
UNC6395 Exploits Compromised OAuth Tokens in Salesforce Data Breach via Third-Party App
The threat actor group UNC6395 conducted a data theft campaign by using compromised OAuth tokens issued to a third-party application, Salesloft Drift, to gain unauthorized access to Salesforce data. OAuth tokens are widely used to let one service access another on a user's behalf, so a third-party application can read user data without ever handling the user's password. If those tokens are compromised, however, the attacker holds the same delegated access the application was granted: the token is presented directly to the API, traditional login controls are never exercised, and the access persists for as long as the token remains valid. In this case the attackers used the compromised tokens to reach Salesforce, a high-value target because of the vast amounts of customer and business data it stores.

This incident highlights the risks associated with third-party integrations and the critical importance of securing OAuth tokens. For cybersecurity professionals, it underscores the necessity of rigorous third-party access management and robust OAuth token security practices. Key measures include regular token rotation to shorten the window in which a stolen token is usable, restricting token scopes to the minimum permissions the integration requires, and continuous monitoring for anomalous token usage. Organizations should also adopt a zero-trust security model in which third-party applications are subject to continuous verification and strict access controls, which limits the damage even when a token is compromised.

The broader implication for the cybersecurity landscape is the increasing prevalence of supply chain attacks, in which adversaries compromise a third-party application to reach high-value targets that trust it. Such attacks can lead to significant operational disruptions, regulatory fines, and loss of customer trust. Organizations must prioritize third-party risk assessments, regularly audit integrated applications, and enforce identity-centric security measures to defend against these threats effectively.
Salesforce administrators should review OAuth app permissions, revoke unused or suspicious tokens, and enable logging and alerting for token-related activities. Furthermore, this attack aligns with broader trends in cybersecurity, including the rise of cloud-based attacks and the growing focus on identity-based threats. As organizations increasingly rely on third-party applications and cloud services, securing the authentication and authorization mechanisms that connect these services becomes paramount.
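The "continuous monitoring for anomalous token usage" recommended above, worked through as an added example (not code from the original page or from Salesforce or Salesloft). It learns a per-connected-app baseline of source IPs and per-call row counts from a quiet period, then flags later API calls made with that app's token from an address never seen before or pulling far more rows than the integration ever did. The record layout, app name, and event values are all constructed for the example.

```python
"""Flag anomalous OAuth connected-app activity in constructed Salesforce-style
API event records. The field layout is an assumption, not a real Salesforce schema."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiEvent:
    ts: str            # ISO-8601 timestamp (constructed)
    app: str           # connected app whose OAuth token was presented
    user: str          # Salesforce user the token acts as
    source_ip: str     # client IP of the API call
    rows: int          # rows returned by the call

# Constructed sample: an integration with a stable daily sync, then a late-night
# burst of bulk queries from an address never seen for that app.
EVENTS = [
    ApiEvent("2025-08-08T09:00:00Z", "chat-sync-app", "int.user@example.com", "203.0.113.10", 120),
    ApiEvent("2025-08-09T09:00:00Z", "chat-sync-app", "int.user@example.com", "203.0.113.10", 95),
    ApiEvent("2025-08-10T09:00:00Z", "chat-sync-app", "int.user@example.com", "203.0.113.11", 110),
    ApiEvent("2025-08-20T02:13:00Z", "chat-sync-app", "int.user@example.com", "198.51.100.7", 250000),
    ApiEvent("2025-08-20T02:14:00Z", "chat-sync-app", "int.user@example.com", "198.51.100.7", 180000),
]

def build_baseline(events, before):
    """Per app: set of source IPs and the largest rows/call seen before `before`."""
    ips, max_rows = defaultdict(set), defaultdict(int)
    for e in events:
        if e.ts < before:          # ISO-8601 strings compare chronologically
            ips[e.app].add(e.source_ip)
            max_rows[e.app] = max(max_rows[e.app], e.rows)
    return ips, max_rows

def find_anomalies(events, baseline_end, row_factor=10):
    """Return (event, reasons) for calls at or after baseline_end that come from an IP
    not in the app's baseline or return row_factor times more rows than ever seen."""
    ips, max_rows = build_baseline(events, baseline_end)
    hits = []
    for e in events:
        if e.ts < baseline_end:
            continue
        reasons = []
        if e.source_ip not in ips[e.app]:
            reasons.append("new source IP for app")
        if e.rows > row_factor * max(max_rows[e.app], 1):
            reasons.append("bulk data pull vs baseline")
        if reasons:
            hits.append((e, reasons))
    return hits
```

In practice the baseline window and row factor should be tuned per integration, and a hit is a trigger to review and, if warranted, revoke the connected app's token.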