A recently discovered breach involving Salesloft, Drift, and Salesforce has exposed customer data, all due to a compromised OAuth connection. Attackers gained unauthorized access and quietly pulled tokens linking Salesloft’s integration with the Drift AI chat agent, which then gave them access to Salesforce records. This happened between August 8 and August 18, 2025, according to threat researchers from Google’s Threat Intelligence Group (GTIG) and Mandiant.

Once attackers had those OAuth and refresh tokens, they used them to execute automated SOQL queries inside many Salesforce instances. They targeted key data, including user profiles, accounts, cases, and opportunities, and even exported credentials. Assets at risk included AWS access keys (the AKIA-prefixed key IDs), Snowflake tokens, and plaintext passwords.

Google’s GTIG estimates that over 700 organizations may have been affected. The situation only started to improve after Salesloft and Salesforce revoked the Drift-related tokens on August 20, 2025, effectively cutting off the attacker’s access.

Once the breach came to light, Salesloft confirmed the unauthorized activity. They revoked all active access and refresh tokens tied to the Drift integration. At the same time, Salesforce temporarily removed the Drift app from its AppExchange while investigations were underway. Affected customers were notified directly.

In terms of tradecraft, attackers showed strong operational security. They used Python-based automation, connected through Tor and cloud VPS hosts, and tried to erase their query history. Fortunately, audit logs remained intact, and GTIG published indicators like suspicious IP addresses and user-agent strings to help defenders detect the intrusion.

The adversary is tracked by Google and Mandiant as UNC6395. While some speculation has linked the breach to other hacking groups, GTIG hasn’t confirmed those claims. Attribution remains tentative and focused on the UNC6395 tracking label for now.

This incident shows how risky third-party integrations can be, especially when they involve OAuth tokens with broad permissions. A single compromised SaaS-to-SaaS connection can turn into a widespread data breach. Cloud-to-cloud connections need the same vigilance as direct access points.

For affected organizations or those using the Drift integration, immediate steps include: examining Salesforce data objects for secrets or tokens; rotating, revoking, or regenerating AWS, Snowflake, and other credentials; re-authenticating apps; and reviewing GTIG’s published IOCs for signs of compromise.
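As an added illustration of the first step above (example code, not from the original post or from any of the vendors named), this Python script scans a constructed batch of exported Salesforce records for the credential types the article lists: AKIA-prefixed AWS access key IDs, Snowflake credentials and plaintext passwords, reporting each hit with the value redacted. The record layout, the sample text and the Snowflake and password heuristics are assumptions.

```python
import re
from typing import Dict, List

# Constructed Salesforce export rows (hypothetical, not incident data). A real
# review would load these from a report or Bulk API export of Case, Account,
# Opportunity and similar objects, then rotate every credential found.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"object": "Case", "id": "CASE-0001", "field": "Description",
     "text": "Customer pasted their config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE"},
    {"object": "Account", "id": "ACCT-0002", "field": "Notes",
     "text": "Snowflake account acme.snowflakecomputing.com token=sfk_abc123def456"},
    {"object": "Opportunity", "id": "OPP-0003", "field": "Description",
     "text": "Demo portal: user=admin password: Winter2025!"},
    {"object": "Case", "id": "CASE-0004", "field": "Description",
     "text": "Printer on floor 3 is offline again."},
]

# Detection patterns. The AWS access key ID format (AKIA + 16 characters) is
# documented; the Snowflake and password patterns are heuristics assumed here,
# so expect some false positives and tune them against your own data.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "snowflake_credential": re.compile(
        r"snowflake[^\n]{0,40}?(?:token|password|pwd)\s*[:=]\s*(?P<secret>\S+)",
        re.IGNORECASE),
    "plaintext_password": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(?P<secret>\S+)", re.IGNORECASE),
}


def redact(secret: str) -> str:
    """Keep only a short prefix so the report itself does not leak the value."""
    return secret[:4] + "***"


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (record, pattern) hit, with the secret redacted."""
    findings = []
    for rec in records:
        for kind, pattern in PATTERNS.items():
            m = pattern.search(rec["text"])
            if m:
                findings.append({"object": rec["object"], "id": rec["id"],
                                 "field": rec["field"], "kind": kind,
                                 "preview": redact(m.group("secret"))})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['id']} [{f['field']}] {f['kind']}: {f['preview']}")
```

Every finding is a credential to rotate or revoke, not merely a record to clean up, since an exported copy may already exist outside your control.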

The main takeaway is simple: limit OAuth scopes, continually monitor connected apps, and treat SaaS-to-SaaS trust relationships as part of your security perimeter. This breach underscores that OAuth access is not risk-free, especially when those connections can be weaponized.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news