The Master Key Problem: What the Salesloft Breach Says About Digital Trust
In September 2025, the FBI released a Flash alert warning that two criminal groups — UNC6395 and UNC6040 — were actively compromising Salesforce instances across industries.
UNC6395 breached Salesloft, a sales engagement tool deeply linked to Salesforce, and then pivoted through that trusted connection to access Salesforce data. UNC6040, meanwhile, runs a separate vishing-based campaign aimed directly at Salesforce users.
The UNC6395 campaign offers a clear warning: attackers no longer need to breach Salesforce itself when they can hijack the systems it trusts. In this post, we’ll unpack how UNC6395 exploited a trusted integration between Salesloft and Salesforce — and what that says about modern supply-chain risk.
More than 700 organizations worldwide were hit by UNC6395, including cybersecurity companies such as Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable.
What remains unclear is just how far UNC6395’s campaign has spread — or exactly how much sensitive information may still be in play.
We do know that stolen Salesforce data is now fueling extortion attempts. A threat group has launched a data leak site demanding ransom from companies whose customer records were posted online. Salesforce has publicly stated that it will not pay extortion demands.
It remains unclear whether these new leak-site claims stem directly from UNC6395’s operations, but one fact is clear: once credentials are stolen, the records they unlock can resurface repeatedly.
“From the days of passwords to certificates, the biggest question has always been ‘How do you manage and keep the integrity of keys intact?’” said Michael Adjei, director of systems engineering at Illumio. “That problem hasn’t gone away — it’s only gotten bigger in an interconnected world.”
When a trusted key unlocks the kingdom
UNC6395’s weapon was OAuth tokens stolen from Salesloft, a sales engagement platform that syncs calls, emails, and chats into Salesforce, and specifically from its Drift chatbot integration.
With those tokens, attackers gained trusted API-level access to Salesforce and other linked environments, quietly querying data, exfiltrating contacts, cases, and even credentials like AWS keys, VPN secrets, and Snowflake tokens.
Google now advises that all Drift-issued tokens be treated as compromised.
The perimeter isn’t your firewall anymore
If an integration is the lock, and an OAuth token the key, what happens when that key ends up in the wrong hands?
Modern enterprises depend on tightly connected systems. When one integration is breached, others can quickly be exposed.
A single compromise in a CRM connection can reveal customer data, support cases, or files stored in productivity tools. Credentials and API keys left in notes or tickets can then open access to cloud environments.
Most enterprise stacks link CRMs, engagement platforms, chat tools, and cloud storage. Each connection improves efficiency — but also extends the path an attacker can take.
Once a token is stolen, the attacker effectively becomes the legitimate integration, bypassing MFA, audit logs, and password resets entirely.
Why OAuth tokens are gold
OAuth tokens confer delegated access — by design. But that same design creates a weak point: once trust is granted, it’s rarely revoked.
“Long-lived tokens often outlast employees, vendors, or even the tools that created them, leaving unseen doors open across systems,” Adjei said.
API calls that look normal
Malware is loud; API calls are quiet.
In this breach, attackers hid in plain sight, issuing SOQL and Bulk API queries that mimicked legitimate operations.
“APIs are like a car with tinted windows — people assume it’s you inside,” Adjei said. “The only way to know otherwise is to open the door.”
Because these requests came from valid integrations, the system treated them as benign. That makes detection difficult: the attacker’s actions blend into normal business activity.
“Many organizations don’t even know all the applications and integrations in use,” Adjei added. “Tokens may have been set up years ago and never rotated. That combination of shadow IT and long-lived access means exposure can last for months.”
From SolarWinds to Salesloft
Unlike SolarWinds, where attackers slipped malicious code into a software update, UNC6395 didn’t need to write a single line of malware. Instead, they exploited trust itself.
“SolarWinds was an awakening,” Adjei said. “It proved the effectiveness of targeting the weakest link: a highly integrated vendor. If you compromise that, you gain access to many organizations at once.”
This move from code-based supply-chain attacks like SolarWinds to token-based ones signals a paradigm shift: you no longer need to break in with malware when the keys already exist.
Who’s behind the breach
Threat-intelligence analysis traces the initial access to UNC6395 — financially motivated cyber criminals. While some have noted the group’s overlap with ShinyHunters’ focus on Salesforce, no confirmed relationship between UNC6395 and ShinyHunters has been established.
ShinyHunters is a broader data-broker and cybercrime collective that may intersect with or benefit from UNC6395’s campaigns, but attribution isn’t settled.
Now Scattered Lapsus$ Hunters is claiming it will soon begin extorting hundreds more organizations it says lost data through Salesloft. Salesforce has emphasized that any third-party Salesloft data allegedly stolen by ShinyHunters was not taken through a vulnerability within the core Salesforce platform.
How to cut the blast radius
Compromise is no longer a question of whether it will happen but of how far an attacker can go once it does.
“Visibility and context let you see changes in behavior — sudden large data transfers, anomalies, over-extended access,” Adjei said. “But visibility is only valuable if you act on it.”
To shrink the impact of a lost key:
- Enforce least privilege. Never give broader scopes than needed.
- Rotate and revoke tokens regularly.
- Audit every connected app, every integration.
- Deploy continuous monitoring tuned for anomalous API traffic and unusual token usage.
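As an added illustration of the last two items (not code from this post, from Illumio, or from Salesforce), here is a small detector run over constructed, simplified API event lines: it flags a connected app whose per-request row count jumps far above its own median, reads of an object a chat widget should never touch, and OAuth tokens older than the rotation policy allows. The log format, app names, thresholds and token inventory are all assumptions.

```python
import statistics
from datetime import datetime, timedelta, timezone

# Constructed sample API events in a simplified CSV form (not real Salesforce
# event-log output): timestamp, connected app, API kind, object, rows returned
SAMPLE_LOG = """\
2025-08-08T03:12:00Z,drift-chat,SOQL,Case,40
2025-08-08T03:13:00Z,drift-chat,SOQL,Contact,55
2025-08-08T11:00:00Z,drift-chat,SOQL,Contact,70
2025-08-09T02:30:00Z,drift-chat,BulkAPI,Contact,180000
2025-08-09T02:31:00Z,drift-chat,BulkAPI,Case,95000
2025-08-09T02:40:00Z,drift-chat,SOQL,User,2000
2025-08-09T09:00:00Z,marketing-sync,SOQL,Lead,300
"""

# Constructed token inventory: connected app -> date its OAuth token was issued
TOKEN_ISSUED = {"drift-chat": "2023-11-02", "marketing-sync": "2025-07-15"}
SPIKE_FACTOR = 10              # rows > 10x the app's own median counts as a spike
SENSITIVE_OBJECTS = {"User"}   # objects a chat integration has no reason to read
MAX_TOKEN_AGE = timedelta(days=90)   # assumed rotation policy

def parse_events(log):
    events = []
    for line in log.splitlines():
        ts, app, api, obj, rows = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "app": app, "api": api, "obj": obj, "rows": int(rows)})
    return events

def find_anomalies(events, token_issued, now_iso):
    findings = []
    # Per-app baseline: median rows per request over that app's own history
    by_app = {}
    for e in events:
        by_app.setdefault(e["app"], []).append(e["rows"])
    baseline = {app: statistics.median(r) for app, r in by_app.items()}
    for e in events:
        if e["rows"] > SPIKE_FACTOR * baseline[e["app"]]:
            findings.append(("volume_spike", e["app"], f'{e["api"]} {e["obj"]} rows={e["rows"]}'))
        if e["obj"] in SENSITIVE_OBJECTS:
            findings.append(("sensitive_object", e["app"], e["obj"]))
    # Stale tokens: issued longer ago than the rotation policy allows
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    for app, issued in token_issued.items():
        age = now - datetime.fromisoformat(issued).replace(tzinfo=timezone.utc)
        if age > MAX_TOKEN_AGE:
            findings.append(("stale_token", app, f"age={age.days}d"))
    return findings
```

The median baseline includes the suspicious requests themselves, so on a short history a sustained exfiltration can drag the baseline up; in practice compute it over a trailing window that excludes the period being scored.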
How Illumio Insights can help
Attackers like UNC6395 didn’t need malware to infiltrate hundreds of organizations — they simply followed the invisible pathways of trust. Illumio Insights shines light on those paths.
By mapping system-to-system communication across your environment, Insights can reveal which applications talk to each other, how often, and when something looks out of place. When a compromised OAuth token begins moving data in unexpected ways, Insights helps teams spot and contain it before it can spread.
Key capabilities include:
- Lateral movement detection: visibility into system-to-system communication is essential to uncover attackers moving within environments.
- Behavioral threat detection: analytics that identify abnormal use of native tools help surface activity that blends into normal operations.
- Alert prioritization: filtering out routine behavior and highlighting suspicious patterns is critical when attackers use trusted processes.
- Rapid containment: the ability to isolate compromised assets quickly — without waiting for malware signatures — can stop a threat before it can spread.
In a world where breaches exploit trust rather than code, Illumio Insights delivers the visibility and instant control defenders need in real time.
The Salesloft breach teaches us that attackers don’t need to blow up the walls to your castle — they just need a working key.
When keys are available, your security posture hinges on who holds them and how fast you can stop them in their tracks.
Discover how Illumio Insights identifies and stops threats before they spread. Experience the full power of Illumio Insights free for 14 days.