
UNC6395: I Told You So (The Breach That Won't Stop Breaching)

  • Writer: Patrick Duggan
  • Nov 23, 2025
  • 4 min read


Remember that blog post I wrote in September about UNC6395 and the Salesloft/Salesforce/Drift OAuth token nightmare?


The one where I said "If you think this will blow over, it won't"?


Yeah. I was right.




Three Days Ago: It Happened Again


November 20, 2025: Salesforce disclosed that some of its customers' data was accessed after a breach at Gainsight.


Who got hit this time?


Oh, just a few small companies you might have heard of:



• Google (yes, THAT Google)

• Cloudflare (the $1.43B security company)

• Proofpoint (literally a security vendor)

• Adidas

• Chanel

• Pandora

• Workday

• Bugcrowd

• Qantas

• TransUnion

• Allianz Life


Total claimed haul: 1 BILLION records from roughly 40 companies, according to the extortion group's own leak site.




The Pattern (September → November)



September 2025:

• Salesloft/Drift OAuth token compromise

• Law Enforcement Request System (LERS) breached

• I warned you to rotate your secrets



November 2025:

• Gainsight breach

• Google, Cloudflare, Proofpoint compromised

• Same threat actor: UNC6395 (the crew calling itself Scattered LAPSUS$ Hunters)


The method? Still OAuth token theft + social engineering.


The lesson? Nobody rotated their damn secrets.




Why This Keeps Happening


Let me quote myself from September:


> "Support agents — bless them — sometimes paste API keys into case notes. Those notes live in Salesforce. Salesforce talks to Salesloft. Salesloft got breached. You see where this is going."


Three months later, companies STILL haven't learned.


Here's the attack chain:


1. Compromise a third-party app vendor (Salesloft, Drift, Gainsight) and take the OAuth tokens it holds for its customers' Salesforce orgs.

2. Use those tokens to query the victims' Salesforce orgs through the API, with access Salesforce sees as fully authorized.

3. Harvest the secrets people pasted into support case notes (cloud access keys, Snowflake tokens, passwords) and pivot to whatever those unlock.

4. Exfiltrate customer data (CRM records, contracts, PII).

5. Extort the victims (the billion-record leak site).


The kicker? Salesforce's platform wasn't breached. The OAuth tokens its integration partners held were, and a stolen token is indistinguishable from the partner's normal API traffic.


Which means every company that has granted a third-party app an OAuth token into its Salesforce org inherits that vendor's security posture, and is exposed the moment the vendor slips.




The Infrastructure Pattern Nobody's Talking About


Here's what my SSL honeypot data shows (and this is the part legacy vendors miss):


Infrastructure tied to UNC6395 activity:

• ✅ HTTPS-only (Let's Encrypt certificates)

• ✅ Legitimate cloud infrastructure (DigitalOcean, UCLOUD)

• ✅ Fresh certificates (1-7 days old)

• ✅ DNS TXT records for C&C rotation


Commodity scanner noise, for comparison:

• ❌ No web services at all (port scanning only)

• ❌ Self-signed certificates (if any)

• ❌ Stale infrastructure


Translation: UNC6395 is a professional operation.


They're not using some sketchy Russian VPS with an expired SSL cert. They're using the same infrastructure you use:



• Let's Encrypt for free SSL

• DigitalOcean for cheap VPS

• Cloudflare for DNS (yes, really)


At the transport layer there is nothing to block on: a valid certificate, a reputable hosting ASN, an IP with no history. Your WAF can't tell them apart from legitimate traffic on those signals alone.




What Legacy Vendors Missed


Cloudflare: Processes 20% of internet traffic, $1.43B in revenue. Got breached anyway.


Proofpoint: Enterprise email security vendor. Got breached anyway.


Google: Unlimited security budget. Got breached anyway.


Why? Because their detection stacks are built around the attacks they sell defences against (malware, DDoS, phishing), not around:


• OAuth token abuse fed by secrets left in support case notes

• Legitimate certificates on attacker infrastructure

• DNS TXT records used for C&C rotation


That's what I catch with a $75/month honeypot.




The Data Cloudflare Doesn't Publish


My SSL honeypot data shows things billion-dollar vendors don't share:


Hosts tied to UNC6395 activity:

• 103.250.186.160 (India): Let's Encrypt R12, credential harvesting

• 152.42.200.79 (Singapore): Let's Encrypt R12, Pterodactyl C&C panel

• Certificate issued: 1 day before attack (fresh infrastructure)


The commodity noise everyone already blocks:

• Port scanners, SSH brute-forcers, credential stuffers

• No web services running

• No SSL certificates


The insight: If you're only blocking "known bad IPs," you're missing the professionals.
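Here is what that enrichment step looks like in code. This is an added example, not code from the honeypot or from the post: it uses only Python's standard `ssl` module, takes a certificate dict shaped like `ssl.SSLSocket.getpeercert()` returns, and tags a host with the three indicators the two honeypot sections above describe (Let's Encrypt issuer, certificate under 7 days old, TXT records present). The sample certificate and TXT records are constructed, the hostname is a placeholder, and the TXT lookup itself is left to the caller (dnspython's `dns.resolver.resolve(name, "TXT")` is one way to fill it in).

```python
import socket
import ssl
from datetime import datetime, timezone

LETS_ENCRYPT_ORG = "Let's Encrypt"


def issuer_org(peercert):
    """organizationName of the issuer, from a dict shaped like ssl.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def cert_age_days(peercert, now):
    """Days since notBefore. getpeercert() formats it as 'Nov 19 08:14:02 2025 GMT',
    which ssl.cert_time_to_seconds parses with no third-party library."""
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notBefore"]), tz=timezone.utc)
    return (now - issued).total_seconds() / 86400


def score_host(peercert, txt_records, now, fresh_days=7):
    """Tag a host with the three indicators the honeypot keys on. Any one tag on its
    own is unremarkable (half the internet uses Let's Encrypt); all three together is
    the fresh, professional, rotatable profile worth a second look."""
    tags = []
    if peercert and issuer_org(peercert) == LETS_ENCRYPT_ORG:
        tags.append("lets_encrypt")
    if peercert and cert_age_days(peercert, now) <= fresh_days:
        tags.append("fresh_cert")
    if txt_records:
        tags.append("txt_records")
    return tags


def fetch_peercert(host, port=443, sni=None, timeout=5):
    """Live enrichment (needs network). Returns the parsed leaf certificate, or None
    when the chain does not validate (self-signed or broken): ssl only fills in the
    getpeercert() dict for certificates it verified. Hostname checking is off because
    honeypot hits are IPs, but chain validation stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


# Constructed sample shaped like ssl.getpeercert() output; not a real host.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "panel.example.invalid"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R12"),)),
    "notBefore": "Nov 19 08:14:02 2025 GMT",
    "notAfter": "Feb 17 08:14:01 2026 GMT",
}
SAMPLE_TXT = ["v=spf1 -all", "c2=panel-3.example.invalid"]  # constructed
NOW = datetime(2025, 11, 20, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("age %.2f days" % cert_age_days(SAMPLE_PEERCERT, NOW))
    print(score_host(SAMPLE_PEERCERT, SAMPLE_TXT, NOW))
```

The point of `score_host` returning tags rather than a verdict is that the combination is the signal; feed the tags into whatever scoring your blocklist already does instead of auto-blocking on "Let's Encrypt" and taking half the web down with it.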




I Told You To Rotate Your Secrets


From my September post:


> "If your secrets haven't been rotated since August, they're stale."


Today is November 23.


That means: If you followed my advice in September, your secrets are now 3 months old.


Rotate them again.




How to Actually Fix This


Step 1: Audit Your OAuth Tokens


Start with every third-party app that holds an OAuth token into your Salesforce org, for example:

• Salesloft

• Drift

• Gainsight

• HubSpot

• Marketo

• Zendesk


Question: When was the last time you rotated those OAuth tokens?


Answer: You don't know, do you?


Step 2: Search Support Case Notes for API Keys


Search Case descriptions, case comments and any other free-text field support can write to for:

• "API key"

• "Secret"

• "Token"

• "Password"


I guarantee you'll find at least 5.


Delete them. Rotate them. Don't paste them in case notes.


Step 3: Enable Salesforce Event Monitoring


Watch for:

• OAuth token creations

• API usage by third-party apps

• Login anomalies


Salesforce has this built-in. Turn it on. (Full Event Monitoring is part of the paid Salesforce Shield add-on; Login History and the connected-app OAuth usage pages in Setup are available to every org, so there is no excuse for not looking.)


Step 4: Assume You're Already Compromised


Because statistically, you probably are.


40 companies breached. 1 billion records stolen.


Are you one of the 40? You might not know yet.
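To make steps 1 to 3 concrete, here is a small scanner and token audit as an added example (not from the post and not a Salesforce tool): it runs the post's keyword search plus shape-based patterns over support case text, redacts what it finds so the report isn't a second copy of the leak, and flags OAuth tokens that are stale, unrecognised or never used. The SOQL strings name the standard Case, CaseComment and OauthToken objects and the fields I believe they carry, and are assumptions rather than anything the post states; the case notes and token rows are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# SOQL you would run to pull the text to scan and the tokens to audit. Object and
# field names are assumed from the standard Case, CaseComment and OauthToken objects.
SOQL_CASE_TEXT = ("SELECT Id, CaseNumber, Description FROM Case "
                  "WHERE LastModifiedDate = LAST_N_DAYS:365")
SOQL_CASE_COMMENTS = "SELECT Id, ParentId, CommentBody FROM CaseComment"
SOQL_OAUTH_TOKENS = ("SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount "
                     "FROM OauthToken")

# The post's keyword search, plus shape-based patterns that catch a secret even when
# nobody wrote "key" next to it. The labelled pattern captures the value in group 2.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)", re.I),
    "labelled_secret": re.compile(
        r"\b(api[ _-]?key|secret|token|password)\b\s*[:=]\s*([^\s'\"]{8,})", re.I),
}


def redact(value):
    """Keep a short prefix for triage, never the whole secret."""
    return value[:4] + "[redacted]"


def scan_case_notes(records):
    """records: iterable of {'id': ..., 'text': ...}. Returns one finding per match
    with the secret redacted; the caller rotates the credential and edits the note."""
    findings = []
    for rec in records:
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(rec["text"]):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"record": rec["id"], "kind": kind, "value": redact(value)})
    return findings


def audit_oauth_tokens(tokens, now, known_apps=(), max_age_days=90):
    """tokens: rows shaped like OauthToken. Flags tokens older than max_age_days,
    tokens for apps nobody can vouch for, and tokens that exist but were never used
    (a dead integration that still grants API access is pure liability)."""
    flagged = []
    for t in tokens:
        reasons = []
        created = datetime.fromisoformat(t["CreatedDate"])
        if now - created > timedelta(days=max_age_days):
            reasons.append("older than %d days" % max_age_days)
        if known_apps and t["AppName"] not in known_apps:
            reasons.append("unrecognised app")
        if t["UseCount"] == 0:
            reasons.append("never used")
        if reasons:
            flagged.append((t["AppName"], reasons))
    return flagged


# Constructed sample data, not real case notes or tokens.
SAMPLE_NOTES = [
    {"id": "00001001", "text": "Customer confirmed the integration works with their key "
                               "AKIAIOSFODNN7EXAMPLE in us-east-1."},
    {"id": "00001002", "text": "Resolved by reinstalling the connector. No further action."},
    {"id": "00001003", "text": "Set api_key: sk_live_51Habcdefghijklmnop in the Drift "
                               "settings and retry."},
    {"id": "00001004", "text": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.dGVzdA.c2ln' "
                               "https://api.example.invalid/v1"},
]
SAMPLE_TOKENS = [
    {"AppName": "Salesloft", "CreatedDate": "2025-06-15T09:00:00+00:00", "UseCount": 5120},
    {"AppName": "Gainsight", "CreatedDate": "2025-10-01T09:00:00+00:00", "UseCount": 880},
    {"AppName": "Data Loader v2", "CreatedDate": "2025-11-18T09:00:00+00:00", "UseCount": 0},
    {"AppName": "Zendesk", "CreatedDate": "2025-10-20T09:00:00+00:00", "UseCount": 40},
]
KNOWN_APPS = ("Salesloft", "Gainsight", "Zendesk")
NOW = datetime(2025, 11, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in scan_case_notes(SAMPLE_NOTES):
        print(finding)
    for app, reasons in audit_oauth_tokens(SAMPLE_TOKENS, NOW, KNOWN_APPS):
        print(app, reasons)
```

Run it against the real export and treat every hit as already compromised: rotate first, clean the note second, and ask why the token for the dead integration was still alive at all.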




The Part Where I'm Right Again


September prediction: "If you think this will blow over, it won't."


November reality: Google, Cloudflare, Proofpoint breached.


December prediction: It's going to happen again.


Why? Because the attack method works:


1. Compromise a third-party SaaS vendor

2. Steal the OAuth tokens it holds

3. Access Salesforce orgs with them

4. Exfiltrate data

5. Extort victims


Until companies fix the root cause (long-lived OAuth tokens handed to third parties, and secrets sitting in support notes for those tokens to reach), this will keep happening.




What I'm Doing About It



Honeypot totals, last 30 days:

• 645 IPs blocked

• 222 SSL-enriched with certificate data

• DNS TXT records for C&C rotation detection



Feed filters (query parameters on the STIX endpoint):

• `?ssl_enriched=true` - Professional attackers only

• `?https_port_open=true` - Web-facing infrastructure

• `?has_txt_records=true` - C&C rotation indicators


Cost: FREE (unlike the $30K-$500K/year vendors charge)


Endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed`


Why I'm sharing this:


Because Cloudflare got breached. Because Google got breached. Because Proofpoint got breached.


Security is cumulative. You need multiple layers.


My SSL honeypot data fills gaps legacy vendors have.




The Uncomfortable Truth


Billion-dollar security companies got owned.


Why? Not because they lack resources. Because they have blind spots.



What the honeypot catches:

• Professional operation indicators (Let's Encrypt certificates)

• Fresh infrastructure patterns (certificates <7 days old)

• DNS TXT records for C&C rotation



What the legacy stack catches:

• Network-layer attacks (DDoS, malware, phishing)

• Known bad IPs (from 10-year-old databases)

• Signature-based detections


Both are needed.


But only one is free.





Sources



• [Salesforce says customers' data accessed after Gainsight breach (TechCrunch)](https://techcrunch.com/2025/11/20/salesforce-says-some-of-its-customers-data-was-accessed-after-gainsight-breach/)

• [Salesforce Extortion Accelerates With New Leak Site (UpGuard)](https://www.upguard.com/blog/salesforce-leak-extortion-scatterered-lapsus-hunters)

• [Widespread Data Theft Targets Salesforce Instances via Salesloft Drift (Google Cloud Blog)](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift)

• [Salesforce Data Theft Roundup (Salesforce Ben)](https://www.salesforceben.com/salesforce-data-theft-roundup-everything-you-need-to-know/)





Related posts:

• [UNC6395: The Breach That Keeps On Breaching (Sep 16, 2025)](https://www.dugganusa.com/post/unc6395-the-breach-the-keeps-on-breaching)

• [When Attackers Have Better OpSec Than You (Nov 23, 2025)](https://www.dugganusa.com/post/when-attackers-have-better-opsec)




About the Author:


Patrick Duggan runs a $75/month SSL honeypot that catches infrastructure patterns billion-dollar vendors miss. Free STIX feed available at analytics.dugganusa.com.


I told you this would keep happening. It did. Rotate your damn secrets.

