UNC6395 targets Salesloft in Drift OAuth token theft campaign
Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395.
Google Threat Intelligence Group (GTIG) and Mandiant researchers are investigating a large-scale data theft campaign in which attackers compromised the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent. The experts found that the threat actor UNC6395 used the stolen Salesloft Drift OAuth tokens to exfiltrate data from Salesforce between Aug 8 and 18, 2025, harvesting credentials such as AWS access keys (AKIA) and Snowflake tokens.
“Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.” reads the report published by the Google TIG group. “The actor systematically exported large volumes of data from numerous corporate Salesforce instances.”
UNC6395 stole Salesforce data, prompting GTIG to advise treating it as compromised and rotating credentials. The threat actor deleted query jobs to evade detection. Google urges log reviews, key revocation, and credential rotation to assess compromise.
“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps.” recommends Google. “Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.”
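A starting point for the secret sweep Google recommends, added here as an example and not code from Google, Salesloft or the article: a small Python scanner run over exported Salesforce records. The AKIA prefix and length are AWS's documented access key ID format; the Snowflake and password patterns are keyword heuristics assumed here, and the sample records are constructed.

```python
import re
from typing import Dict, Iterable, List

# Secret patterns to look for in exported Salesforce text fields.
# The AKIA prefix/length is AWS's documented access key ID format; the
# Snowflake and password patterns are keyword heuristics assumed here,
# not a vendor-specified format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|key)\s*[:=]\s*([A-Za-z0-9_\-]{20,})"),
    "password": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S{6,})"),
}

# Free-text fields on the objects Salesloft named as exported (Cases, Accounts).
SCAN_FIELDS = ("Subject", "Description", "Comments", "Name")

# Constructed sample records in the shape of a Salesforce export (not real data).
SAMPLE_RECORDS = [
    {"Id": "5001", "Object": "Case", "Subject": "S3 upload failing",
     "Description": "Tried with key AKIAIOSFODNN7EXAMPLE and it still 403s."},
    {"Id": "5002", "Object": "Case", "Subject": "Warehouse access",
     "Description": "snowflake token: dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXRva2Vu"},
    {"Id": "0011", "Object": "Account", "Name": "Acme",
     "Description": "Portal password=Winter2025! for the shared login."},
    {"Id": "5003", "Object": "Case", "Subject": "Billing",
     "Description": "No secrets here."},
]


def redact(value: str) -> str:
    """Keep only enough of the value to locate it again in Salesforce."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per secret-like value found in a scanned field."""
    findings = []
    for rec in records:
        for field in SCAN_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"record_id": rec.get("Id", "?"),
                                     "object": rec.get("Object", "?"),
                                     "field": field, "type": kind,
                                     "value": redact(match.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['record_id']} {f['field']}: {f['type']} {f['value']}")
```

Each finding names the object, record and field so the owning team can revoke or rotate the credential and then check the provider's own logs for abuse during the Aug 8 to 18 window.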
Salesloft warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20, 2025, it revoked all Drift–Salesforce connections, stressing that non-Salesforce users are unaffected. Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified, though the full scale remains unclear.
“From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified.” reads the Drift/Salesforce Security Update published by Salesloft. “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
Salesforce said only a small number of customers were affected due to a compromised app connection. Working with Salesloft, it revoked tokens, pulled Drift from AppExchange, and notified impacted users.
Salesloft states that it has no evidence of ongoing malicious activity related to this incident.
Salesloft and Salesforce are requiring admins to re-authenticate. A DFIR firm is assisting the investigation. Salesloft also shared indicators of compromise (IOCs).
Pierluigi Paganini
(SecurityAffairs – hacking, data theft)