When Trusted Apps Become Threat Vectors: Salesforce OAuth Breach Explained

Based on reporting from Cybersecurity Dive, August 21, 2025.

In a newly disclosed campaign attributed to threat actor UNC6395, multiple Salesforce instances were breached through the compromise of OAuth tokens used by a third-party app, Drift. The attackers exploited these trusted tokens to harvest sensitive data from connected environments—including passwords, AWS keys, and Snowflake credentials—without ever triggering traditional malware detection or authentication alerts.

This breach underscores a growing blind spot in cloud-first architectures: the misuse of trusted integrations to bypass perimeter defenses. No vulnerability existed in Salesforce itself, but the abuse of OAuth tokens granted attackers access as if they were authorized users.

Token Abuse: A Threat to Cloud and IoT-Connected Enterprises

For enterprises and the MSPs that support them, this attack highlights a recurring problem: credentials and identity tokens are becoming the most valuable keys to the kingdom.

Modern business platforms rely on a growing web of third-party connectors, especially in cloud CRMs, marketing tools, and IoT platforms. With this interconnectedness comes increased risk:

  • OAuth tokens often bypass multi-factor authentication (MFA): the MFA check happens when the token is issued, so a stolen token is accepted afterwards with no second factor, making tokens a prime target for attackers.
  • Revocation and visibility are limited. If a token is abused, many security tools fail to flag it—especially if the attacker’s actions appear similar to legitimate behavior.
  • Cloud misconfigurations multiply exposure, especially when the same credentials access multiple environments or are hardcoded into automated workflows.

This type of threat isn’t theoretical. It’s happening in real time—and it doesn’t take a zero-day exploit to cause damage.

Who’s at Risk—and What Should They Do?

According to researchers, any organization using Drift within its Salesforce environment should assume data compromise. Immediate recommendations include:

  • Revoking all API keys associated with Drift and connected third-party apps.
  • Rotating OAuth credentials and access tokens across Salesforce and any connected services.
  • Hardening access controls, including scope limitations for third-party integrations.
  • Auditing user behavior for signs of unauthorized data access or lateral movement.
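The first three recommendations above amount to a triage pass over every connected-app grant in the org. The script below is an added example (not Seceon's product code and not a Salesforce API) that takes a constructed grant inventory and assigns each grant a single action in descending severity: revoke grants belonging to the compromised integration or sitting dormant, re-issue over-broad grants with narrower scopes, rotate long-lived refresh tokens, and leave the rest alone. The scope names "full", "api" and "refresh_token" are real Salesforce OAuth scopes; the app names, users, dates and the 90-day and 180-day thresholds are assumptions for the example.

```python
"""Post-incident triage of connected-app OAuth grants.

Added example, not Seceon's or Salesforce's code. The grant records are
constructed and the policy thresholds are assumptions; the scope names
"full", "api" and "refresh_token" are real Salesforce OAuth scopes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

COMPROMISED_APPS = {"Drift"}           # integration named in the incident report
BROAD_SCOPES = {"full"}                # one stolen token exposes the whole org
PERSISTENT_SCOPES = {"refresh_token"}  # token can mint new access tokens by itself
STALE_AFTER = timedelta(days=90)       # assumed policy: unused this long -> revoke
ROTATE_AFTER = timedelta(days=180)     # assumed policy: older than this -> reissue
INCIDENT_DATE = date(2025, 8, 21)      # the day the triage is run (constructed)


@dataclass(frozen=True)
class Grant:
    """One OAuth grant: which app, acting as which user, with which scopes."""
    app: str
    user: str
    scopes: frozenset[str]
    issued: date
    last_used: date


def triage_grant(g: Grant, today: date) -> tuple[str, str]:
    """Decide what to do with one grant. Checks run in descending severity,
    so a grant gets the single most severe action that applies.

    REVOKE   - delete the token now (compromised app, or dormant token)
    RESTRICT - reissue with narrower scopes (least privilege)
    ROTATE   - reissue with the same scopes (long-lived refresh token)
    KEEP     - within policy
    """
    if g.app in COMPROMISED_APPS:
        return "REVOKE", f"{g.app} is a known-compromised integration"
    idle = (today - g.last_used).days
    if idle > STALE_AFTER.days:
        return "REVOKE", f"unused for {idle} days"
    broad = g.scopes & BROAD_SCOPES
    if broad:
        return "RESTRICT", f"over-broad scope(s) {sorted(broad)}"
    age = (today - g.issued).days
    if (g.scopes & PERSISTENT_SCOPES) and age > ROTATE_AFTER.days:
        return "ROTATE", f"refresh token issued {age} days ago"
    return "KEEP", "within policy"


def build_plan(grants, today: date) -> dict[str, list[tuple[str, str, str]]]:
    """Group grants by action so each list can be handed to the team that
    owns it (revocations first)."""
    plan: dict[str, list[tuple[str, str, str]]] = {}
    for g in grants:
        action, reason = triage_grant(g, today)
        plan.setdefault(action, []).append((g.app, g.user, reason))
    return plan


# Constructed grant inventory, as an admin might export it after the incident.
SAMPLE_GRANTS = [
    Grant("Drift", "alice@example.com", frozenset({"api", "refresh_token"}),
          date(2025, 1, 10), date(2025, 8, 20)),
    Grant("LegacyReporter", "bob@example.com", frozenset({"api"}),
          date(2024, 11, 1), date(2025, 4, 1)),
    Grant("MarketingSync", "carol@example.com", frozenset({"full", "refresh_token"}),
          date(2025, 6, 1), date(2025, 8, 21)),
    Grant("WarehouseETL", "svc-etl@example.com", frozenset({"api", "refresh_token"}),
          date(2025, 1, 15), date(2025, 8, 21)),
    Grant("ChatOps", "dave@example.com", frozenset({"api", "refresh_token"}),
          date(2025, 7, 1), date(2025, 8, 20)),
]


def sample_plan() -> dict[str, list[tuple[str, str, str]]]:
    """Run the triage over the constructed inventory."""
    return build_plan(SAMPLE_GRANTS, INCIDENT_DATE)


if __name__ == "__main__":
    for action, items in sample_plan().items():
        print(action)
        for app, user, reason in items:
            print(f"  {app:15} {user:22} {reason}")
```

The ordering of the checks is the design point: a grant for the compromised app is revoked regardless of how recently it was used, because "recently used" is exactly what an abused token looks like, and a dormant token is revoked rather than rotated because nothing legitimate will miss it.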

This isn’t just a technical issue—it’s a governance challenge. Enterprises must consider how to secure cloud-native identity infrastructure as stringently as they protect network perimeters.

The Bigger Picture: Identity and Automation in the SOC

As threats increasingly bypass traditional defenses, Security Operations Centers (SOCs) are under pressure to evolve. Manual investigation of token misuse is time-consuming and often too slow to stop real damage.

That’s why organizations are looking toward:

  • AI-driven SOC automation to detect behavioral anomalies tied to tokens or app activity.
  • Cloud and IoT security platforms that can parse context from cloud logs, OAuth behaviors, and application data—not just endpoint alerts.
  • Cost-effective cybersecurity solutions that reduce analyst workload through automated detection, alert triage, and response orchestration.
  • Compliance reporting capabilities that ensure security posture aligns with HIPAA, PCI-DSS, CMMC, and NIST requirements—especially important if credentials tied to sensitive systems are affected.
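The first two bullets describe behavioral detection over cloud logs rather than endpoint alerts, and the "Auditing user behavior" recommendation earlier on the page asks for the same thing. The following is an added example, not Seceon's detection logic, of what that looks like in its simplest form: learn each connected app's normal objects and hourly row volume from a baseline window, then flag post-cutoff activity that touches objects the app never queried before or pulls many times its historical peak in a single hour. The log lines are constructed and their columns are only loosely modeled on Salesforce Event Monitoring API events (an assumption; adapt the parser to your own export), and the cutoff date and spike factor are assumptions as well.

```python
"""Behavioral detection of OAuth-token abuse from API event logs.

Added example, not Seceon's or Salesforce's code. The log lines are
constructed and the column layout is an assumption loosely modeled on
Salesforce Event Monitoring API events; adapt parse_events() to the
fields your platform actually exports.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample: a week of modest Drift activity on Lead/Contact, a
# separate ETL app with its own (larger) normal volume, then an early-morning
# bulk pull by the Drift token against objects it never touched before.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-08-01T09:00:00Z,integration@example.com,Drift,Lead,180
2025-08-01T09:30:00Z,integration@example.com,Drift,Contact,140
2025-08-02T09:00:00Z,integration@example.com,Drift,Lead,200
2025-08-02T09:30:00Z,integration@example.com,Drift,Contact,160
2025-08-03T09:00:00Z,integration@example.com,Drift,Lead,190
2025-08-03T09:30:00Z,integration@example.com,Drift,Contact,150
2025-08-04T14:00:00Z,etl@example.com,WarehouseSync,Opportunity,3000
2025-08-08T03:00:00Z,integration@example.com,Drift,Case,52000
2025-08-08T03:10:00Z,integration@example.com,Drift,Account,18000
2025-08-08T03:20:00Z,integration@example.com,Drift,Contact,9000
2025-08-08T14:00:00Z,etl@example.com,WarehouseSync,Opportunity,3100
"""
CUTOFF = datetime(2025, 8, 8)  # assumed: events before this train the baseline
SPIKE_FACTOR = 5               # assumed: hourly volume above 5x the peak is a spike


@dataclass(frozen=True)
class Alert:
    kind: str    # NEW_CLIENT, NEW_ENTITY or SPIKE
    client: str  # the connected app (i.e. the token) that produced the activity
    detail: str


def parse_events(text: str) -> list[dict]:
    """Turn the CSV export into typed records."""
    events = []
    for r in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["USER_NAME"],
            "client": r["CLIENT_NAME"],
            "entity": r["ENTITY_NAME"],
            "rows": int(r["ROWS_PROCESSED"]),
        })
    return events


def _hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events: list[dict], cutoff: datetime) -> dict[str, dict]:
    """Per connected app: the set of objects it normally reads and its peak
    rows returned in any one hour, learned from events before the cutoff."""
    base: dict[str, dict] = {}
    hourly: dict[tuple[str, datetime], int] = defaultdict(int)
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base.setdefault(e["client"], {"entities": set(), "peak_rows_per_hour": 0})
        b["entities"].add(e["entity"])
        hourly[(e["client"], _hour(e["ts"]))] += e["rows"]
    for (client, _), rows in hourly.items():
        base[client]["peak_rows_per_hour"] = max(base[client]["peak_rows_per_hour"], rows)
    return base


def detect(events: list[dict], baseline: dict[str, dict], cutoff: datetime,
           spike_factor: int = SPIKE_FACTOR) -> list[Alert]:
    """Compare post-cutoff activity with the baseline. Object-level
    deviations are reported per event (deduplicated); volume deviations are
    reported per (client, hour) bucket after all events are summed."""
    alerts: list[Alert] = []
    seen_new: set[tuple[str, str]] = set()
    hourly: dict[tuple[str, datetime], int] = defaultdict(int)
    for e in events:
        if e["ts"] < cutoff:
            continue
        b = baseline.get(e["client"])
        if b is None:
            alerts.append(Alert("NEW_CLIENT", e["client"], f"no activity before {cutoff:%Y-%m-%d}"))
            continue
        key = (e["client"], e["entity"])
        if e["entity"] not in b["entities"] and key not in seen_new:
            seen_new.add(key)
            alerts.append(Alert("NEW_ENTITY", e["client"],
                                f"{e['entity']} never read before; {e['rows']} rows at {e['ts']:%H:%M}"))
        hourly[(e["client"], _hour(e["ts"]))] += e["rows"]
    for (client, hour), rows in sorted(hourly.items()):
        peak = baseline[client]["peak_rows_per_hour"]
        if rows > spike_factor * max(peak, 1):
            alerts.append(Alert("SPIKE", client,
                                f"{rows} rows in hour starting {hour:%Y-%m-%d %H:00}; "
                                f"baseline peak {peak} rows/hour"))
    return alerts


def run_sample() -> list[Alert]:
    events = parse_events(SAMPLE_LOG)
    return detect(events, build_baseline(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:10} {a.client:14} {a.detail}")
```

Keying the baseline on the connected app rather than the user is deliberate: the token, not the human, is the identity that was abused, and the user it acts as looks entirely legitimate in a login-centric view. Real deployments would add per-weekday or per-hour-of-day baselines and a list of credential-bearing objects that warrant an alert at any volume, but the shape stays the same.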

Final Thoughts: Cloud Identity Is the New Front Line

The Salesforce-Drift token breach is a cautionary tale. Even platforms built with strong security can be compromised when identity sprawl, integration risk, and limited token visibility go unchecked.

For enterprises and MSPs alike, the lesson is clear: identity protection must become a central pillar of cybersecurity strategy.

At Seceon, we’re focused on delivering a platform that does just that—offering behavioral analytics, automated threat detection, and real-time response across cloud, identity, and network domains. Because stopping tomorrow’s attacks means seeing what traditional tools miss today.

Let’s make sure your trusted connections stay that way.
