True Crime. Real Justice. Real Consequences.
In just ten days in August 2025, a sophisticated cybercrime spree quietly unfolded inside the digital walls of some of the world’s most trusted enterprise platforms. By the time investigators shut it down, over 700 organizations had been touched. The weapon? Not malware, not ransomware, but something deceptively simple: OAuth tokens.
This is the story of how a single integration, Salesloft Drift connected to Salesforce, became the access point for a high-impact data theft campaign that threatened to expose sensitive data across industries.
The Setup: An Invisible Doorway
The attackers, tracked by Google Threat Intelligence Group (GTIG) as UNC6395, didn't have to break in. They walked through the front door.
Salesloft Drift, a widely used sales chat and marketing tool, connected seamlessly to Salesforce using OAuth, a widely trusted mechanism for application integration. But an OAuth token that is over-scoped and under-protected is also a golden key: whoever holds it gets the same API access the integration was granted, with no password and no MFA prompt.
Between August 8 and August 18, stolen Drift OAuth tokens let the attackers authenticate to customers' Salesforce orgs as the integration and run bulk SOQL queries, quietly exporting sensitive data.
The Heist: What They Took
This wasn’t smash-and-grab. It was clinical. Surgical.
The attackers used Salesforce queries to pull:
- User lists and account data — prime reconnaissance for social engineering.
- Case records and opportunity details — rich with operational intelligence.
- Secrets hidden in plain sight: AWS access keys, passwords, VPN keys and Snowflake tokens pasted into case descriptions, free-text fields and attachments.
Each stolen record wasn’t just data — it was a stepping stone to deeper access. One compromised Salesforce org could mean an entire cloud environment laid bare.
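The secret hunting described above is worth turning around: the same string patterns the attackers searched the exports for are what a defender must scan with to learn exactly which credentials leaked and need rotation. The following is an added example, not code from the original post or from Salesforce, Salesloft or Google. The records are constructed; the field names follow standard Salesforce objects but every value is invented, and apart from the AWS access key ID format and the PEM private key header the patterns are loose keyword heuristics that will need human review.

```python
"""Scan exported Salesforce records for the credential indicators the
attackers hunted for, so the defender knows exactly what to rotate.
Added example, not code from the original post, Salesforce, Salesloft or
Google. Records below are constructed: field names follow standard
Salesforce objects, contents are invented."""
import re

# Indicator patterns. The AWS access key ID format (AKIA/ASIA + 16 chars)
# and the PEM private key header are fixed formats; the rest are loose
# keyword heuristics that will produce false positives needing review.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"snowflake", re.IGNORECASE),
    "vpn_or_sso_url": re.compile(r"https?://\S*(?:vpn|sso)\S*", re.IGNORECASE),
}

# Hits of these kinds are credential material: rotate, do not just look.
ROTATE_KINDS = {"aws_access_key_id", "private_key_block", "password_assignment"}

SAMPLE_RECORDS = [  # constructed sample export, one dict per SOQL row
    {"type": "Case", "Id": "500xx000000001AAA", "Subject": "VPN onboarding",
     "Description": "Temp creds for the contractor: AKIAIOSFODNN7EXAMPLE / "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, portal "
                    "https://vpn.example.test/login"},
    {"type": "Case", "Id": "500xx000000002AAA", "Subject": "Snowflake access",
     "Description": "Use the shared snowflake service account, password=Winter2025!"},
    {"type": "Opportunity", "Id": "006xx000000003AAA",
     "Description": "Q3 renewal, pricing attached, nothing sensitive"},
    {"type": "Attachment", "Id": "00Pxx000000004AAA",
     "Body": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n"
             "-----END OPENSSH PRIVATE KEY-----"},
]


def scan_text(text):
    """Return (indicator, matched_text) pairs for every hit in one string."""
    return [(name, m.group(0))
            for name, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]


def scan_records(records, text_fields=("Subject", "Description", "Body", "Comments")):
    """Scan the free-text fields of exported records.
    Returns {"<object type>:<record Id>": [hits...]} for records with hits."""
    findings = {}
    for rec in records:
        hits = []
        for field in text_fields:
            value = rec.get(field)
            if isinstance(value, str):
                hits.extend(scan_text(value))
        if hits:
            findings[f"{rec.get('type', '?')}:{rec.get('Id', '?')}"] = hits
    return findings


def rotation_worklist(findings):
    """Split findings into credentials that must be rotated (keyed by the
    matched value) and keyword-only hits such as a product name or a login
    URL (keyed by record) that need a human look."""
    rotate, review = set(), set()
    for record_key, hits in findings.items():
        for kind, value in hits:
            if kind in ROTATE_KINDS:
                rotate.add((kind, value))
            else:
                review.add((kind, record_key))
    return sorted(rotate), sorted(review)


if __name__ == "__main__":
    to_rotate, to_review = rotation_worklist(scan_records(SAMPLE_RECORDS))
    print("rotate:", *to_rotate, sep="\n  ")
    print("review:", *to_review, sep="\n  ")
```

Run it against a real export by feeding `scan_records` the rows from a SOQL query over Case, Opportunity and Attachment; the rotate list is the minimum set of credentials to revoke, and the review list points at records where a login URL or a Snowflake mention suggests more context the attacker could have used.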
The Discovery: 48 Hours to Containment
By August 18, the campaign had reached hundreds of victims. Google Threat Intelligence Group traced the activity and raised the alarm.
Two days later, on August 20, Salesforce and Drift revoked the compromised OAuth tokens. The door finally slammed shut.
But the 48 hours between discovery and containment were a race against time. Every query run, every record pulled, widened the blast radius.
The Motive: Why This Works
Unlike ransomware, there was no loud demand. No splashy headlines at first. The value here was stealth:
- Credentials for sale on the dark web.
- Insider intelligence that could inform corporate espionage.
- Cloud access that could be monetized quietly, over time.
The attackers didn’t want attention. They wanted persistence.
The Aftermath: Lessons in Platform Failure
The Drift–Salesforce breach wasn’t just a crime against data. It was a crime against trust in platform integrations.
What went wrong:
- OAuth tokens had broad permissions with little scoping.
- Monitoring failed to catch abnormal query volumes until too late.
- Remediation was manual, not automated.
What platform engineering could have changed:
- Least privilege tokens enforced by policy.
- Centralized observability pipelines lighting up anomalous queries.
- Automated remediation playbooks revoking and rotating tokens in minutes, not days.
- Zero trust guardrails to block unusual token usage outright.
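As an added example of the "anomalous queries" and "automated remediation" items above (not code from the original post, Salesforce or Salesloft): a detector that walks Salesforce API event records per connected app, compares the objects queried inside a one-hour window against that app's least-privilege baseline, sums the rows exported, and turns the first triggering window into a containment action. The event rows are constructed, and the field names (EventDate, ConnectedAppId, QueriedEntities, RowsProcessed) are modeled on Salesforce's Real-Time Event Monitoring ApiEvent object; treat that mapping as an assumption to check against your own log source.

```python
"""Flag connected apps whose API queries leave their baseline or exceed a
row budget inside a sliding window, then emit the containment action.
Added example; events are constructed and field names are modeled on
Salesforce Real-Time Event Monitoring ApiEvent (an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: app ...001 (a Drift-like integration) normally reads
# Contact and Lead, then bulk-pulls Account, Case, Opportunity and User
# within ten minutes. App ...002 behaves normally throughout.
SAMPLE_EVENTS = [
    {"EventDate": "2025-08-10T02:01:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "Contact", "RowsProcessed": 120},
    {"EventDate": "2025-08-10T02:05:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "Lead", "RowsProcessed": 80},
    {"EventDate": "2025-08-10T02:30:00Z", "ConnectedAppId": "0H4xx0000000002",
     "Operation": "Query", "QueriedEntities": "Lead", "RowsProcessed": 50},
    {"EventDate": "2025-08-10T03:10:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "Account", "RowsProcessed": 45000},
    {"EventDate": "2025-08-10T03:12:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "Case", "RowsProcessed": 30000},
    {"EventDate": "2025-08-10T03:15:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "Opportunity", "RowsProcessed": 12000},
    {"EventDate": "2025-08-10T03:20:00Z", "ConnectedAppId": "0H4xx0000000001",
     "Operation": "Query", "QueriedEntities": "User", "RowsProcessed": 2500},
    {"EventDate": "2025-08-10T04:00:00Z", "ConnectedAppId": "0H4xx0000000002",
     "Operation": "Query", "QueriedEntities": "Lead", "RowsProcessed": 60},
]

# Least-privilege baseline: the objects each integration is allowed to read.
# In practice this is derived from the connected app's documented purpose.
BASELINE = {
    "0H4xx0000000001": {"Contact", "Lead"},
    "0H4xx0000000002": {"Lead"},
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_exfil(events, baseline, window=timedelta(hours=1), row_threshold=20000):
    """Return one alert per connected app whose activity in some window of
    length `window` either touches objects outside its baseline or exports
    at least `row_threshold` rows. The first triggering window is reported."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev["ConnectedAppId"]].append(ev)
    alerts = []
    for app, evs in by_app.items():
        evs.sort(key=lambda e: parse_ts(e["EventDate"]))
        allowed = baseline.get(app, set())  # unknown app: nothing is allowed
        for i, first in enumerate(evs):
            t0 = parse_ts(first["EventDate"])
            in_window = [e for e in evs[i:] if parse_ts(e["EventDate"]) - t0 <= window]
            rows = sum(e["RowsProcessed"] for e in in_window)
            entities = {name.strip() for e in in_window
                        for name in e["QueriedEntities"].split(",")}
            off_baseline = entities - allowed
            reasons = []
            if off_baseline:
                reasons.append("objects outside baseline: " + ", ".join(sorted(off_baseline)))
            if rows >= row_threshold:
                reasons.append(f"{rows} rows exported within {window}")
            if reasons:
                alerts.append({"connected_app": app, "window_start": first["EventDate"],
                               "rows": rows, "entities": entities,
                               "off_baseline": off_baseline, "reasons": reasons})
                break  # one alert is enough to contain the app
    return alerts


def containment_actions(alerts):
    """Turn alerts into playbook steps for an automated responder: revoke
    the app's OAuth tokens, then scope the forensic review to the objects
    it actually pulled."""
    return [
        {"action": "revoke_oauth_tokens", "connected_app": a["connected_app"],
         "review_objects": sorted(a["entities"]), "reasons": a["reasons"]}
        for a in alerts
    ]


if __name__ == "__main__":
    for action in containment_actions(detect_bulk_exfil(SAMPLE_EVENTS, BASELINE)):
        print(action)
```

The revoke step is expressed as a playbook action rather than an API call because the event record identifies the connected app, not the token; the responder has to resolve the app to its active sessions (for example from the org's connected app OAuth usage data) before invoking Salesforce's documented OAuth revocation endpoint, which takes the token value itself. The baseline comparison is the zero trust guardrail: an integration built to sync Contacts and Leads has no business reading User or Case, whatever scopes its token happens to carry.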
The Verdict
For enterprises, the lesson is clear: platform engineering is no longer about developer productivity. It’s about digital survival.
In the wrong hands, an OAuth token can be more dangerous than malware. And without platform-level guardrails, even the most trusted SaaS platforms can become a liability.
As the dust settles, one truth remains: in a world of interconnected systems, security must be engineered in from the start.