NHI Forum


Salesforce OAuth Token Breach: Key Lessons from the GTIG Advisory


(@astrix)

Read full article here: https://astrix.security/learn/blog/salesforce-oauth-token-breach-gtig-advisory/?source=nhimg

 

On August 26, 2025, Google's Threat Intelligence Group (GTIG) issued an urgent advisory on a data-theft campaign targeting Salesforce organizations. The threat actor, tracked as UNC6395, used OAuth tokens stolen from the Salesloft Drift app to access Salesforce instances, exfiltrate sensitive data, and then mine that data for further non-human identities (NHIs) such as AWS access keys and Snowflake tokens.

This campaign is a wake-up call: OAuth tokens, service accounts, and workload identities, not passwords, are the new crown jewels. A stolen OAuth token is a bearer credential. It is replayed directly against the API, so MFA, which only gates the interactive login that originally issued the token, never fires; human-centric defenses simply do not see the abuse.

 

What Happened: Attack Breakdown

  • Attack Vector: Stolen OAuth tokens tied to the Salesloft Drift app gave attackers direct, trusted access to Salesforce environments.
  • Execution: Large volumes of Salesforce data were exported, with attackers specifically searching for embedded secrets (AWS keys, Snowflake tokens).
  • Evasion: The threat actor deleted query jobs to cover their tracks, though GTIG confirmed Salesforce logs remain intact for forensic review.
  • Response: On August 20, Salesforce and Salesloft revoked all active Drift access and refresh tokens. Salesforce also removed Drift from its AppExchange pending investigation. Importantly, GTIG emphasized that this was not a vulnerability in the Salesforce platform: the actor abused legitimately issued OAuth tokens that Salesforce had no reason to distrust.

 

Why This Matters: NHI Security in Focus

This incident highlights the growing attacker focus on NHIs:

  • OAuth tokens, API keys, and service accounts are bearer credentials: presenting one never triggers MFA, because MFA protects the login that issued the credential, not its later use.
  • They’re often long-lived, highly privileged, and poorly monitored.
  • Once stolen, they provide silent, trusted access across systems.

The GTIG advisory even warns organizations to check Salesforce datasets for cloud service credentials hidden in records, underscoring how NHI sprawl turns every integration into a potential attack vector.

 

What to Do Now

Security teams should act immediately:

  1. Review Salesforce Logs - Audit API queries, Bulk API query jobs and data exports from August 8–18, 2025. Look for the Drift integration pulling whole objects, unusually large row counts, and source IPs that differ from its historical ones. The actor deleted its query jobs, but the underlying logs were not altered, so the export volume is still visible.
  2. Revoke and Rotate - Revoke suspicious OAuth tokens, refresh tokens included; revoking only the access token lets the app mint a new one. Enforce regular rotation and expiration for all app credentials.
  3. Audit Third-Party Integrations - Assess every connected app for least privilege: which objects and fields it can read, whether it needs API or Bulk API access at all, and whether it is still in use. Remove unused or over-permissioned integrations.
  4. Hunt for Secrets - Search the exported datasets, especially free-text fields such as case descriptions and comments, for embedded NHIs (AWS keys, Snowflake tokens, service-account credentials). Treat every hit as already compromised and rotate it; revoking the Drift tokens does nothing for a credential the attacker has already copied.
  5. Engage Experts - Navigating this requires deep visibility into the NHI landscape. Specialized tools like Astrix can help organizations inventory, govern, and remediate NHI risks quickly.
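Steps 1 and 4 above, put into code as an added example. This is not code from the original post, from Astrix, Salesforce or GTIG. It assumes two constructed inputs: a simplified CSV whose column names are only loosely modelled on Salesforce EventLogFile API/Bulk API rows (not the real schema), and a few made-up Salesforce records of the kind an export could contain. The AWS key patterns follow AWS's documented formats; the Snowflake pattern is an assumption that catches account hostnames in connection strings, not an official token format.

```python
"""Post-advisory triage for the Salesloft Drift / Salesforce token theft.

Added example (not from the original post, Astrix, Salesforce or GTIG).
API_EVENTS and EXPORTED_RECORDS below are constructed; the log columns are
illustrative stand-ins for Salesforce EventLogFile fields, not the real schema.
"""
import csv
import re
from datetime import datetime, timezone

# Activity window named in the advisory: 8-18 August 2025.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Constructed log rows. Row 1 is benign Drift traffic before the window;
# rows 2-3 are large bulk exports inside it from an IP Drift never used before.
API_EVENTS = """\
timestamp,user_id,client_name,operation,entity,rows_processed,client_ip
2025-08-05T10:02:11Z,005XX1,Salesloft Drift,query,Contact,40,203.0.113.10
2025-08-09T03:14:22Z,005XX1,Salesloft Drift,bulk_query,Account,120000,198.51.100.7
2025-08-09T03:20:45Z,005XX1,Salesloft Drift,bulk_query,Case,380000,198.51.100.7
2025-08-12T11:45:00Z,005XX2,Data Loader,bulk_query,Opportunity,9000,192.0.2.4
2025-08-17T22:05:09Z,005XX1,Salesloft Drift,query,User,300,198.51.100.7
"""


def triage_api_events(csv_text, row_threshold=10000):
    """Flag bulk query jobs inside the window that moved >= row_threshold rows.

    Deleting the query job (as the actor did) does not remove these log rows,
    so the export volume and source IP remain visible for forensics.
    """
    flagged = []
    for row in csv.DictReader(csv_text.splitlines()):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if not WINDOW_START <= ts <= WINDOW_END:
            continue
        rows = int(row["rows_processed"])
        if row["operation"] == "bulk_query" and rows >= row_threshold:
            flagged.append({"timestamp": row["timestamp"], "client": row["client_name"],
                            "entity": row["entity"], "rows": rows, "ip": row["client_ip"]})
    return flagged


# Patterns for the credential types the advisory says the actor hunted for.
# AWS key IDs (AKIA/ASIA + 16 uppercase alphanumerics) and 40-character secrets
# are documented formats. The Snowflake pattern is an assumption: it catches
# account hostnames in connection strings, so treat its hits as leads only.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "snowflake_connection": re.compile(r"(?i)\b[a-z0-9_-]+\.snowflakecomputing\.com\b"),
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Constructed records. The AWS values are AWS's published example credentials.
EXPORTED_RECORDS = [
    {"Id": "500XX001", "Description": "Use AKIAIOSFODNN7EXAMPLE and "
     "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY for the S3 sync"},
    {"Id": "500XX002", "Description": "Snowflake load job: account "
     "xy12345.us-east-1.snowflakecomputing.com user=svc_etl password=Hunter2!"},
    {"Id": "500XX003", "Description": "Customer asked for a renewal quote."},
]


def redact(value):
    """Keep enough to identify the finding without re-exposing the secret."""
    return value[:4] + "..." + f"[{len(value)} chars]"


def hunt_secrets(records, fields=("Description", "Body", "Comments")):
    """Return (record_id, secret_type, redacted_match) for each credential found.

    Every hit must be rotated regardless of the Drift token revocation: the
    attacker already holds a copy of the exported record.
    """
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field)
            if not text:
                continue
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((rec["Id"], name, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for hit in triage_api_events(API_EVENTS):
        print("bulk export:", hit)
    for finding in hunt_secrets(EXPORTED_RECORDS):
        print("secret:", finding)
```

On the constructed data the triage flags the two Drift bulk exports inside the window (the 9,000-row Data Loader job stays below the default threshold, and the pre-window Drift query is ignored), and the secret hunt returns four redacted findings across the first two records. Against a real export, point `hunt_secrets` at whatever free-text fields the exported objects carry, and lower `row_threshold` to match the org's normal integration volumes.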

 

Key Lesson

This breach isn’t about Salesforce. It’s about the weakest link in modern identity security: unmanaged NHIs. Attackers now know OAuth tokens and service accounts are often easier to steal and harder to detect than human credentials.

The takeaway is clear:

  • Zero Trust must extend to machines.
  • NHIs need owners, rotation policies, least privilege, and monitoring, just like human accounts.
  • OAuth tokens, secrets, and app integrations require continuous governance—not blind trust.

In short: securing your enterprise means securing every identity, human or machine.

 


   