NHI Forum


Finding Hidden Credentials in Salesforce: Your Complete Secrets Scanning Guide


(@gitguardian)
Trusted Member
Joined: 7 months ago
Posts: 18
Topic starter  

Read full article here: https://blog.gitguardian.com/a-complete-guide-to-finding-hidden-credentials-in-salesforce/?utm_source=nhimg


The Salesloft Drift breach is a wake-up call for every Salesforce customer. Hundreds of enterprises — including Cloudflare, Palo Alto Networks, Farmers Insurance, and Zscaler — were impacted when attackers weaponized OAuth tokens from Drift to exfiltrate Salesforce data.

What makes this breach different isn’t just the scale (Farmers reported over 1.1M customer records affected). It’s Google’s explicit guidance: run secrets-scanning tools across your Salesforce data.

This is a first. Google is telling customers to proactively search their CRM data for hardcoded credentials — API keys, AWS tokens, Snowflake secrets — because attackers are actively looking for them, and they’re finding them.


The Breach Was Months in the Making

Mandiant’s investigation revealed the campaign began long before August’s data theft:

  • March–June 2025: UNC6395 gained access to Salesloft’s GitHub repos, added guest users, and studied integration workflows.
  • August 2025: Attackers used their knowledge to mint OAuth tokens, pivot into Salesforce orgs, and exfiltrate sensitive datasets.
  • Post-breach findings: Elastic confirmed that even a single compromised email account (via “Drift Email”) exposed valid credentials. Over a dozen cybersecurity vendors — including BeyondTrust, CyberArk, PagerDuty, JFrog, and Rubrik — are now confirmed victims.

Cloudflare observed threat actors attempting to use stolen tokens within days of the campaign starting — showing just how quickly secrets can be weaponized once stolen.


Why Secrets Scanning Is Now Mandatory

This breach was not about a Salesforce “vulnerability” — it was an identity and secrets governance failure.

  • Drift’s OAuth tokens were long-lived and not continuously monitored.
  • Most customers had little to no visibility into which apps were connected, what data they could access, or how to revoke them.
  • Stolen OAuth tokens bypassed MFA and SSO, giving attackers API-level superuser access.

And it doesn’t stop at Salesforce. Many organizations store cloud credentials in Salesforce objects — meaning the blast radius extends to AWS, Azure, GCP, and other production systems.


Build a Salesforce Secrets-Scanning Pipeline

Google recommends scanning Salesforce data for secrets. Here’s a step-by-step guide to do just that, using Salesforce CLI and GitGuardian’s ggshield:

Step 1: Authenticate with Your Salesforce Org

sf org login web

Opens a browser window, authenticates with OAuth, and stores your access/refresh tokens locally (e.g. ~/.sfdx/user.json).

Step 2: Enumerate Objects

sf force:schema:sobject:list -o YOUR_ORG > objects.txt

Retrieves a full list of standard and custom objects.

Step 3: Export Object Data via SOQL

sf data query -o YOUR_ORG --query "SELECT FIELDS(ALL) FROM Lead LIMIT 200 OFFSET 0" --json > Lead.jsonl

Exports data in batches of 200 records. Use OFFSET to paginate until you’ve captured all records.

Step 4: Connect Salesforce Data to GitGuardian

Follow GitGuardian’s Bring Your Own Source guide to create a custom source, retrieve your integration ID, and configure a service account.

Step 5: Run the Scanner

ggshield secret scan path Lead.jsonl --source-uuid YOUR_INTEGRATION_ID

Detects 500+ types of secrets (API keys, tokens, passwords) and creates security incidents in GitGuardian automatically.
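Step 3 exports a single 200-row page per command and relies on OFFSET to walk the table. The helper below is an added example written for this post (not code from the article, Salesforce, or GitGuardian) that automates the paging and writes one record per line so a ggshield finding maps back to one record Id. It assumes the `sf data query --json` envelope ({"status": 0, "result": {"records": [...]}}), pages on Id instead of OFFSET because SOQL caps OFFSET at 2000 rows, and the SAMPLE_EXPORT data is constructed.

```python
import json
import subprocess
import sys

PAGE = 200  # SOQL only allows FIELDS(ALL) with LIMIT <= 200

# Constructed sample of the `sf data query --json` envelope (not real org data).
SAMPLE_EXPORT = json.dumps({"status": 0, "result": {"totalSize": 2, "done": True, "records": [
    {"attributes": {"type": "Lead", "url": "/services/data/v60.0/sobjects/Lead/00Q000000000001AAA"},
     "Id": "00Q000000000001AAA", "Description": "aws_secret=PLACEHOLDER_NOT_A_REAL_KEY"},
    {"attributes": {"type": "Lead", "url": "/services/data/v60.0/sobjects/Lead/00Q000000000002AAA"},
     "Id": "00Q000000000002AAA", "Description": "nothing sensitive in this record"}]}})

def build_query(sobject, last_id=None, page=PAGE):
    """Keyset pagination on Id: OFFSET cannot exceed 2000, so large objects need this."""
    where = f" WHERE Id > '{last_id}'" if last_id else ""
    return f"SELECT FIELDS(ALL) FROM {sobject}{where} ORDER BY Id LIMIT {page}"

def parse_export(raw):
    """Unwrap the CLI envelope and drop the per-record 'attributes' metadata it adds."""
    payload = json.loads(raw)
    if payload.get("status", 1) != 0:
        raise RuntimeError(f"sf data query failed: {payload.get('message', raw[:200])}")
    return [{k: v for k, v in r.items() if k != "attributes"}
            for r in payload["result"]["records"]]

def to_jsonl(records):
    """One record per line, so a ggshield finding maps back to a single record Id."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)

def run_sf_query(org, query):
    """Run Step 3's command for one page and return its raw JSON output."""
    cmd = ["sf", "data", "query", "-o", org, "--query", query, "--json"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def export_object(org, sobject, fetch=run_sf_query):
    """Pull every record of one sObject, continuing from the last Id of each page."""
    records, last_id = [], None
    while True:
        page = parse_export(fetch(org, build_query(sobject, last_id)))
        records.extend(page)
        if len(page) < PAGE:  # a short page means the table is exhausted
            return records
        last_id = page[-1]["Id"]

if __name__ == "__main__":  # usage: python export_sobject.py YOUR_ORG Lead > Lead.jsonl
    sys.stdout.write(to_jsonl(export_object(sys.argv[1], sys.argv[2])))
```

Feed the resulting file to Step 5 unchanged (ggshield secret scan path Lead.jsonl --source-uuid YOUR_INTEGRATION_ID); loop the script over the object names from Step 2 to cover the whole org.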


Why This Approach Works

  • Unified visibility: Your Salesforce data is treated like a monitored repository.
  • Enterprise-grade detection: Over 500+ secret types, with validity checks and remediation playbooks.
  • Continuous monitoring: Every export and scan becomes part of your central security program.

In practice, teams have already found GitHub personal access tokens and AWS keys hidden in Salesforce objects using this approach — closing attack paths before they’re exploited.


The Takeaway

Secrets sprawl isn’t hypothetical — attackers are actively hunting and weaponizing credentials at scale.

  • Inventory every connected app (OAuth, API integrations, service accounts).
  • Scan Salesforce and other business systems for secrets regularly.
  • Rotate and revoke any credentials found during your scans.

If you aren’t scanning for secrets, you’re trusting that no developer ever dropped a key into Salesforce Notes, Attachments, or Custom Objects — a dangerous assumption in 2025.
