TL;DR
Google Threat Intelligence Group and Mandiant say an actor tracked as UNC6395 used compromised OAuth tokens tied to the Salesloft Drift app to pull large volumes of data from multiple Salesforce instances in August 2025. Organizations are urged to treat integration tokens as potentially compromised, rotate credentials, and search for exposed secrets; an August 28 update expanded impact to other Drift integrations including Drift Email.
What happened
GTIG and Mandiant investigated a campaign that began as early as Aug. 8, 2025 in which a threat actor identified as UNC6395 exported substantial data from corporate Salesforce environments using OAuth tokens associated with the Salesloft Drift third-party application. The intruder executed queries across objects such as Accounts, Opportunities, Users and Cases and then searched the exported material for secrets. GTIG observed targeted credential types including long-term AWS access keys, Snowflake tokens and plaintext passwords. In response, Salesloft and Salesforce revoked active Drift access and removed the Drift app from the Salesforce AppExchange while Salesloft engaged Mandiant for incident response. On Aug. 28 GTIG expanded its findings: other Drift integrations beyond Salesforce are affected and OAuth tokens connected to the Drift Email integration were used on Aug. 9 to access a very small number of Google Workspace mailboxes specifically configured for that integration; Google revoked those tokens and disabled the integration.
Why it matters
- Third-party integrations can be an attack vector that exposes large volumes of sensitive data across multiple customer instances.
- Harvested credentials such as AWS keys and access tokens enable follow-on intrusions into cloud and data platforms.
- OAuth tokens and connected-app permissions can grant broad data access even when the core vendor platform itself is not compromised.
- Organizations using Drift should assume tokens and any linked credentials may be exposed and act quickly to remediate.
Key facts
- Actor tracked as UNC6395 carried out the campaign between at least Aug. 8 and Aug. 18, 2025.
- Compromise relied on OAuth tokens tied to the Salesloft Drift third-party application.
- Threat actor exported data from Salesforce objects including Accounts, Opportunities, Users and Cases.
- GTIG observed the actor searching exfiltrated data for secrets like AWS AKIA identifiers, Snowflake tokens and passwords.
- Salesloft and Salesforce revoked active Drift access and removed the Drift app from the Salesforce AppExchange on Aug. 20, 2025.
- GTIG and Mandiant recommend revoking and rotating keys, searching for exposed secrets, and reviewing logs and connected-app activity.
- Aug. 28 update: other Drift integrations are impacted; Drift Email OAuth tokens were used on Aug. 9 to access a very small number of Google Workspace mailboxes configured for that integration.
- Google revoked those specific Drift Email tokens, disabled the Workspace–Drift integration, and is notifying affected Workspace admins.
- Indicators of compromise (IOCs) and malicious User-Agent strings are available through a GTI collection for registered users.
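The secret hunting described above (the actor mining exported Salesforce records for AWS access keys, Snowflake tokens and plaintext passwords) and the remediation GTIG recommends (search your own integrated data for exposed secrets) are the same scan, run by the defender first. The following is an added example, not tooling from GTIG, Mandiant, Salesloft or Salesforce; the Case export rows are constructed, and the Snowflake keyword heuristic is an assumption because Snowflake tokens have no fixed public format.

```python
import csv
import io
import re
from collections import defaultdict

# Patterns for the credential types GTIG observed the actor hunting for.
# The AWS access key ID format (AKIA + 16 uppercase alphanumerics) is documented
# publicly; the Snowflake rule is a keyword heuristic (assumption), and the
# password rule catches "password: value" style notes in free-text fields.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(r"snowflake[^\n]{0,40}?(?:token|pat)\s*[:=]\s*\S{8,}", re.I),
    "plaintext_password": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}

# Constructed sample: a CSV export of the Case object with free-text fields,
# the kind of data that was pulled and then mined. AKIAIOSFODNN7EXAMPLE is
# AWS's published example key, not a live credential.
SAMPLE_CASE_EXPORT = """Id,Subject,Description
500xx0000000001,Login issue,Customer cannot log in; reset sent.
500xx0000000002,Pipeline failure,Support note: use AKIAIOSFODNN7EXAMPLE with secret in the wiki
500xx0000000003,Warehouse access,snowflake token = sfx_constructed_token_value_123
500xx0000000004,Migration,temp password: Hunter2! shared with vendor
"""


def scan_export(csv_text, text_fields=("Subject", "Description")):
    """Return {record_id: [(secret_type, field, masked_match), ...]} for every
    record whose free-text fields contain an exposed secret. Matches are masked
    so the scan report itself does not become another copy of the secret."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in text_fields:
            value = row.get(field) or ""
            for secret_type, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(value):
                    masked = match.group(0)[:4] + "..."
                    findings[row["Id"]].append((secret_type, field, masked))
    return dict(findings)


def summarize(findings):
    """Count findings per secret type, which is what drives the rotation list."""
    counts = defaultdict(int)
    for hits in findings.values():
        for secret_type, _field, _masked in hits:
            counts[secret_type] += 1
    return dict(counts)


if __name__ == "__main__":
    results = scan_export(SAMPLE_CASE_EXPORT)
    for record_id, hits in results.items():
        print(record_id, hits)
    print(summarize(results))
```

Any record id the scan reports should be treated as a credential to revoke and rotate, not just a field to clean up, because the export itself may already have been copied.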
What to watch next
- Follow advisories and notifications from GTIG, Salesloft and Salesforce for additional indicators and remediation steps.
- Search integrated platforms for exposed secrets, revoke and rotate any API keys and authentication tokens tied to Drift connections as recommended by GTIG.
- not confirmed in the source: whether this actor will target other third-party integration platforms beyond those identified to date.
Quick glossary
- OAuth token: A credential used to grant a third-party application access to an account or API without sharing the user's password.
- Data exfiltration: Unauthorized transfer of data from a system to an external location controlled by an attacker.
- Salesforce object: A structured data entity in Salesforce such as Account, User, Case or Opportunity used to store records.
- Connected app: An application configured to integrate with a platform (like Salesforce) using delegated permissions and tokens.
Reader FAQ
Was Salesforce itself breached?
GTIG says the issue did not stem from a vulnerability in Salesforce’s core platform; the compromise involved OAuth tokens tied to a third-party app.
Should organizations revoke tokens and rotate credentials?
Yes. GTIG recommends revoking and rotating API keys, authentication tokens and resetting associated passwords for integrations tied to Drift.
Did Google Workspace mailboxes get accessed?
According to an Aug. 28 update, OAuth tokens for the Drift Email integration were used on Aug. 9 to access a very small number of Google Workspace mailboxes that had been configured with the integration; Google revoked those tokens and disabled the integration.
Who is UNC6395?
not confirmed in the source

Written by: Austin Larsen, Matt Lin, Tyler McLellan, Omar ElAhdan
Sources
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- Ongoing Security Response to Third-Party App Incident
- Cybersecurity Alert – Salesloft Drift AI Supply Chain Attack
- Salesloft Drift supply chain attack leads to widespread data …