https://nearlyright.com/feed 30 September
Hackers breach more than 700 companies through a Salesforce integration point
Between 8 and 18 August 2025, the Chinese hacking group UNC6395 compromised more than 700 companies by abusing OAuth tokens issued to the Salesloft Drift platform, gaining direct access to the victims' Salesforce databases and stealing sensitive data including Amazon Web Services access keys, Snowflake credentials, VPN passwords and customer records. The attack exposed a security gap in modern enterprise software integrations: corporate security systems have a blind spot when it comes to access that is technically legitimate.

🔍 UNC6395 abused OAuth tokens belonging to the Salesloft Drift platform to compromise more than 700 companies through a single integration point, accessing their Salesforce databases directly and stealing sensitive data such as AWS access keys, Snowflake credentials, VPN passwords and customer data.

🔑 The attackers used the OAuth tokens as persistent credentials that sidestepped multi-factor authentication and security alerts, systematically extracting data from the targets over ten days without the companies' security monitoring detecting anything unusual.

🌐 Drift's integration with Salesforce made it a pivot point for the attackers; Drift also connects to 58 other business applications, including CRM, analytics, marketing automation and sales tools, which exposes the attack surface of modern enterprise software.

🔒 The attackers operated with a high degree of professionalism: reconnaissance queries followed by precise extraction, taking only the credentials they needed rather than bulk data, and deleting query jobs to cover their tracks, showing familiarity with enterprise audit systems.

📈 The incident highlights the risk posed by non-human identities such as OAuth tokens in modern security. These credentials are usually poorly monitored and provide round-the-clock access, which increases long-term risk, and traditional security models struggle with the complexity of such distributed application ecosystems.

Chinese hackers breach 700+ companies through single Salesforce integration point

UNC6395's systematic exploitation of Salesloft Drift OAuth tokens reveals dangerous vulnerabilities in enterprise third-party integrations

In ten days, Chinese hackers did what most cybercriminals can only dream of: they breached over 700 companies without attacking a single one directly.

Between August 8 and 18, 2025, the threat group tracked as UNC6395 pulled off what security researchers are calling the year's most audacious supply chain attack. (Google's Threat Intelligence Group, which assigned the UNC6395 designation, did not publicly attribute the group to any state in its advisories.) They didn't waste time infiltrating individual corporate networks or crafting elaborate phishing campaigns. Instead, they found something far more valuable: a single compromised integration point that gave them keys to hundreds of enterprise kingdoms simultaneously.

The target was Salesloft's Drift platform, an AI chat agent that helps sales teams convert website visitors into leads. The prize was the OAuth tokens that unlocked direct access to victims' Salesforce databases, packed with the crown jewels of corporate espionage: Amazon Web Services access keys, Snowflake credentials, VPN passwords, and customer data spanning industries from technology to finance.

This wasn't a smash-and-grab operation. UNC6395 demonstrated surgical precision, systematically cataloguing each victim's data before extracting exactly what they needed. They understood enterprise security systems well enough to cover their tracks while leaving just enough evidence for investigators to piece together the scale of their success weeks later.

The implications extend far beyond the immediate victims. This attack exposes a fundamental flaw in how modern businesses think about cybersecurity—and suggests that the convenience driving enterprise software adoption has created vulnerabilities that most security teams don't even know exist.

How one integration became 700 backdoors

UNC6395's breakthrough came from recognising a basic truth about modern enterprise software: everything connects to everything else.

Salesloft Drift wasn't just a chat widget. Once integrated with a company's Salesforce instance, it became a trusted insider with persistent access to customer records, sales pipelines, and support cases. The integration relied on OAuth tokens—digital credentials designed to eliminate password sharing between applications while maintaining security.

These tokens behave like keys that never seem to expire. Strictly, an OAuth access token is short-lived, but the refresh token the app receives when an administrator authorises it lets the app mint a fresh access token whenever it likes, so the integration stays "always authenticated" until someone revokes that refresh token. Unlike human users who log in and out, the app never has to authenticate again. That seamless access is what makes SaaS integrations productive and user-friendly; UNC6395 turned it into their greatest weapon.

Once they held Drift's OAuth tokens, the attackers could walk into victim organisations' Salesforce environments without triggering multi-factor authentication (MFA is enforced when a human authorises the app, not when the app presents its token), security alerts, or most monitoring systems. To enterprise security infrastructure, UNC6395's systematic data harvesting looked like the Drift integration going about its normal business.

The hackers demonstrated a methodical approach that would impress any database administrator. They began each intrusion with reconnaissance queries, simple SOQL such as "SELECT COUNT() FROM User", to measure the size of the target before diving deeper. Then came the extractions, pulling user profiles, case histories, and account information through Salesforce's Bulk API query jobs, with the results combed for embedded credentials.

Their shopping list was precise: AWS access keys beginning with "AKIA", Snowflake database credentials, and anything containing the words "password", "secret", or "key". They weren't interested in bulk data theft for its own sake; they wanted the specific credentials that would unlock additional systems across their victims' infrastructure.

The expanding attack surface

What began as a Salesforce-focused incident rapidly evolved into something far more concerning. On August 28, Google's investigation revealed that UNC6395 had also compromised Drift's email integration tokens, providing access to Google Workspace accounts for organisations using that connection.

Austin Larsen from Google's Threat Intelligence Group delivered the sobering update, "The scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations."

This expansion illuminated the true scope of modern enterprise attack surfaces. Salesloft Drift doesn't just connect to Salesforce—it integrates with 58 different business applications spanning customer relationship management, analytics, marketing automation, and sales tools. Each integration potentially offered UNC6395 additional pathways into victim networks.

The attackers' infrastructure revealed careful operational planning. They mixed legitimate cloud hosting from AWS and DigitalOcean with Tor exit nodes for anonymity. Their tooling announced itself with innocuous User-Agent strings such as "Salesforce-Multi-Org-Fetcher/1.0", identifiers that blend into enterprise API traffic while enabling systematic data collection across hundreds of targets, and that are, in hindsight, exactly the kind of string a defender can hunt for in API logs.

Most disturbing was their operational security discipline. UNC6395 routinely deleted the Bulk API query jobs once an extraction finished, a sign they knew Salesforce administrators look at job history. Deleting a job removes it from the job list, but not from Salesforce's event logs of the API calls themselves, which is why investigators could still reconstruct the activity weeks later. They understood enterprise logging systems better than many enterprises understand them themselves.

The ten-day blindness

The most unsettling aspect of this breach isn't the initial compromise—it's how long sophisticated enterprise security systems remained oblivious to systematic data theft happening through legitimate channels.

For over ten days, UNC6395 extracted sensitive data from hundreds of organisations while security monitoring systems detected nothing unusual. The attackers exploited a fundamental blindspot in enterprise cybersecurity: the assumption that authenticated access equals legitimate access.

Traditional security monitoring excels at detecting unauthorised entry attempts, unusual login patterns, and malware signatures. UNC6395's approach—using legitimate OAuth tokens to conduct apparently normal database queries—fell completely below the radar of most alerting systems.
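The behaviour described in the two sections above (a run of COUNT() queries to size the org, an unfamiliar client string such as "Salesforce-Multi-Org-Fetcher/1.0", traffic from networks the vendor does not use, and query jobs deleted soon after they ran) is exactly what a defender can look for in Salesforce API logs, because "authenticated" does not have to mean "unexamined". The following is an added example, not code from the article or from Salesforce, Salesloft or Google: a small rule set run over constructed log records. The record field names, the integration user, the expected client string "Drift-Salesforce-Connector/2.3" and the IP ranges are assumptions made for the example.

```python
"""Rules-based review of API activity by a token-based integration user.

Added example, not tooling from the article, Salesforce, Salesloft or
Google. The record fields (ts, user, client, src_ip, op, query, job_id)
are assumptions loosely modelled on Salesforce Event Monitoring data, and
the sample events, principal name, client strings and IP ranges below are
constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline for the integration principal: the client identifier
# and egress network the vendor is expected to use. In practice this is
# learned from historical logs or taken from the vendor's documentation.
BASELINE = {
    "drift.integration@example.com": {
        "clients": {"Drift-Salesforce-Connector/2.3"},           # assumed name
        "egress": [ipaddress.ip_network("198.51.100.0/24")],  # documentation range
    },
}

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
RECON_OBJECTS = 3                    # COUNT() over this many objects = sizing the target
DELETE_WINDOW = timedelta(minutes=30)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review(events):
    """Return deduplicated (rule, principal, detail) findings, in log order."""
    findings, seen = [], set()
    counted = defaultdict(set)   # principal -> objects it has sized with COUNT()
    created = {}                 # (principal, job_id) -> bulk job creation time

    def flag(rule, who, detail):
        key = (rule, who, str(detail))
        if key not in seen:
            seen.add(key)
            findings.append((rule, who, detail))

    for e in sorted(events, key=lambda x: x["ts"]):
        who = e["user"]
        base = BASELINE.get(who)
        if base is None:
            continue  # human users need different rules; out of scope here

        # Rule 1: a token-based principal should always present the same client.
        if e.get("client") and e["client"] not in base["clients"]:
            flag("unexpected-client", who, e["client"])

        # Rule 2: ...and should come from the vendor's known networks.
        ip = ipaddress.ip_address(e["src_ip"])
        if not any(ip in net for net in base["egress"]):
            flag("unexpected-source", who, e["src_ip"])

        # Rule 3: COUNT() across several objects is sizing reconnaissance,
        # not something a chat widget does in normal operation.
        m = COUNT_RE.match(e.get("query", ""))
        if m:
            counted[who].add(m.group(1).lower())
            if len(counted[who]) == RECON_OBJECTS:
                flag("recon-count", who, sorted(counted[who]))

        # Rule 4: a bulk query job deleted soon after creation suggests
        # someone tidying up after an extraction.
        if e["op"] == "BulkJobCreate":
            created[(who, e["job_id"])] = _ts(e["ts"])
        elif e["op"] == "BulkJobDelete":
            t0 = created.get((who, e["job_id"]))
            if t0 is not None and _ts(e["ts"]) - t0 <= DELETE_WINDOW:
                flag("bulk-job-scrubbed", who, e["job_id"])
    return findings


# Constructed sample log: one normal connector call, then a session that
# follows the reconnaissance-then-extraction pattern described in the text.
EVENTS = [
    {"ts": "2025-08-09T01:00:00Z", "user": "drift.integration@example.com",
     "client": "Drift-Salesforce-Connector/2.3", "src_ip": "198.51.100.7",
     "op": "Query", "query": "SELECT Id, Email FROM Lead WHERE Email = 'x@example.org'"},
    {"ts": "2025-08-09T02:10:00Z", "user": "drift.integration@example.com",
     "client": "Salesforce-Multi-Org-Fetcher/1.0", "src_ip": "203.0.113.10",
     "op": "Query", "query": "SELECT COUNT() FROM User"},
    {"ts": "2025-08-09T02:11:00Z", "user": "drift.integration@example.com",
     "client": "Salesforce-Multi-Org-Fetcher/1.0", "src_ip": "203.0.113.10",
     "op": "Query", "query": "SELECT COUNT() FROM Account"},
    {"ts": "2025-08-09T02:12:00Z", "user": "drift.integration@example.com",
     "client": "Salesforce-Multi-Org-Fetcher/1.0", "src_ip": "203.0.113.10",
     "op": "Query", "query": "SELECT COUNT() FROM Case"},
    {"ts": "2025-08-09T02:20:00Z", "user": "drift.integration@example.com",
     "client": "Salesforce-Multi-Org-Fetcher/1.0", "src_ip": "203.0.113.10",
     "op": "BulkJobCreate", "job_id": "750-example-0001",
     "query": "SELECT Id, Subject, Description FROM Case"},
    {"ts": "2025-08-09T02:35:00Z", "user": "drift.integration@example.com",
     "client": "Salesforce-Multi-Org-Fetcher/1.0", "src_ip": "203.0.113.10",
     "op": "BulkJobDelete", "job_id": "750-example-0001"},
]

if __name__ == "__main__":
    for rule, who, detail in review(EVENTS):
        print(f"{rule:20} {who}  {detail}")
```

None of the four rules needs a signature for UNC6395 specifically; they key off the fact that a connected app is a machine with a fixed client, fixed networks and a narrow, repetitive query profile, so any deviation is worth a ticket even when the token itself is valid. Rules 1 and 2 alone would have fired on the first request from the attackers' infrastructure.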

This visibility gap reflects deeper challenges in protecting distributed enterprise environments. When critical business data flows through dozens of interconnected applications, each with its own authentication mechanisms and access patterns, distinguishing malicious activity from legitimate automation becomes nearly impossible.

Chad Knipschild from security vendor AppOmni captured the strategic implications, "The lateral movement is made possible by the abuse of admin OAuth tokens from lesser-known SaaS apps to compromise business-critical applications."

The delayed discovery wasn't due to poor security practices at individual organisations. Companies like Zscaler, a cybersecurity firm that confirmed its own compromise in this campaign, maintain sophisticated threat detection capabilities. The problem was architectural: OAuth-based integrations create trusted pathways that bypass many of the controls designed to detect unauthorised access.

When response reveals the problem

The coordinated response to UNC6395's campaign exposed just how complex modern enterprise security has become. On August 20, Salesloft and Salesforce revoked all active Drift OAuth tokens and removed the application from Salesforce's AppExchange marketplace. Google similarly disabled compromised integrations and revoked affected tokens.

But the remediation process revealed the true scope of the challenge facing enterprise security teams. Google's advisory read like a forensic manual: search Salesforce objects for AWS access key patterns, examine authentication logs spanning multiple platforms, deploy credential-scanning tools across entire data repositories, and manually review third-party application permissions.
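One way to carry out the first of those steps, searching Salesforce data for the same indicators the attackers hunted for earlier in the article (AWS keys beginning with "AKIA", Snowflake hostnames, and password/secret/key strings), as an added example that is not the article's, Google's or Salesforce's code. It scans a constructed export of records; the record format, the regular expressions and the extra "ASIA" prefix for temporary AWS credentials are assumptions made for the example.

```python
"""Scan exported Salesforce records for credentials that should not be
stored there. Added example, not the article's or Google's tooling. The
record shape (object, id, fields) and the sample records are constructed
for this example; the AKIA prefix, Snowflake hostnames and the
password/secret/key keywords are the indicators the article names.
"""
import re

# AKIA = long-term AWS access key ID (named in the article);
# ASIA = temporary credential from STS, added here as an assumption.
AWS_ACCESS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Snowflake account hostnames embed the account locator, so a hostname
# alone already tells an attacker where to point stolen credentials.
SNOWFLAKE_HOST = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.snowflakecomputing\.com\b", re.I)
# A credential keyword only counts when it is followed by an assignment
# separator and a value of at least 8 characters, so that prose such as
# "cannot reset their password" does not fire. Group 2 is the value.
CREDENTIAL_ASSIGN = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|private[_-]?key|key|token)"
    r"\s*[:=]\s*['\"]?([^\s'\",;]{8,})",
    re.I,
)

PATTERNS = [
    ("aws-access-key", AWS_ACCESS_KEY, 0),
    ("snowflake-host", SNOWFLAKE_HOST, 0),
    ("credential-assignment", CREDENTIAL_ASSIGN, 2),
]


def _preview(value):
    """Show enough to triage, not enough to reuse the secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan(records):
    """Return one finding per match: object, record id, field, kind, preview."""
    findings = []
    for rec in records:
        for field, text in rec["fields"].items():
            if not isinstance(text, str):
                continue
            for kind, pattern, group in PATTERNS:
                for m in pattern.finditer(text):
                    findings.append({
                        "object": rec["object"], "id": rec["id"], "field": field,
                        "kind": kind, "preview": _preview(m.group(group)),
                    })
    return findings


def summarize(findings):
    """Count findings per (object, kind): the start of the rotation to-do list."""
    counts = {}
    for f in findings:
        key = (f["object"], f["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample export. AKIAIOSFODNN7EXAMPLE and the matching secret
# are the placeholder values from AWS's own documentation, not live keys.
RECORDS = [
    {"object": "Case", "id": "500000000000001", "fields": {
        "Subject": "S3 upload failing",
        "Description": "Tried AKIAIOSFODNN7EXAMPLE secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403"}},
    {"object": "Case", "id": "500000000000002", "fields": {
        "Description": "Customer cannot reset their password from the portal"}},
    {"object": "Account", "id": "001000000000001", "fields": {
        "Description": "warehouse acme-prod.snowflakecomputing.com user=etl_svc password=Sn0wf1ake!2025"}},
    {"object": "ContentNote", "id": "069000000000001", "fields": {
        "Content": "VPN gateway vpn.example.net, key=R3m0teAcc3ss-2025"}},
]

if __name__ == "__main__":
    hits = scan(RECORDS)
    for h in hits:
        print(h)
    print(summarize(hits))
```

The second Case record is there to show the false-positive control: the word "password" in ordinary support prose is not a finding, but "password=" followed by a value is. In a real clean-up the records come from a Bulk API or Data Export dump of Case, Account, Contact, Opportunity and note objects, and every hit is treated as already stolen: the credential is rotated, not merely deleted from the record.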

For organisations using Salesloft Drift, this represented weeks of investigative work just to understand their exposure. Many discovered they lacked basic visibility into their own integration ecosystems—they knew which applications their employees used, but not which applications those applications could access.

Zscaler's response illustrates the operational burden. Despite being a cybersecurity company with extensive internal expertise, they needed to revoke Drift's access, rotate API tokens across multiple systems, implement additional safeguards, and conduct comprehensive audits to determine what customer contact information had been exposed.

The incident highlighted an uncomfortable reality: most enterprises have limited understanding of their actual attack surface. The applications employees use daily connect to dozens of other systems through OAuth tokens, API keys, and automated workflows that operate largely outside IT oversight.

The non-human identity crisis

UNC6395's success exposes the most significant blindspot in contemporary cybersecurity, non-human identities.

While enterprises invest heavily in monitoring human user behaviour (tracking login patterns, enforcing multi-factor authentication, analysing behavioural anomalies), application-to-application authentication operates with minimal oversight. OAuth tokens and API keys function as "always logged in" identities: the refresh tokens and keys behind them rarely expire on their own, and they typically lack the monitoring applied to human accounts.

This creates an asymmetric risk profile. Human users might access enterprise systems for eight hours daily; OAuth tokens provide 24/7 access that persists across employee departures, organisational changes, and evolving business relationships. They enable the seamless integrations that make modern SaaS environments productive, but they also create permanent pathways that sophisticated threat actors can exploit indefinitely.

Research from Obsidian Security suggests that supply chain attacks exploiting SaaS integrations affect ten times more companies than traditional credential-based breaches. The mathematics are compelling: why target individual organisations when compromising one vendor with hundreds of downstream connections provides dramatically superior return on investment?

This economic logic suggests that UNC6395's technique represents more than an isolated incident. As enterprise application portfolios continue expanding—growing 41% over the past two years according to World Economic Forum research—the number of potential integration points multiplies accordingly.

The new enterprise reality

The Salesloft Drift incident crystallises fundamental tensions in modern enterprise technology adoption. The same features that make SaaS applications appealing—frictionless integration, seamless authentication, broad connectivity—also create attack surfaces that traditional security models cannot adequately address.

Most enterprise security frameworks assume defined network perimeters and known endpoints. The distributed reality of SaaS environments, where critical business data flows through dozens of interconnected applications managed by different vendors, challenges these foundational assumptions.

The incident also reveals the limitations of conventional vendor risk assessment. Neither Salesforce nor Google experienced direct platform compromises. Instead, the trusted relationships that enable their ecosystems became vectors for widespread data exposure. This dynamic complicates traditional due diligence processes that evaluate individual vendors' security postures rather than systemic supply chain implications.

UNC6395's systematic success demonstrates that sophisticated threat actors increasingly understand enterprise software architectures better than the organisations deploying them. Their reconnaissance-then-extraction methodology, operational security discipline, and infrastructure choices suggest deep familiarity with both Salesforce environments and enterprise monitoring capabilities.

The inevitable evolution

The response to this incident is already driving changes across the enterprise security industry. Vendors are expanding monitoring capabilities to include non-human identities and SaaS-to-SaaS connections. Organisations are conducting integration audits and implementing restrictive OAuth policies. Security frameworks are evolving to account for distributed application ecosystems.

Yet the fundamental challenge persists. The productivity and convenience benefits of SaaS integrations cannot easily be separated from their security implications. As artificial intelligence becomes more embedded in enterprise applications—as it was with Salesloft Drift's AI chat capabilities—the complexity and interconnectedness of these environments will only intensify.

UNC6395's campaign succeeded because it exploited the gap between how security teams conceptualise risk and how modern software actually operates. Until organisations develop security models that account for the complete ecosystem of applications, integrations, and non-human identities that comprise their actual attack surface, similar supply chain compromises appear inevitable.

The over 700 organisations affected by this incident face immediate operational challenges around credential rotation and system auditing. The broader enterprise community faces more fundamental questions about whether current security paradigms can protect the distributed, interconnected systems that increasingly define modern business operations.

What UNC6395 demonstrated isn't just a new attack technique—it's a preview of how cybercrime evolves when criminals understand enterprise architecture better than enterprises do.

#cybersecurity


Related tags

Cybersecurity, Supply chain attack, OAuth tokens, Salesforce, Salesloft Drift, UNC6395, Enterprise software, Non-human identities