Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
Briefly

Attackers tracked as UNC6395 used compromised OAuth and refresh tokens tied to the Drift third-party application within Salesloft to access numerous Salesforce customer instances between August 8 and August 18, 2025. The actors exported large volumes of data, focusing on credentials such as AWS access keys (AKIA), passwords, and Snowflake tokens. The group deleted query jobs to hinder detection. Organizations are urged to review logs, revoke API keys, rotate credentials, and investigate the scope of exposure. Salesloft revoked Drift-Salesforce connections and advised administrators to re-authenticate Salesforce integrations to restore service.
A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The activity, assessed to be opportunistic in nature, has been attributed to a threat actor that Google Threat Intelligence Group and Mandiant track as UNC6395. "Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application," researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan said.
In these attacks, the threat actors have been observed exporting large volumes of data from numerous corporate Salesforce instances, with the likely aim of harvesting credentials that could then be used to compromise victim environments. These include Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 has also demonstrated operational security awareness by deleting query jobs, although Google is urging organizations to review relevant logs for evidence of data exposure, alongside revoking API keys, rotating credentials, and performing further investigation to determine the extent of compromise.
Salesloft, in an advisory issued August 20, 2025, said it identified a security issue in the Drift application and that it has proactively revoked connections between Drift and Salesforce. The incident does not affect customers who do not integrate with Salesforce. "A threat actor used OAuth credentials to exfiltrate data from our customers' Salesforce instances," Salesloft said. "The threat actor executed queries to retrieve information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities."
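To judge what an export of the objects named above would have exposed, a defender can scan their own Salesforce data for the credential types the actor was after. The following is an added example, not code from the report, Salesloft, or Google: it reads a Case export in CSV form and reports AWS access key IDs, AWS secret keys, Snowflake account hosts, and inline password assignments. The Snowflake and password patterns are assumed heuristics, and the sample records are constructed.

```python
import csv
import io
import re

# Heuristic patterns for the credential types named in the advisory; the flag
# says whether a hit is a secret to mask in reports. The password and Snowflake
# patterns are assumptions, not documented token formats.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    "aws_secret_access_key": (re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"), True),
    "snowflake_account": (re.compile(
        r"[A-Za-z0-9._-]+\.snowflakecomputing\.com"), False),
    "password_assignment": (re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"), True),
}

# Constructed sample in the shape of a Salesforce Case CSV export. The AWS
# values are the placeholder keys from AWS documentation; none are real.
SAMPLE_CASES_CSV = """Id,Subject,Description
500AAA000001,Login issue,"User cannot log in, reset password and reported OK"
500AAA000002,S3 upload failing,"aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
500AAA000003,Snowflake sync,"account=xy12345.snowflakecomputing.com password=Winter2025!"
500AAA000004,Billing question,Asking about invoice #1234
"""

def mask(value):
    """Keep the first four characters so a hit can be matched to a key id."""
    return value[:4] + "*" * (len(value) - 4)

def scan_records(csv_text, text_fields=("Subject", "Description")):
    """Return (record id, finding type, value) for every pattern hit;
    secrets are masked, identifiers such as a Snowflake account are kept."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in text_fields:
            text = row.get(field) or ""
            for name, (pattern, is_secret) in PATTERNS.items():
                for m in pattern.finditer(text):
                    value = m.group(m.lastindex or 0)
                    findings.append((row["Id"], name, mask(value) if is_secret else value))
    return findings

if __name__ == "__main__":
    for record_id, name, value in scan_records(SAMPLE_CASES_CSV):
        print(record_id, name, value, sep="\t")
```

Every hit of a secret type is a credential to rotate regardless of whether the attacker's deleted query jobs can still be recovered from the logs.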
Read at The Hacker News