DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Why the UNC6395 Breach Is Likely to Cascade—Just Like Snowflake’s Did

Patrick Duggan
Aug 27, 2025
2 min read

The Salesforce–Drift breach may appear scoped to a single third-party integration, but the tactics used by UNC6395 mirror the early stages of the Snowflake breach in 2024.

In both cases, attackers didn’t just steal data—they harvested credentials and secrets that could be reused across environments. That’s the real risk: credential portability.

What UNC6395 Did

According to Google Cloud’s Threat Intelligence Group, UNC6395 used compromised OAuth tokens from the Drift app to access Salesforce customer instances and exfiltrate objects like Accounts, Users, Opportunities, and Cases. They then searched for embedded secrets—AWS access keys, Snowflake tokens, passwords—that could be used to compromise other platforms.

This is the same playbook UNC5537 used in the Snowflake breach.

What Happened with Snowflake

In 2024, UNC5537 (aka “Judische” or “Waifu”) accessed Snowflake customer environments using credentials stolen via infostealer malware. The breach eventually impacted over 165 organizations, including:

AT&T: Call and text records for 109 million customers were exposed
Ticketmaster: 590 million records offered for sale on the dark web
Santander Bank: Customer databases compromised
Advance Auto Parts: 2.3 million customer records leaked
LendingTree: Financial data targeted

The breach began with a single contractor endpoint and escalated into one of the largest credential-based compromises in recent memory3.

Why This Pattern Will Repeat

Secrets are portable: An AWS key found in Salesforce can be used to access unrelated infrastructure.
OAuth tokens are under-monitored: Most orgs don’t log or rotate them with the same rigor as passwords or API keys.
Third-party apps are over-permissioned: Drift had access to sensitive Salesforce objects—many other apps likely do too.
Attackers are patient: UNC6395 deleted query jobs to avoid detection, suggesting long-term intent.

In short, the Salesforce breach is not the end—it’s the beginning of a credential cascade. Just as Snowflake’s breach started with a single contractor and ended with global data exposure, the Drift incident may be the first domino in a broader SaaS compromise.

Why the UNC6395 Breach Is Likely to Cascade—Just Like Snowflake’s Did

What UNC6395 Did

What Happened with Snowflake

Why This Pattern Will Repeat

Recent Posts

Comments