Widespread Authentication Token Theft: Salesloft Incident Affects Major Companies
In a recent cybersecurity breach, organizations such as Palo Alto Networks and Zscaler found themselves victims of a significant authentication token theft campaign aimed at Salesforce instances. The attack was carried out through Salesloft Drift, a third-party AI chat agent platform, raising concerns about data security for numerous clients.
Timeline of the Incident
Salesloft first reported the breach on August 20, revealing that it had acted swiftly by revoking the connections between its Drift platform and Salesforce. The company urged Drift administrators to re-authenticate their Salesforce connections to enhance security.
In a follow-up statement, Salesloft clarified that, during the period from August 8 to August 18, a threat actor utilized OAuth credentials to extract sensitive data from customer Salesforce instances. This alarming revelation indicated a targeted approach to steal not just any data, but specific credentials such as AWS access keys, passwords, and tokens related to Snowflake.
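The credential types named above (AWS access keys, passwords, Snowflake tokens) are exactly what a defender should look for in their own CRM records, so that anything an attacker with stolen OAuth access could have read gets rotated. The scanner below is an added example, not code from the article, Salesloft, Salesforce or Google. The record IDs and text are constructed. The AWS pattern relies on the documented access key ID format (the prefix AKIA followed by 16 upper-case alphanumerics); the Snowflake and password patterns are keyword heuristics assumed here, since those secrets have no fixed format.

```python
"""
Scan exported CRM text fields (e.g. Salesforce case comments) for embedded
secrets and report which records need credential rotation.
Added example: sample records are constructed, not real data.
"""
import re
from dataclasses import dataclass

# AWS access key IDs have a fixed format: "AKIA" + 16 upper-case alphanumerics.
# The other two patterns are keyword heuristics (assumption: passwords and
# Snowflake tokens have no fixed shape, so we key on the surrounding text).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(
        r"snowflake[^\n]{0,40}?(?:token|key)\s*[:=]\s*\S+", re.IGNORECASE
    ),
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}


@dataclass
class Finding:
    record_id: str
    kind: str
    snippet: str  # redacted, so the report itself does not leak the secret


def redact(match: str) -> str:
    """Keep only a short prefix of the matched text for triage."""
    return match[:8] + "..." if len(match) > 8 else "..."


def scan_records(records):
    """Return one Finding per secret-like match across all records."""
    findings = []
    for rec in records:
        text = rec.get("body", "")
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append(Finding(rec["id"], kind, redact(m.group(0))))
    return findings


def records_to_rotate(findings):
    """Distinct record IDs whose secrets should be rotated, sorted for reporting."""
    return sorted({f.record_id for f in findings})


# Constructed sample records (hypothetical IDs and text).
SAMPLE_RECORDS = [
    {"id": "500CASE0001", "body": "Customer asked about licensing renewal; no action needed."},
    {"id": "500CASE0002", "body": "Eng shared creds: AKIAABCDEFGHIJKLMNOP / password=Hunter2!"},
    {"id": "500CASE0003", "body": "Snowflake token: sf-demo-token-xyz for the staging warehouse."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}: {f.kind} -> {f.snippet}")
    print("rotate secrets referenced in:", records_to_rotate(SAMPLE_RECORDS and scan_records(SAMPLE_RECORDS)))
```

Run the scan with a read-only integration of its own, and treat every hit as a rotation task rather than a false-positive review: the cost of a missed key is far higher than an unnecessary rotation.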
The Threat Actor: UNC6395
The threat actor behind the campaign has been identified by Google as UNC6395. This group was particularly focused on exploiting compromised OAuth tokens linked to Salesloft Drift, leading to the systematic extraction of vast amounts of data from numerous corporate Salesforce accounts. Their goal appeared to be uncovering secrets that could further compromise these corporate environments.
Google’s threat intelligence unit, along with its partner Coalition, assisted in addressing the breach. They indicated that, in some instances, the attack also reached a small number of Google Workspace accounts configured to integrate with Salesloft Drift, showing the incident’s broader reach. However, it’s crucial to note that the breach did not stem from a vulnerability within the core Salesforce platform itself.
The Aftermath for Affected Companies
Following the notification of the breach, Salesforce took immediate action by temporarily removing the Drift application from its AppExchange while further investigations were conducted. Additionally, Google disabled the integration between Google Workspace and Salesloft Drift to minimize further risk.
In response to the attack, Palo Alto Networks released a statement confirming that it was one of “hundreds of organizations” impacted by this supply chain attack. Importantly, they reassured that the breach was isolated to their CRM platform, and none of their products or services were affected. The compromised data primarily consisted of business contact information and basic case data concerning their customers. They emphasized the seriousness of the incident, stating they would proactively reach out to clients potentially affected by the breach.
Similarly, Zscaler reported on August 30 that its operations were also impacted, though it emphasized that the credentials obtained provided only limited access to some Salesforce information such as contact and licensing details. After an extensive investigation, Zscaler found no evidence to suggest any misuse of this information.
Rising Supply Chain Attack Trends
This incident comes at a time when the frequency of supply chain attacks is soaring. Recent data from Cyble indicates a troubling trend, revealing that supply chain attacks have doubled since April 2025, averaging 26 incidents per month. This rise is attributed to the mass exploitation of zero-day vulnerabilities and unpatched security flaws.
In one noteworthy case, a ransomware group claimed responsibility for an attack that compromised data for 41,000 customers, illustrating the wide-reaching implications of such breaches. Although IT and IT services sectors are commonly targeted, Cyble’s reports show that at least 20 other industries have been affected by supply chain attacks in the past year.
To counter these threats, Cyble recommends organizations conduct regular security audits, assess third-party risks, and implement robust security practices such as network micro-segmentation and stringent access controls. These measures are vital for minimizing potential damage from future supply chain attacks.
Conclusion
The ongoing developments surrounding the Salesloft incident and the increasing trend in supply chain attacks underscore the importance of vigilance in cybersecurity practices. Organizations must prioritize their security measures to protect sensitive data and ensure the integrity of their systems in this evolving threat landscape.