Data Theft Exposes Salesforce Users to New Threats
A significant data theft campaign has compromised over 700 organizations through a breach of Salesloft's Drift AI chat agent. Hackers, identified as UNC6395, exploited OAuth tokens to extract sensitive data from Salesforce instances. This incident highlights the increasing sophistication of cyber threats and the need for robust security measures.
AI Shield Stack
10/9/2025 · 2 min read


A recent data theft campaign has left over 700 organizations vulnerable after hackers breached the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift AI chat agent. The attackers, identified as a group known as UNC6395 by the Google Threat Intelligence Group (GTIG) and Mandiant, targeted Salesforce customer instances from August 8 to August 18, 2025. Their method involved exporting large volumes of sensitive data from various corporate Salesforce environments, potentially harvesting credentials for further exploitation.
According to researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan, the threat actors managed to extract critical information, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. This sophisticated operation showcases a high level of planning and execution, with the attackers even deleting query jobs to cover their tracks. Organizations are now urged to review logs for signs of data exposure and to take immediate actions such as revoking API keys and rotating credentials.
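A worked illustration of the log review the researchers recommend, added here as an example (it is not code from the article, from Salesloft, or from Salesforce). It assumes a simplified, constructed export of API activity with the fields timestamp, client app, event, object and row count, a constructed connected-app name of "Drift", and an arbitrary bulk-export threshold; it flags large query exports by that app inside the reported August 8 to 18 window and query jobs that were deleted after creation, the two behaviours the article attributes to UNC6395.

```python
"""Triage a Salesforce-style API activity export for the behaviours
described in the article: bulk data exports by a connected app inside
the campaign window, and query jobs deleted afterwards to cover tracks."""
from datetime import datetime

# Campaign window reported by GTIG/Mandiant (dates from the article).
WINDOW_START = datetime(2025, 8, 8)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59)
ROW_THRESHOLD = 100_000  # assumed bulk-export threshold; tune per org

# Constructed sample log with a simplified schema (assumption):
# timestamp|client_app|event|object|rows
SAMPLE_LOG = """\
2025-08-07T09:12:00|Drift|BulkQueryCreate|Contact|1200
2025-08-10T02:14:05|Drift|BulkQueryCreate|Case|850000
2025-08-10T02:40:12|Drift|BulkQueryDelete|Case|0
2025-08-12T03:01:44|Drift|BulkQueryCreate|Account|410000
2025-08-12T10:15:00|MarketingSync|BulkQueryCreate|Lead|3000
2025-08-20T08:00:00|Drift|BulkQueryCreate|Contact|900
"""


def parse(log_text):
    """Parse pipe-delimited lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, app, event, obj, rows = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "app": app,
                       "event": event, "object": obj, "rows": int(rows)})
    return events


def triage(events, app_name="Drift"):
    """Return findings for one connected app, in chronological order:
    ("bulk_export", object, rows) for large in-window exports and
    ("job_deleted", object, minutes_after_creation) for deleted jobs."""
    findings = []
    open_jobs = {}  # object -> creation time of the app's query job
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["app"] != app_name:
            continue
        in_window = WINDOW_START <= e["ts"] <= WINDOW_END
        if e["event"] == "BulkQueryCreate":
            open_jobs[e["object"]] = e["ts"]
            if in_window and e["rows"] >= ROW_THRESHOLD:
                findings.append(("bulk_export", e["object"], e["rows"]))
        elif e["event"] == "BulkQueryDelete" and e["object"] in open_jobs:
            age = (e["ts"] - open_jobs.pop(e["object"])).total_seconds() / 60
            findings.append(("job_deleted", e["object"], round(age)))
    return findings
```

Any object that appears in a finding is a candidate for the credential rotation the article describes, since exported records may have carried AWS keys, passwords or Snowflake tokens.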
Salesloft issued a statement on August 20, 2025, acknowledging a security issue in the Drift application and proactively revoking connections between Drift and Salesforce. While the incident does not affect customers who do not integrate with Salesforce, those who do are advised to re-authenticate their Salesforce connections. The exact scale of the breach remains unclear, but Salesloft has committed to notifying all affected parties.
Salesforce commented that a small number of customers were impacted due to a compromise in the app's connection. Upon detection of the breach, Salesloft and Salesforce invalidated active access and refresh tokens, removing Drift from AppExchange. This incident underscores the need for heightened security measures in the face of increasingly targeted attacks.
Expert Cory Michal, CSO of AppOmni, highlighted the disciplined approach taken by UNC6395, indicating that this was not just a random act of compromise. The attackers specifically targeted organizations of interest, many of which were security and technology companies, potentially positioning themselves for further supply chain attacks. By infiltrating vendors and service providers, they could pivot into downstream customers and partners, amplifying the threat across the technology supply chain.
Following the breach, Salesloft has engaged Mandiant and Coalition to investigate the situation and facilitate containment and remediation efforts. They are urging Drift customers to update their API keys for all connected integrations, emphasizing the importance of proactive security measures. This incident serves as a critical reminder of the vulnerabilities that exist within SaaS platforms and the necessity for organizations to remain vigilant in their security protocols.
In a world where cyber threats are evolving, AI Shield Stack (https://www.aishieldstack.com) offers solutions that can help organizations enhance their security posture and protect against such breaches.
Cited: https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html