Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

By Viral Trending Content 4 Min Read

Aug 27, 2025Ravie LakshmananCloud Security / Threat Intelligence

A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.

The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group and Mandiant as UNC6395.

“Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan said.

In these attacks, the threat actors have been observed exporting large volumes of data from numerous corporate Salesforce instances, with the likely aim of harvesting credentials that could then be used to compromise victim environments. These include Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.


UNC6395 has also demonstrated operational security awareness by deleting query jobs, although Google is urging organizations to review relevant logs for evidence of data exposure, alongside revoking API keys, rotating credentials, and performing further investigation to determine the extent of compromise.
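To scope the credential rotation described above, a defender can scan their own exported Salesforce records for the kinds of secrets the article names. The following is an added example, not code from the article, Google, Salesloft, or Salesforce; the regular expressions, field names, and sample Case rows are assumptions constructed for illustration.

```python
import re

# Assumed patterns for the secret types the article names; tune to your data.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Free-text password disclosures such as "password: xyz" or "pwd = xyz".
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S+)"),
    # Snowflake account hostnames, a hint that connection details were shared.
    "snowflake_reference": re.compile(
        r"(?i)\b([a-z0-9_.-]+\.snowflakecomputing\.com)\b"),
}

def redact(value, keep=4):
    """Keep a short prefix so the report does not re-expose the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records, fields=("Subject", "Description")):
    """Return one finding per secret-like match in the given text fields."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""  # exported fields may be null
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"record_id": rec["Id"], "field": field,
                                     "kind": kind, "match": redact(m.group(1))})
    return findings

def rotation_worklist(findings):
    """Group findings by secret type -> sorted record IDs to follow up on."""
    work = {}
    for f in findings:
        work.setdefault(f["kind"], set()).add(f["record_id"])
    return {kind: sorted(ids) for kind, ids in work.items()}

# Constructed sample rows shaped like exported Case records (not real data).
SAMPLE_CASES = [
    {"Id": "case-001", "Subject": "S3 sync failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the deploy box."},
    {"Id": "case-002", "Subject": "Login help",
     "Description": "Temp password: Hunter2-constructed, please reset."},
    {"Id": "case-003", "Subject": "Warehouse connector",
     "Description": "Account URL is acme-demo.snowflakecomputing.com"},
    {"Id": "case-004", "Subject": "Billing question", "Description": None},
]

if __name__ == "__main__":
    for kind, ids in rotation_worklist(scan_records(SAMPLE_CASES)).items():
        print(kind, ids)
```

Every record that appears in the worklist points at a credential that should be treated as exposed and rotated, regardless of whether the logs confirm it was queried.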

Salesloft, in an advisory issued August 20, 2025, said it identified a security issue in the Drift application and that it has proactively revoked connections between Drift and Salesforce. The incident does not affect customers who do not integrate with Salesforce.

“A threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances,” Salesloft said. “The threat actor executed queries to retrieve information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities.”

The company is also recommending that administrators re-authenticate their Salesforce connection to re-enable the integration. The exact scale of the activity is not known. However, Salesloft said it has notified all affected parties.

In a statement Tuesday, Salesforce said a “small number of customers” were impacted, stating the issue stems from a “compromise of the app’s connection.”

“Upon detecting the activity, Salesloft, in collaboration with Salesforce, invalidated active Access and Refresh Tokens, and removed Drift from AppExchange. We then notified affected customers,” Salesforce added.

The development comes as Salesforce instances have become an active target for financially motivated threat groups like UNC6040 and UNC6240 (aka ShinyHunters), the latter of which has since joined hands with Scattered Spider (aka UNC3944) to secure initial access.


“What’s most noteworthy about the UNC6395 attacks is both the scale and the discipline,” Cory Michal, CSO of AppOmni, said. “This wasn’t a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments.”

“They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus, and tradecraft makes this campaign stand out.”

Michal also pointed out that many of the targeted and compromised organizations were themselves security and technology companies, indicating that the campaign may be an “opening move” as part of a broader supply chain attack strategy.

“By first infiltrating vendors and service providers, the attackers put themselves in position to pivot into downstream customers and partners,” Michal added. “That makes this not just an isolated SaaS compromise, but potentially the foundation for a much larger campaign aimed at exploiting the trust relationships that exist across the technology supply chain.”
