DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

UNC6395 and the Drift OAuth Breach: A Supply Chain Failure with Consumer Consequences

Patrick Duggan
Sep 4, 2025
2 min read

The UNC6395 campaign, disclosed in late August 2025, is now recognized as one of the most widespread SaaS breaches of the year. By compromising OAuth tokens from Salesloft’s Drift integration, attackers infiltrated hundreds of Salesforce instances across industries. While many affected organizations were security vendors, the breach at TransUnion marks a turning point — shifting the narrative from internal CRM exposure to direct consumer harm.

TransUnion: The Consumer Flashpoint

TransUnion confirmed that attackers accessed its Salesforce environment via the Drift integration, exfiltrating sensitive data on approximately 4.4 million U.S. consumers. The stolen data includes:

Full names
Dates of birth
Addresses and phone numbers
Email addresses
Unredacted Social Security Numbers
Support ticket content and metadata

This breach is particularly significant given TransUnion’s role as a national credit bureau. Unlike vendor-side CRM leaks, this incident exposes individuals to identity theft, impersonation, and long-tail fraud risks. TransUnion has begun notifying affected individuals and regulators, and is offering credit monitoring and identity protection services.

Source: SecurityWeek coverage of TransUnion breach

Affected Vendors: The Broader Blast Radius

The following companies have publicly disclosed impact from the UNC6395 campaign:

TransUnion – Consumer data breach affecting 4.4M individuals
Cloudflare – Support case data and 104 API tokens exposed
Zscaler – CRM data including customer contact info and support case content
Palo Alto Networks – Internal sales records and basic case data accessed
SpyCloud – Salesforce data accessed via compromised Drift token
PagerDuty – Confirmed breach via Drift-Salesforce integration
Tanium – Limited exposure of Salesforce data; no platform compromise
Google – Small number of Workspace accounts accessed via Drift Email OAuth
Salesloft – Source of the compromised integration; Drift app taken offline
Drift – OAuth tokens exploited; integration removed from Salesforce AppExchange

Sources:

CRN: 5 Cybersecurity Vendors Impacted
Security Boulevard: Drift Breach Rolls Up Cloudflare, Palo Alto, Zscaler
Obsidian Security: UNC6395 Overview

Strategic Takeaways

OAuth Is a Supply Chain Risk Surface: Trusted integrations can become blind spots. Drift’s compromise bypassed traditional perimeter defenses and cascaded across Salesforce tenants.
Token Hygiene Is Non-Negotiable: Organizations must treat OAuth tokens with the same rigor as credentials — enforce IP restrictions, rotate frequently, and audit scopes.
Support Systems Are Attack Surfaces: Case data often contains sensitive credentials, logs, and configuration details. Vendors must sanitize inputs and enforce secure handling protocols.

UNC6395 and the Drift OAuth Breach: A Supply Chain Failure with Consumer Consequences

TransUnion: The Consumer Flashpoint

Affected Vendors: The Broader Blast Radius

Strategic Takeaways

Recent Posts

Comments