Salesloft Breach Exploits OAuth Tokens for Salesforce Data Theft Campaign
- Salesforce theft: An OAuth token theft operation compromised the Salesloft Drift platform, allowing unauthorized access to Salesforce environments.
- Impacted users: Only customers using the Drift-Salesforce integration were affected by this incident.
- Attribution: Google's Threat Intelligence team identified this incident as UNC6395 threat actor activity.
A sophisticated Salesloft breach has exposed critical vulnerabilities in third-party integrations, enabling threat actors to execute a coordinated Salesforce data theft operation targeting sensitive organizational credentials.
The security incident, tracked by Google's Threat Intelligence team (GTIG) as UNC6395 threat actor activity, demonstrates escalating risks associated with OAuth token management in enterprise SaaS environments.
Advanced OAuth Token Exploitation Campaign
The OAuth token theft operation compromised the Salesloft Drift platform, a third-party integration that connects Drift chat agents with Salesforce, the GTIG report said.
Between August 8 and August 18, 2025, attackers leveraged stolen OAuth and refresh tokens to gain unauthorized access to customer Salesforce environments, executing systematic data exfiltration campaigns focused on high-value credentials.
The UNC6395 threat actor specifically targeted:
- Amazon Web Services (AWS) access keys (AKIA identifiers)
- Snowflake-related access tokens
- Various authentication credentials stored within Salesforce objects
- Organization-specific login URL strings, such as VPN or SSO login pages
A recent Salesloft advisory announced that this incident “did not impact customers who do not use our Drift-Salesforce integration.”
On August 20, 2025, Salesloft revoked all active access and refresh tokens with the Drift application, and Salesforce removed it from the Salesforce AppExchange. GTIG said this issue “does not stem from a vulnerability within the core Salesforce platform.”
Tactical Sophistication and Operational Security
The campaign exhibits advanced operational security measures, including infrastructure obfuscation through Tor networks and legitimate cloud hosting providers such as AWS and DigitalOcean.
Analysis of network artifacts reveals custom user-agent strings, indicating purpose-built tooling designed specifically for Salesforce data extraction operations.
UNC6395 attempted to maintain stealth by deleting query jobs following data extraction, though log integrity remained intact, enabling forensic reconstruction of compromise activities. This behavior demonstrates threat actor awareness of detection mechanisms while revealing limitations in log manipulation capabilities.
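The point in the paragraph above that matters for defenders is that deleting a query job does not delete the record of it. The script below is an added example, not code from the GTIG report or from Salesloft or Salesforce: it runs a simple correlation over a constructed, hypothetical audit log whose field and event names (`QueryJobCreated`, `QueryJobCompleted`, `QueryJobDeleted`, `user_agent`, `src_ip`) are this example's own assumption rather than any real Salesforce log schema. It flags jobs that were deleted shortly after they completed, and raises the severity when the job was run with a user agent outside the integration's known baseline (also constructed).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical audit events. Field names and event names are this
# example's own assumptions, not the schema of any real Salesforce log type.
SAMPLE_EVENTS = [
    # Routine integration job: created, completed, never deleted.
    {"ts": "2025-08-09T02:14:05Z", "event": "QueryJobCreated", "job_id": "750A1",
     "user": "drift-sync@corp.example", "user_agent": "DriftSalesforceSync/2.3", "src_ip": "203.0.113.10"},
    {"ts": "2025-08-09T02:14:40Z", "event": "QueryJobCompleted", "job_id": "750A1",
     "user": "drift-sync@corp.example", "user_agent": "DriftSalesforceSync/2.3", "src_ip": "203.0.113.10"},
    # Suspicious: unfamiliar user agent, job deleted about two minutes after it finished.
    {"ts": "2025-08-10T03:02:11Z", "event": "QueryJobCreated", "job_id": "750B7",
     "user": "drift-sync@corp.example", "user_agent": "bulk-fetcher/1.0", "src_ip": "198.51.100.77"},
    {"ts": "2025-08-10T03:02:50Z", "event": "QueryJobCompleted", "job_id": "750B7",
     "user": "drift-sync@corp.example", "user_agent": "bulk-fetcher/1.0", "src_ip": "198.51.100.77"},
    {"ts": "2025-08-10T03:05:02Z", "event": "QueryJobDeleted", "job_id": "750B7",
     "user": "drift-sync@corp.example", "user_agent": "bulk-fetcher/1.0", "src_ip": "198.51.100.77"},
    # Housekeeping: the normal integration deletes an old job two days later.
    {"ts": "2025-08-11T01:00:00Z", "event": "QueryJobCreated", "job_id": "750C2",
     "user": "drift-sync@corp.example", "user_agent": "DriftSalesforceSync/2.3", "src_ip": "203.0.113.10"},
    {"ts": "2025-08-11T01:00:30Z", "event": "QueryJobCompleted", "job_id": "750C2",
     "user": "drift-sync@corp.example", "user_agent": "DriftSalesforceSync/2.3", "src_ip": "203.0.113.10"},
    {"ts": "2025-08-13T01:00:00Z", "event": "QueryJobDeleted", "job_id": "750C2",
     "user": "drift-sync@corp.example", "user_agent": "DriftSalesforceSync/2.3", "src_ip": "203.0.113.10"},
]

# User agents the integration is expected to present (constructed baseline).
BASELINE_USER_AGENTS = {"DriftSalesforceSync/2.3"}
# A deletion this soon after completion is an anti-forensics signal rather than housekeeping.
DELETE_WINDOW = timedelta(minutes=30)


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_jobs(events, baseline=BASELINE_USER_AGENTS, window=DELETE_WINDOW):
    """Return alerts for query jobs deleted within `window` of completing.

    Severity is 'high' when the job also used a user agent outside the
    baseline, 'medium' when only the quick deletion was observed.
    """
    by_job = defaultdict(dict)
    for e in events:
        by_job[e["job_id"]][e["event"]] = e

    alerts = []
    for job_id, evs in sorted(by_job.items()):
        completed = evs.get("QueryJobCompleted")
        deleted = evs.get("QueryJobDeleted")
        if not (completed and deleted):
            continue  # deletion after completion is the signal we correlate on
        gap = parse_ts(deleted["ts"]) - parse_ts(completed["ts"])
        if not (timedelta(0) <= gap <= window):
            continue  # slow cleanup long after the job ran is not flagged here
        reasons = [f"job deleted {int(gap.total_seconds())}s after completion"]
        unknown_uas = {e["user_agent"] for e in evs.values()} - baseline
        if unknown_uas:
            reasons.append("unrecognized user agent: " + ", ".join(sorted(unknown_uas)))
        alerts.append({
            "job_id": job_id,
            "user": deleted["user"],
            "src_ip": deleted["src_ip"],
            "severity": "high" if unknown_uas else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_jobs(SAMPLE_EVENTS):
        print(alert)
```

Only job 750B7 is flagged: 750A1 was never deleted and 750C2 was deleted two days after it ran by the baseline user agent. In a real hunt the source IPs of flagged jobs would then be checked against Tor exit lists and cloud-provider ranges, and an unrecognized user agent on its own (without any deletion) still deserves a look; this example keeps the two signals coupled to stay small.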
Immediate Response and Remediation Requirements
In coordination with Salesforce, all active Drift application tokens have been revoked, requiring customers to re-authenticate their integrations:
- Go to Settings > Integrations > Salesforce;
- Click Disconnect;
- Click Connect Account;
- Log in with your Salesforce credentials and authorize the connection.
Organizations are advised to:
- Implement credential rotation protocols
- Conduct thorough searches for potentially exposed secrets
- Harden access controls
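The second of these recommendations, searching for exposed secrets, maps directly onto the credential types the article lists above. The scanner below is an added example, not tooling from Salesloft, Salesforce or GTIG: it runs over a constructed sample of exported Salesforce records (hypothetical `Id`, `Object` and `Description` fields; the sample AWS key pair is the well-known documentation example) and reports, with the values redacted, which records hold AWS access key IDs, a secret key next to one, Snowflake account hostnames, credential-looking `password=`/`token=` fragments, or VPN/SSO-style login URLs. The list of matching record IDs is what a rotation effort would start from.

```python
import re

# Constructed sample of exported Salesforce records (hypothetical field names).
# Free-text fields such as Case descriptions are where pasted credentials end up.
SAMPLE_RECORDS = [
    {"Id": "500XX0000001", "Object": "Case",
     "Description": "Customer pasted their AWS creds: AKIAIOSFODNN7EXAMPLE / "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500XX0000002", "Object": "Case",
     "Description": "Please log in at https://vpn.example-corp.internal/login to reproduce"},
    {"Id": "001XX0000003", "Object": "Account",
     "Description": "Snowflake account: acme-prod.snowflakecomputing.com, password=Winter2025!"},
    {"Id": "500XX0000004", "Object": "Case",
     "Description": "Normal support ticket about a billing question."},
]

# Detection patterns. AKIA is the long-term AWS access key ID prefix named in the
# article; the 40-character secret is only reported when an access key ID is present
# in the same field, because on its own that shape matches too much ordinary text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_host": re.compile(r"\b[a-z0-9][a-z0-9._-]*\.snowflakecomputing\.com\b", re.I),
    "credential_keyword": re.compile(r"\b(?:password|passwd|pwd|token|secret)\s*[=:]\s*(\S+)", re.I),
    "login_url": re.compile(r"https?://[^\s\"'<>]*(?:vpn|sso|login|okta|adfs)[^\s\"'<>]*", re.I),
}
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def redact(value):
    """Keep enough of a value to recognise it without reproducing the secret."""
    if len(value) <= 8:
        return "****"
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text):
    """Yield (category, redacted_value) pairs for every hit in one text field."""
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            yield category, redact(value)
    if PATTERNS["aws_access_key_id"].search(text):
        for m in AWS_SECRET.finditer(text):
            yield "aws_secret_access_key", redact(m.group(0))


def scan_records(records, field="Description"):
    """Scan one free-text field across records; return a list of finding dicts."""
    findings = []
    for rec in records:
        for category, redacted in scan_text(rec.get(field, "") or ""):
            findings.append({"record_id": rec["Id"], "object": rec["Object"],
                             "category": category, "redacted": redacted})
    return findings


def summarize(findings):
    """Counts per category plus the sorted record IDs that need remediation."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return {"counts": counts,
            "records_to_remediate": sorted({f["record_id"] for f in findings})}


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f)
    print(summarize(found))
```

Run against a real export, the scanner should be pointed at every long-text field an integration could read, not only `Description`, and every hit should be treated as already compromised and rotated rather than merely deleted from the record.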
This incident highlights critical risks associated with third-party OAuth integrations and underscores the need for enhanced token lifecycle management and continuous monitoring of privileged access pathways within enterprise cloud environments.
In June, Google reported that UNC6040 (ShinyHunters), the group also behind the recent Allianz Life data breach, targeted Salesforce via phishing. Last year, the Snowflake data theft incident attributed to UNC5537 impacted 165 customers.