Chinese hackers breach 700 companies through single Salesforce integration
8 days ago
- #supply-chain-attack
- #OAuth-exploit
- #cybersecurity
- Chinese hacking group UNC6395 breached over 700 companies by exploiting a single Salesforce integration point (Salesloft Drift's OAuth tokens).
- The attack ran from August 8 to 18, 2025, and avoided direct intrusion into corporate networks by going through a trusted third-party integration instead.
- Compromised OAuth tokens provided access to Salesforce databases containing AWS keys, Snowflake credentials, VPN passwords, and customer data.
- The hackers demonstrated precision, using reconnaissance queries and selective data extraction while evading detection for 10 days.
- The breach expanded beyond Salesforce to include Google Workspace via compromised email integration tokens.
- Enterprise security systems failed to detect the attack because it used legitimate authentication channels (OAuth tokens).
- The incident revealed systemic vulnerabilities in SaaS integrations and non-human identity management (OAuth tokens, API keys).
- Remediation required extensive audits, token revocation, and credential rotation across multiple platforms.
- The attack highlights the growing risk of supply chain compromises via SaaS integrations rather than direct breaches.
- Security frameworks must evolve to monitor non-human identities and complex SaaS-to-SaaS connections.
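The last three points are about detection: activity that arrives through a valid OAuth token looks like the integration's own traffic, so it has to be caught on behaviour, not on authentication failures. The script below is an added example, not code from the article or from Salesforce, Salesloft or Drift. It applies three simple behavioural rules to a constructed API activity log for one integration: object enumeration with COUNT() queries (the reconnaissance pattern the summary describes), row counts far above the integration's baseline (bulk extraction), and token use from a source address never seen before. The event field names (`ts`, `app`, `ip`, `query`, `rows`) and the baseline values are assumptions for the example; a real log source will use its own schema.

```python
"""Added example: behavioural detections for abuse of a SaaS integration's OAuth token.

The event schema and baseline are constructed stand-ins (not a real vendor
schema); adapt the keys to whatever API activity log your platform exposes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a chat-style integration normally reads single
# Lead/Contact rows from one known address, then suddenly enumerates objects
# with COUNT() queries and pulls a whole table from an unfamiliar address.
SAMPLE_EVENTS = [
    {"ts": "2025-08-07T09:00:00", "app": "chat-integration", "ip": "198.51.100.10",
     "query": "SELECT Id, Email FROM Lead WHERE Id = '00Q000000000001'", "rows": 1},
    {"ts": "2025-08-07T09:05:00", "app": "chat-integration", "ip": "198.51.100.10",
     "query": "SELECT Id, Email FROM Contact WHERE Id = '003000000000001'", "rows": 1},
    {"ts": "2025-08-09T02:10:00", "app": "chat-integration", "ip": "203.0.113.77",
     "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"ts": "2025-08-09T02:10:05", "app": "chat-integration", "ip": "203.0.113.77",
     "query": "SELECT COUNT() FROM Opportunity", "rows": 1},
    {"ts": "2025-08-09T02:10:09", "app": "chat-integration", "ip": "203.0.113.77",
     "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-09T02:10:14", "app": "chat-integration", "ip": "203.0.113.77",
     "query": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-09T02:11:00", "app": "chat-integration", "ip": "203.0.113.77",
     "query": "SELECT Id, Subject, Description FROM Case", "rows": 48210},
]

# Assumed per-integration baseline learned from a quiet period: source
# addresses seen and a rows-per-query ceiling with some headroom.
BASELINE = {
    "chat-integration": {"ips": {"198.51.100.10"}, "max_rows": 50},
}

COUNT_RE = re.compile(r"SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    app: str
    rule: str
    detail: str


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_enumeration(events, min_objects=3, window=timedelta(minutes=5)):
    """Flag an integration that COUNT()s several distinct objects within a short
    window: that fits reconnaissance, not a chatbot's normal record lookups."""
    findings = []
    by_app = defaultdict(list)
    for e in events:
        m = COUNT_RE.search(e["query"])
        if m:
            by_app[e["app"]].append((_ts(e), m.group(1)))
    for app, hits in by_app.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            objs = {obj for ts, obj in hits[i:] if ts - start <= window}
            if len(objs) >= min_objects:
                findings.append(Finding(app, "enumeration",
                                        f"COUNT() over {sorted(objs)} within {window}"))
                break  # one finding per integration is enough to raise an alert
    return findings


def detect_bulk_export(events, baseline=BASELINE):
    """Flag any query returning more rows than the integration's baseline ceiling."""
    return [
        Finding(e["app"], "bulk_export",
                f"{e['rows']} rows from {e['query']!r} (baseline {baseline[e['app']]['max_rows']})")
        for e in events
        if e["app"] in baseline and e["rows"] > baseline[e["app"]]["max_rows"]
    ]


def detect_new_source(events, baseline=BASELINE):
    """Flag the first use of an integration's token from an address outside its baseline."""
    findings, seen = [], set()
    for e in events:
        known = baseline.get(e["app"], {}).get("ips", set())
        if e["ip"] not in known and (e["app"], e["ip"]) not in seen:
            seen.add((e["app"], e["ip"]))
            findings.append(Finding(e["app"], "new_source", f"token used from {e['ip']}"))
    return findings


def run_detections(events, baseline=BASELINE):
    """Run all three rules and return the combined findings."""
    return (detect_enumeration(events)
            + detect_bulk_export(events, baseline)
            + detect_new_source(events, baseline))


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.app}: {f.detail}")
```

Each rule on its own is noisy (a legitimate report can be large, an integration can move to a new egress address), which is why the output keeps the rule name: correlating two or more rules firing for the same non-human identity in the same window is what separates this activity from routine integration traffic, and is the trigger for revoking that token and rotating whatever credentials were reachable through it.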