Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

In a significant cybersecurity incident, threat actors have exploited vulnerabilities in the sales automation platform Salesloft, specifically targeting OAuth and refresh tokens linked to the Drift AI chat agent. This breach has led to unauthorized access to Salesforce customer data, raising concerns about the security of integrated third-party applications.

Incident Overview

The malicious activity, identified as early as August 8, 2025, and continuing through at least August 18, 2025, has been attributed to a threat actor designated UNC6395 by Google’s Threat Intelligence Group and Mandiant. These attackers focused on Salesforce customer instances by compromising OAuth tokens associated with the Salesloft Drift third-party application.

During the attacks, the perpetrators exported substantial volumes of data from numerous corporate Salesforce instances. Their primary objective appears to be the harvesting of credentials, including Amazon Web Services (AWS) access keys (recognizable by the AKIA prefix of the access key ID), passwords, and Snowflake-related access tokens. Such credentials could be used to further infiltrate and compromise victim environments.

Operational Tactics

UNC6395 demonstrated a high level of operational security awareness by deleting query jobs post-exfiltration, an attempt to cover their tracks. Despite these efforts, Google has urged organizations to review relevant logs for any signs of data exposure. Recommended actions include revoking API keys, rotating credentials, and conducting thorough investigations to assess the extent of the compromise.
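The log review Google recommends has two concrete signals in the behaviour described above: a connected app pulling an unusually large number of rows inside the 8 to 18 August 2025 window, and query jobs that are deleted shortly after they are created. The following script, an added example and not code from Google, Salesloft or Salesforce, triages constructed API-activity log lines for both signals. The column layout (timestamp, connected app name, user, operation, row count, job id) and the operation names are an assumed simplification for this example, not Salesforce's actual EventLogFile schema; the thresholds are illustrative and should be tuned to the tenant's normal integration volume.

```python
"""Triage connected-app API activity for the two signals described in the
incident: high-volume queries by one connected app inside the incident window,
and query jobs deleted soon after creation (the track-covering tactic).

The log lines are constructed for this example. The column layout and the
operation names are an ASSUMED simplification, not Salesforce's real schema.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Incident window from the advisories: 8 August through 18 August 2025 (inclusive).
WINDOW_START = datetime(2025, 8, 8)
WINDOW_END = datetime(2025, 8, 19)  # exclusive upper bound covers all of 18 August

# Constructed sample log. client_name is the connected app that presented the OAuth token.
SAMPLE_LOG = """\
timestamp,client_name,user,operation,rows,job_id
2025-08-07T09:00:00Z,Drift,svc-drift,Query,40,
2025-08-09T02:10:00Z,Drift,svc-drift,BulkJobCreate,0,750abc
2025-08-09T02:11:30Z,Drift,svc-drift,Query,150000,750abc
2025-08-09T02:13:00Z,Drift,svc-drift,BulkJobDelete,0,750abc
2025-08-09T02:20:00Z,Drift,svc-drift,BulkJobCreate,0,750def
2025-08-09T02:21:00Z,Drift,svc-drift,Query,98000,750def
2025-08-09T02:22:00Z,Drift,svc-drift,BulkJobDelete,0,750def
2025-08-10T14:00:00Z,Reporting,alice,BulkJobCreate,0,751aaa
2025-08-10T14:30:00Z,Reporting,alice,Query,5000,751aaa
2025-08-12T08:00:00Z,Drift,svc-drift,Query,25,
"""

ROWS_THRESHOLD = 50_000                # illustrative: rows one app may pull in the window
DELETE_WITHIN = timedelta(minutes=30)  # illustrative: job deleted this soon is suspicious


def parse_log(text: str) -> list[dict]:
    """Parse the CSV into records with a typed timestamp and integer row count."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["rows"] = int(row["rows"] or 0)
        records.append(row)
    return records


def in_window(rec: dict) -> bool:
    return WINDOW_START <= rec["timestamp"] < WINDOW_END


def rows_by_client(records: list[dict]) -> dict:
    """Total rows returned to each connected app by Query operations in the window."""
    totals = defaultdict(int)
    for rec in records:
        if in_window(rec) and rec["operation"] == "Query":
            totals[rec["client_name"]] += rec["rows"]
    return dict(totals)


def short_lived_jobs(records: list[dict]) -> list[tuple]:
    """Return (client, job_id, age) for jobs deleted within DELETE_WITHIN of creation."""
    created = {}
    findings = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if not in_window(rec):
            continue
        if rec["operation"] == "BulkJobCreate":
            created[rec["job_id"]] = rec["timestamp"]
        elif rec["operation"] == "BulkJobDelete" and rec["job_id"] in created:
            age = rec["timestamp"] - created.pop(rec["job_id"])
            if age <= DELETE_WITHIN:
                findings.append((rec["client_name"], rec["job_id"], age))
    return findings


def triage(text: str) -> dict:
    """Run both checks and return the findings as plain data for a report or SIEM."""
    records = parse_log(text)
    totals = rows_by_client(records)
    return {
        "high_volume_clients": sorted(c for c, n in totals.items() if n >= ROWS_THRESHOLD),
        "rows_by_client": totals,
        "short_lived_jobs": short_lived_jobs(records),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client in result["high_volume_clients"]:
        print(f"[!] {client} pulled {result['rows_by_client'][client]} rows in the incident window")
    for client, job, age in result["short_lived_jobs"]:
        print(f"[!] {client} deleted job {job} {int(age.total_seconds())}s after creating it")
```

On the constructed input the Drift app is flagged for both signals, while the Reporting app's single 5,000-row job is not. Against real exports, the row threshold should come from a baseline of the integration's normal daily volume, and the window should be widened if the tenant's own logs show the token in use earlier.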

Salesloft’s Response

On August 20, 2025, Salesloft issued an advisory acknowledging the security issue within the Drift application. The company proactively revoked connections between Drift and Salesforce to mitigate further risks. Salesloft clarified that customers not integrating with Salesforce remain unaffected by this incident.

In their statement, Salesloft detailed that the threat actor utilized OAuth credentials to extract data from customers’ Salesforce instances. The attackers executed queries to retrieve information related to various Salesforce objects, including Cases, Accounts, Users, and Opportunities.

Salesloft has recommended that administrators re-authenticate their Salesforce connections to re-enable the integration. While the exact scale of the breach remains undetermined, the company has notified all affected parties to ensure they are informed and can take necessary precautions.

Salesforce’s Position

Salesforce, in a statement released on August 26, 2025, indicated that a small number of customers were impacted by this breach. The company attributed the issue to a compromise of the app’s connection.

Upon detecting the malicious activity, Salesloft, in collaboration with Salesforce, invalidated active Access and Refresh Tokens and removed Drift from the AppExchange platform. Subsequently, they notified the affected customers to inform them of the breach and the steps taken to address it.

Broader Implications

This incident underscores a growing trend where Salesforce instances are becoming prime targets for financially motivated threat groups. Groups such as UNC6040 and UNC6240 (also known as ShinyHunters) have been actively targeting these platforms. Notably, ShinyHunters has collaborated with Scattered Spider (UNC3944) to secure initial access to these systems.

Cory Michal, Chief Security Officer of AppOmni, highlighted the scale and discipline of the UNC6395 attacks. He noted that this was not an isolated incident but a coordinated effort targeting hundreds of Salesforce tenants across various organizations. The attackers methodically queried and exported data, demonstrating a high level of operational discipline.

Michal also pointed out that many of the targeted organizations were security and technology companies. This suggests that the campaign may be an initial move in a broader supply chain attack strategy. By infiltrating vendors and service providers, attackers position themselves to pivot into downstream customers and partners, potentially leading to more extensive compromises.

Recommendations for Organizations

In light of this breach, organizations are advised to:

– Review and Monitor Logs: Regularly inspect logs for any signs of unauthorized access or data exfiltration.

– Revoke and Rotate Credentials: Promptly revoke compromised API keys and rotate credentials to prevent further unauthorized access.

– Re-authenticate Integrations: Administrators should re-authenticate connections between third-party applications and platforms like Salesforce to ensure secure integrations.

– Enhance Security Measures: Implement multi-factor authentication (MFA) and other security protocols to strengthen defenses against potential breaches.

– Stay Informed: Keep abreast of advisories from service providers and act swiftly on any recommended security measures.
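The "revoke and rotate" step only works if an organization knows which credentials were sitting in the exported objects. Support Cases in particular tend to contain pasted configuration, which is why the campaign looked for AWS access keys, passwords and Snowflake tokens there. The following script, an added example rather than code from any of the vendors named on this page, scans constructed Case record text for those credential classes and produces a rotation plan, redacting matched values so the scan output does not re-expose them. The record bodies and ids are constructed; the AWS key used is Amazon's documented example key, and the patterns are deliberately simple (the AKIA prefix, a Snowflake account host, a password assignment).

```python
"""Scan exported Salesforce record text for the credential classes the campaign
was harvesting, so that anything exposed can be rotated.

Records below are constructed for this example; the AKIA key is the documented
AWS example key. Matched values are redacted in the findings.
"""
import re

# Constructed Case records: (record id, free-text body)
SAMPLE_CASES = [
    ("500A1", "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
              "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("500A2", "Loader fails against xy12345.snowflakecomputing.com with token=REDACTED_BY_CUSTOMER"),
    ("500A3", "Shipping delayed, customer asks for ETA."),
    ("500A4", "Temp login for vendor: user=svc_drift password: Winter2025!"),
]

# Each entry: credential class, detection pattern, and the remediation it implies.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "Rotate the IAM access key and review CloudTrail for its use"),
    ("snowflake_account", re.compile(r"\b[a-z0-9._-]+\.snowflakecomputing\.com\b", re.I),
     "Rotate tokens and keys for this Snowflake account and review LOGIN_HISTORY"),
    ("password", re.compile(r"\bpassword\s*[:=]\s*(\S+)", re.I),
     "Reset the password and check for reuse elsewhere"),
]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_record(record_id: str, text: str) -> list:
    """Return one finding per credential match in a single record body."""
    findings = []
    for kind, pattern, action in PATTERNS:
        for m in pattern.finditer(text):
            # Capture group (if any) holds the secret itself; otherwise the whole match.
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"record": record_id, "kind": kind,
                             "value": redact(value), "action": action})
    return findings


def scan_cases(cases) -> list:
    return [f for rid, body in cases for f in scan_record(rid, body)]


def rotation_plan(findings) -> dict:
    """Group affected record ids by credential class to drive the rotation work."""
    plan = {}
    for f in findings:
        plan.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in plan.items()}


if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for f in results:
        print(f"{f['record']}: {f['kind']} {f['value']} -> {f['action']}")
    print("Rotation plan:", rotation_plan(results))
```

The AWS secret access key in the first record is intentionally not matched: secret keys have no reliable prefix, so in practice the access key ID finding is what drives rotation of the whole key pair. The same scan can be pointed at Account, User and Opportunity exports, the other objects named in Salesloft's statement.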

Conclusion

The Salesloft OAuth breach via the Drift AI chat agent serves as a stark reminder of the vulnerabilities inherent in integrating third-party applications with core business platforms. Organizations must remain vigilant, continuously monitor their systems, and adopt robust security practices to safeguard sensitive data against evolving cyber threats.