Salesloft Breach: Stolen OAuth Tokens Expose Salesforce Data via Drift AI Integration
- John Jordan
- 5 days ago
- 2 min read
A sophisticated cyberattack has compromised the Salesloft platform, exploiting a third-party integration with Drift's AI chat agent to steal sensitive customer data from Salesforce. The breach, attributed to threat actor UNC6395, leveraged stolen OAuth and refresh tokens to gain unauthorized access to Salesforce environments, leading to the exfiltration of critical information including AWS access keys and passwords.

Key Takeaways
- Compromised Integration: The attack targeted the Salesloft-Drift integration, which connects Drift's AI chat functionality to Salesforce.
- Data Exfiltration: Threat actors stole OAuth and refresh tokens, enabling them to access and export data from Salesforce objects like Accounts, Opportunities, Users, and Cases.
- Sensitive Information Targeted: The primary goal was to harvest credentials, including AWS access keys (AKIA), passwords, and Snowflake tokens.
- Attribution: Google Threat Intelligence Group (GTIG) identified the threat actor as UNC6395, though the ShinyHunters group has also claimed responsibility.
- Remediation: Salesloft and Salesforce have revoked compromised tokens and removed the Drift application from AppExchange pending investigation. Affected customers are urged to rotate credentials and review logs.
Attack Details and Tactics
The breach, which began around August 8, 2025, and lasted for approximately ten days, saw threat actors exploit compromised OAuth and refresh tokens associated with the Salesloft Drift application. This allowed them to connect as authenticated users to customer Salesforce instances. The attackers then executed large-scale SOQL queries to export data from key Salesforce objects. To hinder detection, the threat actor attempted to cover their tracks by deleting query jobs, but Salesforce event logs remained intact, allowing for forensic analysis.
Impact and Affected Parties
Only customers integrating Salesloft with Salesforce via Drift were impacted by this incident. Google Cloud customers without this specific integration are not known to be exposed. The stolen data included sensitive material such as AWS access keys (AKIA), passwords, and Snowflake tokens. Organizations are advised to review their Salesforce objects for any captured secrets and to take immediate steps to secure their environments.
Response and Remediation
In response to the incident, Salesloft and Salesforce took swift action. On August 20, 2025, all active Drift tokens were revoked, and the application was removed from the Salesforce AppExchange. Affected customers have been notified and are strongly advised to:
- Rotate and revoke all exposed credentials, including AWS and Snowflake credentials, and reset user passwords.
- Investigate and scan Salesforce objects for sensitive keywords like “AKIA” and “password.”
- Review Salesforce event logs for unusual activity related to the Drift-connected app.
- Harden connected app controls by applying least-privilege scopes, enforcing IP restrictions, and limiting session durations.
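The following is an added example, not code from Salesloft, Salesforce, or the sources above, showing how a defender could act on the steps listed here and on the behaviour described under Attack Details (bulk exports followed by query-job deletion). It scans exported Salesforce field values for the secret types the advisory names, aggregates export volume per connected app to surface the bulk-query-then-delete pattern, and checks a connected app's settings against the hardening controls listed. All records, log entries, app settings, the 100,000-row and 120-minute thresholds, and the simplified field names are this example's own constructed assumptions; the event schema is not Salesforce's EventLogFile format, and the AWS key value is AWS's documented placeholder, not a real credential.

```python
import re
from collections import defaultdict

# --- 1. Secret scan over exported Salesforce field values -------------------
# Heuristic patterns for the secret types named in the advisory. The AKIA rule
# matches the documented shape of an AWS access key ID (AKIA + 16 uppercase
# alphanumerics); the other two are keyword heuristics that need per-org tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\b\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake\b[^\n]{0,80}\btoken\b"),
}

# Constructed sample records (object, record id, field, value). The AWS key is
# the AWS documentation placeholder; the password and token are made up.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "field": "Description",
     "value": "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE"},
    {"object": "Account", "id": "001xx0000000002", "field": "Description",
     "value": "Renewal discussion, no issues."},
    {"object": "Opportunity", "id": "006xx0000000003", "field": "NextStep",
     "value": "Sandbox login: password=Tr0ub4dor&3 (remove before close)"},
    {"object": "Case", "id": "500xx0000000004", "field": "Comments",
     "value": "Snowflake warehouse access, token: SFEXAMPLETOKEN000"},
]


def scan_records(records):
    """Return (object, record id, field, pattern name) for every field value
    that matches one of the secret patterns."""
    hits = []
    for rec in records:
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(rec["value"]):
                hits.append((rec["object"], rec["id"], rec["field"], name))
    return hits


# --- 2. Event-log review: bulk exports and job deletion per connected app ---
# Constructed, simplified events; field names are this example's own schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:11:05Z", "event": "QueryExport",
     "connected_app": "Drift", "user": "integration@example.com", "rows": 48000},
    {"ts": "2025-08-09T02:14:40Z", "event": "QueryExport",
     "connected_app": "Drift", "user": "integration@example.com", "rows": 61000},
    {"ts": "2025-08-09T02:20:12Z", "event": "BulkJobDelete",
     "connected_app": "Drift", "user": "integration@example.com", "rows": 0},
    {"ts": "2025-08-09T09:00:00Z", "event": "QueryExport",
     "connected_app": "Internal Reporting", "user": "analyst@example.com", "rows": 1200},
]


def find_suspicious_apps(events, row_threshold=100_000):
    """Flag connected apps that exported more than row_threshold rows in total,
    or that deleted query jobs after exporting data. Returns {app: [reasons]}."""
    exported = defaultdict(int)
    deleted_jobs = defaultdict(int)
    for ev in events:
        app = ev["connected_app"]
        if ev["event"] == "QueryExport":
            exported[app] += ev["rows"]
        elif ev["event"] == "BulkJobDelete":
            deleted_jobs[app] += 1
    findings = {}
    for app in set(exported) | set(deleted_jobs):
        reasons = []
        if exported[app] > row_threshold:
            reasons.append(f"exported {exported[app]} rows (threshold {row_threshold})")
        if deleted_jobs[app] and exported[app]:
            reasons.append(f"deleted {deleted_jobs[app]} query job(s) after exporting data")
        if reasons:
            findings[app] = reasons
    return findings


# --- 3. Connected-app hardening check ---------------------------------------
# Simplified model of the three controls the advisory lists; the 120-minute
# limit is an assumed policy value, and the keys are not Salesforce API names.
WEAK_APP = {"name": "chat-integration (constructed)", "scopes": ["full", "refresh_token"],
            "enforce_ip_restrictions": False, "session_timeout_minutes": 1440}
HARDENED_APP = {"name": "chat-integration (constructed)", "scopes": ["api", "refresh_token"],
                "enforce_ip_restrictions": True, "session_timeout_minutes": 60}


def check_connected_app_policy(app, max_session_minutes=120):
    """Return a list of hardening gaps for a connected app's settings."""
    gaps = []
    broad = {"full", "web"} & set(app["scopes"])  # scopes wider than API-only access
    if broad:
        gaps.append(f"over-broad OAuth scopes: {sorted(broad)}")
    if not app["enforce_ip_restrictions"]:
        gaps.append("IP restrictions relaxed for this app")
    if app["session_timeout_minutes"] > max_session_minutes:
        gaps.append(f"session timeout {app['session_timeout_minutes']} min exceeds {max_session_minutes} min")
    return gaps


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print("secret hit:", hit)
    for app, reasons in find_suspicious_apps(SAMPLE_EVENTS).items():
        print("suspicious app:", app, reasons)
    print("weak app gaps:", check_connected_app_policy(WEAK_APP))
    print("hardened app gaps:", check_connected_app_policy(HARDENED_APP))
```

Running it on the constructed data reports three secret hits (one AWS key ID, one password assignment, one Snowflake token reference), flags only the app that exported 109,000 rows and then deleted a query job, and lists three gaps for the weak app settings and none for the hardened ones. Against a real org the record scan would be fed from a SOQL export of the objects named in the advisory, and the event review from the org's actual event logs, with the thresholds tuned to normal integration volume.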
This incident highlights the critical risks associated with third-party OAuth integrations and underscores the importance of robust security practices and continuous monitoring in enterprise SaaS environments. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.