Salesloft OAuth Breach: Drift AI Chat Agent Compromises Salesforce Customer Data


Aug 27, 2025 | Ravie Lakshmanan | Cloud Security / Threat Intelligence

Data Breach Exposes OAuth Tokens in Salesloft Incident

A data breach at the sales automation platform Salesloft has compromised OAuth and refresh tokens issued to its Drift AI chat agent integration, and the stolen tokens were then used to access customers' Salesforce instances. The incident is a reminder that a third-party integration holding long-lived OAuth tokens is part of an organization's own attack surface: whoever holds the vendor's tokens gets exactly the API access the integration was granted, with no password or MFA prompt in the way.

Details of the Breach

Google Threat Intelligence Group (GTIG) and Mandiant are tracking the activity as UNC6395. Observed activity began around August 8, 2025 and continued until at least August 18, 2025. During this window the actor used OAuth tokens compromised from the Drift application to query Salesforce customer instances.

According to GTIG researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan, the actor exported large volumes of data from numerous corporate Salesforce instances. The exfiltration appears aimed at harvesting credentials stored inside that data, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens, which is what turns a CRM data leak into a potential foothold in other environments.

Operational Security Measures by Hackers

UNC6395 showed operational-security awareness by deleting its query jobs, a step intended to hinder detection. Deleting a query job does not remove the underlying log entries, however, so Google has urged organizations to review their logs for evidence of data exposure, revoke API keys and rotate any credentials found in the exported objects, and investigate to establish the full extent of the compromise.

Salesloft’s Response

Salesloft published an advisory on August 20, 2025 acknowledging a security issue in the Drift application. It revoked all connections between Drift and Salesforce to contain the risk and stated that customers who do not integrate Drift with Salesforce should not be affected.

Salesloft said the threat actor used the OAuth credentials to extract data from its customers' Salesforce instances, running queries against Salesforce objects including Cases, Accounts, Users, and Opportunities. Because the existing tokens have been revoked, administrators must re-authenticate the Salesforce connection to restore the integration.
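To make the guidance above concrete (review the logs for Drift activity, then revoke and rotate anything the exported objects exposed), the following Python is an added example written for this page, not code from Google, Salesloft, Salesforce or the article's author. It assumes a CSV export whose columns approximate Salesforce's EventLogFile API rows (a simplification; real exports carry many more columns), and every log row and Case body it processes is constructed for illustration. It flags queries the Drift connected app ran against the objects named above during the reported 8 to 18 August window, then scans a record body for the credential types the actor was harvesting.

```python
"""Hunt for UNC6395-style activity in Salesforce API event logs and scan the
queried records for the credential types the actor was after.

Added example, not code from Google, Salesloft, Salesforce or the article.
The CSV columns approximate Salesforce EventLogFile 'API' rows (an assumption;
a real export has more columns), and every log row and record body below is
constructed for illustration.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed log rows. The Data Loader row is another client outside the
# window and the Lead row is a non-sensitive object; both should be ignored.
SAMPLE_API_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,QUERY,ROWS_PROCESSED
API,2025-08-09T03:12:44.000Z,005xx000001AAA,Salesloft Drift,"SELECT Id, Subject, Description FROM Case",48213
API,2025-08-09T03:15:02.000Z,005xx000001AAA,Salesloft Drift,"SELECT Id, Name, Email FROM User",1932
API,2025-07-30T11:00:00.000Z,005xx000001BBB,Data Loader,"SELECT Id FROM Account LIMIT 10",10
API,2025-08-12T22:41:19.000Z,005xx000001AAA,Salesloft Drift,SELECT COUNT() FROM Account,1
API,2025-08-12T22:45:37.000Z,005xx000001AAA,Salesloft Drift,"SELECT Id, Name, Amount FROM Opportunity",7764
API,2025-08-15T08:00:00.000Z,005xx000001AAA,Salesloft Drift,"SELECT Id FROM Lead LIMIT 5",5
"""

# Activity window GTIG reported for UNC6395 (8-18 August 2025, end inclusive).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)
# Objects Salesloft said the actor queried.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
OBJECT_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Patterns for the credential types Google said were being harvested. The
# AWS key-id prefix and Snowflake hostname are public formats; the password
# pattern is a heuristic for 'password=...' fragments pasted into tickets.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[a-z0-9-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\bpassword\s*[:=]\s*[^\s,;]+", re.I),
}


def parse_api_log(text):
    """Parse a CSV event-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def queried_object(soql):
    """Return the object named after FROM in a SOQL query, or None."""
    m = OBJECT_RE.search(soql)
    return m.group(1) if m else None


def hunt_drift_queries(rows, app_name="Salesloft Drift"):
    """Return rows where the Drift connected app queried a sensitive object
    inside the activity window. The actor deleted its query jobs, but the
    event log rows remain, which is why this review is still possible."""
    hits = []
    for row in rows:
        if row["CLIENT_NAME"] != app_name:
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if not WINDOW_START <= ts < WINDOW_END:
            continue
        obj = queried_object(row["QUERY"])
        if obj in SENSITIVE_OBJECTS:
            hits.append({"time": row["TIMESTAMP_DERIVED"], "object": obj,
                         "rows": int(row["ROWS_PROCESSED"]), "query": row["QUERY"]})
    return hits


def scan_for_secrets(text):
    """Return (kind, match) pairs for credential-like strings in a record body."""
    return [(kind, m.group(0))
            for kind, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


# Constructed Case description of the kind a support ticket can contain.
SAMPLE_CASE_BODY = ("Customer cannot load the dashboard. Temp creds: AKIAIOSFODNN7EXAMPLE "
                    "and password=Tr0ub4dor&3, warehouse at acme-xy12345.snowflakecomputing.com")

if __name__ == "__main__":
    hits = hunt_drift_queries(parse_api_log(SAMPLE_API_LOG))
    for h in hits:
        print(f"{h['time']} {h['object']:<12} rows={h['rows']:<6} {h['query']}")
    print("rows exported from sensitive objects:", sum(h["rows"] for h in hits))
    for kind, value in scan_for_secrets(SAMPLE_CASE_BODY):
        print(f"ROTATE {kind}: {value}")
```

On the constructed input the hunt returns the four Drift queries against Case, User, Account and Opportunity (57,910 rows exported in total) and ignores the out-of-window Data Loader row and the Lead query; the scanner then reports the AWS key ID, the password fragment and the Snowflake account hostname as items to rotate. Against a real export, the rows-processed column is the quickest way to separate a bulk pull from the integration's normal per-record lookups, and every match from the scanner should be treated as already exposed rather than merely at risk.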

Salesforce’s Assessment

Salesforce confirmed that a "small number of customers" were impacted and attributed the breach to a "compromise of the app's connection." After detecting the suspicious activity, Salesforce and Salesloft invalidated all active access and refresh tokens for the Drift app and removed Drift from AppExchange, and affected customers were notified.

The Bigger Picture: Emerging Threats in Cloud Security

The breach comes against a backdrop of increasingly aggressive Salesforce-focused activity by financially motivated groups such as UNC6040 and UNC6240, the latter operating under the ShinyHunters name; ShinyHunters has recently joined forces with Scattered Spider (UNC3944). Security experts caution that attacks on Salesforce instances are growing more sophisticated, targeting organizations of significant interest and pointing toward supply chain attacks that abuse trusted third-party integrations.

Insights from Cybersecurity Experts

Cory Michal, Chief Security Officer at AppOmni, highlighted the scale and discipline of the UNC6395 campaign. Rather than opportunistic, the operation methodically targeted hundreds of Salesforce tenants belonging to specific organizations. The structured queries the attackers ran point to a deliberate effort to extract credentials, and the deletion of query jobs to an effort to cover their tracks.

Michal suggested that the targeted organizations, which include notable security and technology firms, may be seeing the "opening move" of a broader supply chain attack. By compromising vendors and service providers, attackers position themselves to pivot into downstream customers and partners, exploiting the trust relationships that run through the technology supply chain. Any organization that grants a third-party app OAuth access to its Salesforce data should treat that access as part of its own attack surface and scope it accordingly.
