Hackers steal Salesforce data via Salesloft integration
Briefly

Between August 8 and 18, 2025, attackers exploited the Salesloft integration with Drift and Salesforce to steal OAuth and refresh tokens and access customer environments. The attack targeted sensitive information such as AWS access keys, passwords, and Snowflake-related tokens. Only customers using the Drift–Salesforce link were affected. All active tokens were revoked and administrators must re-authenticate integrations. Google Threat Intelligence links the activity to UNC6395, noting the use of SOQL queries to extract data (including searching support cases) and the deletion of query jobs, although the logs themselves were retained. The attackers operated from Tor, AWS and DigitalOcean infrastructure and used tools including Salesforce-CLI/1.0. Organizations are advised to review Salesforce logs for indicators like AKIA, Snowflake references, "password", "secret", and "key", and to reset and rotate credentials. A ShinyHunters claim was later retracted, and no evidence ties ShinyHunters or Scattered Spider to the intrusion.
Hackers have targeted the Salesloft sales automation platform and exploited the Drift integration with Salesforce to steal OAuth and refresh tokens, thereby gaining access to customer environments. Between August 8 and 18, 2025, the attackers carried out a large-scale data theft, targeting sensitive information, including AWS access keys, passwords, and Snowflake-related tokens. According to Salesloft, only customers with the Drift–Salesforce link were affected. As a precaution, all active tokens have been revoked, and administrators must re-authenticate their integration.
Additional research by Google Threat Intelligence, formerly Mandiant, suggests the involvement of a group identified under the name UNC6395. Once access was gained, this group used SOQL queries to extract sensitive data from Salesforce objects. This included searching support cases for passwords, secrets, and other sensitive information. To make detection more difficult, the attackers deleted query jobs, although log files were retained.
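The log review the article recommends, as an added example that is not part of the original report or of any Salesforce tooling: it scans query log rows for the indicator strings named above (AKIA, Snowflake, "password", "secret", "key") and for the Salesforce-CLI/1.0 user agent, and rolls up hits per user. The CSV column layout and the log rows are constructed for this example and are an assumption, not the real Salesforce event log schema.

```python
import csv
import io
import re
from typing import Dict, List

# Indicator strings taken from the article. AKIA and "password" are matched as
# word prefixes (so "AKIAABCD..." and "passwords" both hit); "key" is matched as
# a whole word to avoid firing on unrelated identifiers.
QUERY_PATTERNS = {
    "AKIA": re.compile(r"\bakia", re.I),
    "snowflake": re.compile(r"snowflake", re.I),
    "password": re.compile(r"\bpassword", re.I),
    "secret": re.compile(r"\bsecret", re.I),
    "key": re.compile(r"\bkey\b", re.I),
}
# User agent named in the article (compared case-insensitively).
SUSPECT_USER_AGENTS = ("salesforce-cli/1.0",)

# Constructed sample rows in an assumed, simplified CSV layout (not the real
# Salesforce EventLogFile schema). IPs are documentation ranges.
SAMPLE_LOG = """TIMESTAMP,USER_ID,USER_AGENT,SOURCE_IP,QUERY
2025-08-10T02:14:07Z,005A1,Salesforce-CLI/1.0,203.0.113.7,"SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%password%'"
2025-08-10T02:15:31Z,005A1,Salesforce-CLI/1.0,203.0.113.7,"SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%' OR Description LIKE '%snowflake%'"
2025-08-10T09:00:00Z,005B2,Mozilla/5.0,198.51.100.4,"SELECT Id, Name FROM Account WHERE Name = 'Acme'"
2025-08-11T11:30:12Z,005C3,Mozilla/5.0,198.51.100.9,"SELECT Id FROM Case WHERE Subject LIKE '%secret%'"
"""

def classify_row(row: Dict[str, str]) -> List[str]:
    """Return the reasons one log row looks suspicious (empty list if none)."""
    reasons = []
    query = row.get("QUERY", "")
    for label, pattern in QUERY_PATTERNS.items():
        if pattern.search(query):
            reasons.append(f"query mentions {label}")
    user_agent = row.get("USER_AGENT", "")
    if user_agent.lower() in SUSPECT_USER_AGENTS:
        reasons.append(f"user agent {user_agent}")
    return reasons

def scan_log(csv_text: str) -> List[Dict[str, object]]:
    """Parse the CSV export and return one finding per suspicious row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify_row(row)
        if reasons:
            findings.append({"timestamp": row["TIMESTAMP"], "user": row["USER_ID"],
                             "ip": row["SOURCE_IP"], "reasons": reasons})
    return findings

def summarize_by_user(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count suspicious rows per user so repeat offenders stand out for review."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["user"]] = counts.get(finding["user"], 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["timestamp"], hit["user"], hit["ip"], "; ".join(hit["reasons"]))
    print(summarize_by_user(hits))
```

Because the attackers deleted their query jobs, run this over the retained event log export rather than the live job list.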
Read at Techzine Global