Threat actors breached Salesloft to steal OAuth and refresh tokens from the Drift chat agent integration, enabling lateral movement into customer Salesforce environments. SalesDrift connects the Drift AI chat agent with Salesforce and synchronizes conversations, leads, and support cases into CRMs. The compromised tokens were used to pivot from Salesloft into customer orgs and conduct a Salesforce data theft campaign between August 8 and August 18, 2025. Initial findings indicate the primary objective was credential theft, with attackers targeting AWS access keys, passwords, and Snowflake-related access tokens. Known threat groups such as ShinyHunters and Scattered Spider exploited the integration tokens.
Hackers breached the sales automation platform Salesloft and stole OAuth and refresh tokens from its Drift chat agent integration with Salesforce, then used them to pivot into customer environments and exfiltrate data. Salesloft's SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM.
"Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," reads a Salesloft advisory.