app permissions and IP ranges. Although Google Cloud customers were not directly affected, the incident highlights ongoing risks for enterprises that rely on third-party integrations for CRM platforms.

GTIG emphasized that the breach did not stem from a Salesforce platform vulnerability but rather from compromised app connections. The threat actor demonstrated operational discipline by deleting query jobs, though logs remained intact. Experts noted the campaign’s scale and methodical execution, suggesting potential state-sponsored involvement due to its coordination and focus on non-human identities. Salesforce customers using Drift were urged to assume data compromise and take immediate remediation steps, including reauthenticating integrations and scanning for exposed secrets.
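The "scan for exposed secrets" step above is the part affected customers can automate. The following scanner, an added example that is not code from Salesforce, Salesloft or GTIG, walks exported Case records for the credential types the brief names (AWS keys, Snowflake tokens, passwords) and reports record Id, field and secret type so the owners know what to rotate. The record shape and the keyword heuristics for Snowflake tokens and passwords are assumptions; only the AWS access key ID prefix format is a published one.

```python
import re
from typing import Dict, List

# Patterns for the secret types the brief says UNC6395 harvested from
# Case/Account/User records. The AWS access key ID prefix is public;
# the other three are keyword heuristics chosen for this example (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws[_\s-]*secret[^\n]{0,20}?[A-Za-z0-9/+=]{40}"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,30}?(?:token|key)\s*[:=]\s*\S+"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Constructed sample records shaped like a Case export; every value is a fake
# (the AWS pair is the documented AWS example key, not a live credential).
SAMPLE_CASES = [
    {"Id": "500000000000001AAA", "Subject": "Deploy failing",
     "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE and "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002AAA", "Subject": "Snowflake sync",
     "Description": "Snowflake OAuth token=ver:1-hint:1234-ETMsDgAAAY please rotate"},
    {"Id": "500000000000003AAA", "Subject": "Login issue",
     "Description": "User reset password: Summer2025! and is now fine"},
    {"Id": "500000000000004AAA", "Subject": "Billing question",
     "Description": "No secrets here."},
]

def redact(match: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return match[:10] + "..."

def scan_records(records: List[Dict], object_name: str, fields: List[str]) -> List[Dict[str, str]]:
    """Return one finding per secret-looking match, keyed by record Id and field."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""          # long-text fields may be null
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"object": object_name, "id": rec["Id"], "field": field,
                                     "kind": kind, "sample": redact(m.group(0))})
    return findings

def rotation_summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per secret type, i.e. which credential stores to rotate first."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f["kind"]] = summary.get(f["kind"], 0) + 1
    return summary

if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES, "Case", ["Subject", "Description"])
    for f in results:
        print(f"{f['object']} {f['id']} {f['field']}: {f['kind']} ({f['sample']})")
    print(rotation_summary(results))
```

Pointing the scanner at a real export means adding the Account and User fields your org actually stores free text in; the hit list then doubles as the rotation checklist.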

Between August 8 and 18, UNC6395 exploited OAuth tokens from Salesloft Drift to exfiltrate data from Salesforce instances, targeting AWS keys, Snowflake tokens, and passwords. Salesloft revoked all tokens, and Salesforce removed the app from its AppExchange. Affected organizations were advised to review logs, rotate credentials, and enforce stricter access controls. The breach underscores the risks of third-party integrations in enterprise security frameworks.
