- Hackers breached Salesloft and used compromised OAuth tokens to access Salesforce customer data.
- The threat group, identified as UNC6395, targeted Salesforce instances linked to the Drift AI chat app between August 8 and August 18, 2025.
- Attackers exported sensitive data, including Amazon Web Services (AWS) keys, passwords, and other credentials.
- Salesloft and Salesforce stated that they revoked affected tokens and removed Drift from AppExchange to stop the breach.
- Security experts warn this campaign could be part of a larger supply chain attack, affecting service providers and their customers.
A data theft campaign has impacted the sales automation platform Salesloft, allowing Hackers to use stolen access tokens to break into customer accounts on Salesforce, according to findings from Google Threat Intelligence Group and Mandiant. The attacks began as early as August 8, 2025, and continued through at least August 18, with the focus on exploiting OAuth and refresh tokens tied to the third-party Drift AI chat integration.
Researchers report that the threat actor, tracked as UNC6395, used the breach to pull large amounts of data from several companies’ Salesforce systems. According to Salesloft, the attacker ran database queries in Salesforce to gather information such as customer cases, accounts, users, and opportunities. Exfiltrated credentials also include AWS keys, passwords, and tokens related to the data cloud company Snowflake.
In its advisory, Salesloft confirmed, “A threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances.” The company has revoked the connection between Drift and Salesforce and recommends administrators re-authenticate Salesforce connections to restore integration. Salesforce said only a small number of customers were affected by the compromised app connection and that both companies worked quickly to invalidate all active access and refresh tokens. As part of its response, Salesforce also removed the Drift app from its AppExchange and alerted those impacted. Official statements and ongoing updates are available in both Salesloft’s advisory and the Salesforce status page.
Security investigators note that UNC6395 showed deliberate efforts to cover its tracks, for example by deleting activity logs. Google recommends that organizations review system records for signs of data exposure, switch out all credentials and API keys, and conduct a full investigation of their systems.
Industry experts say that this attack may be the first stage of a larger supply chain threat. Cory Michal, Chief Security Officer of AppOmni, states that many affected targets were technology and security providers themselves, warning, “This wasn’t a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments.”
Recent months have seen other financially motivated groups, such as UNC6040 (also known as ShinyHunters) and UNC6240, join forces to target Salesforce environments. Many organizations remain on alert for further activity as the investigation continues.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Over 50 Countries Seek BRICS Membership as Bloc Expands in 2025
- XRP Futures Surge Past $1B as Price Eyes Breakout Above $3.08
- Fed’s Lisa Cook Hires Abbe Lowell to Fight Trump Mortgage Fraud Firing
- Europe Weighs Digital Euro Launch on Ethereum or Solana Amid US Pressure
- Cardano (ADA) Eyes $1 as Fed Rate Cut Hopes Fuel 5% Rally
