In August 2025, the largest SaaS breach of the year shook the enterprise world when a newly identified threat actor, UNC6395, orchestrated a supply-chain attack through compromised Salesloft Drift and Drift Email applications. By stealing OAuth tokens, the attackers gained unauthorized access to Salesforce and Google Workspace environments of more than 700 companies—an attack scale ten times greater than previous Salesforce breaches.
The attackers exfiltrated sensitive business data, including Salesforce account records, customer contacts, support cases, and opportunity details. More alarmingly, they actively searched for credentials such as AWS access keys, Snowflake tokens, VPN logins, and passwords, putting critical infrastructure at risk. Victims included some of the world’s most prominent organizations—Google, Palo Alto Networks, Zscaler, and Nutanix—underscoring the breadth and severity of the compromise.
UNC6395 demonstrated strong operational security: it deleted forensic traces, ran its queries with automated Python tooling, and routed activity through Tor exit nodes and rented cloud infrastructure to obscure its origin. The campaign highlights how SaaS-to-SaaS integrations—often granted over-permissive access without rigorous review—have become a new frontier for attackers. Because a stolen OAuth token is accepted without repeating the MFA challenge the user originally passed, and because such tokens often never expire, they amount to a standing backdoor into enterprise systems.
In response, affected companies revoked compromised tokens, rotated credentials, and implemented new security controls. Salesloft confirmed it notified all impacted customers and took immediate steps to contain the damage, but the long-term risks from stolen data remain under investigation.
This incident is a wake-up call for enterprises that rely heavily on SaaS integrations. Security experts emphasize the urgent need for continuous monitoring of third-party app connections, strict least-privilege access for every integration token, and real-time detection of anomalous SaaS activity. The UNC6395 campaign makes one thing clear: cloud identity and SaaS-to-SaaS integrations are now the primary battleground for enterprise cybersecurity.
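One concrete defender-side check that follows from the post is to sweep the Salesforce objects the attackers read (cases, contacts, opportunities) for the credential types they hunted, so a victim knows which secrets to rotate first. This is an added example, not code from the post or from Salesloft or Salesforce; the field names `Id`, `Subject` and `Description` mirror a Salesforce Case export but the records are constructed, and every pattern except the documented AWS access-key-ID format (`AKIA` plus 16 uppercase alphanumerics) is a keyword heuristic of my own.

```python
import re
from typing import Iterable

# Specific credential kinds first, generic password last, so a line such as
# "Snowflake password: ..." is reported once, under the more specific kind.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "snowflake_credential": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|password)\s*[:=]\s*(\S+)"),
    "vpn_credential": re.compile(
        r"(?i)vpn[^\n]{0,40}?(?:password|passwd|login)\s*[:=]\s*(\S+)"),
    "generic_password": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}


def mask(secret: str) -> str:
    """Keep a short prefix so findings can be triaged without re-exposing the value."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_records(records: Iterable[dict],
                 fields: tuple = ("Subject", "Description")) -> list:
    """Return one finding per secret found in the given text fields of each record."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            seen_offsets = set()  # dedupe overlapping matches within one field
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    if m.start(1) in seen_offsets:
                        continue
                    seen_offsets.add(m.start(1))
                    findings.append({"id": rec.get("Id"), "field": field,
                                     "kind": kind, "value": mask(m.group(1))})
    return findings


# Constructed sample records resembling a Salesforce Case export (not real data).
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_CASES = [
    {"Id": "500CONSTRUCTED001", "Subject": "Ingest job failing",
     "Description": "Our loader uses AKIAIOSFODNN7EXAMPLE against the prod bucket."},
    {"Id": "500CONSTRUCTED002", "Subject": "Snowflake sync",
     "Description": "Snowflake token: sfk_example_token_value for warehouse X"},
    {"Id": "500CONSTRUCTED003", "Subject": "Renewal question",
     "Description": "Customer asked about pricing for next year."},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
```

Run against a real export (for example a Bulk API CSV loaded into dicts), the finding list is the rotation worklist; the masked values are safe to paste into a ticket.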
#UNC6395 #SalesloftDrift #SupplyChainAttack #SalesforceBreach #GoogleWorkspace #OAuthTokens #SaaSSecurity #DataExfiltration #AWSKeys #SnowflakeTokens #PaloAltoNetworks #Zscaler #Nutanix #CloudIdentity #SaaSIntegration #Cybersecurity