Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

A significant data theft campaign has targeted the Salesloft sales automation platform, exploiting OAuth and refresh tokens linked to the Drift AI chat agent to access sensitive customer information in Salesforce.

Researchers from Google Threat Intelligence Group and Mandiant have attributed the campaign to the threat actor known as UNC6395. The activity, which ran from August 8 to at least August 18, 2025, focused on Salesforce customer instances connected via compromised OAuth tokens from the Salesloft Drift third-party application.

Threat actors were observed exporting large volumes of data from numerous corporate Salesforce instances. The stolen data likely includes AWS access keys (recognizable by their "AKIA" key-ID prefix), passwords, and Snowflake-related tokens, any of which could enable further access to victim environments. Notably, UNC6395 displayed operational security awareness by deleting its query jobs to obscure traces of the activity.

In response, Salesloft issued an advisory on August 20, 2025, confirming a security issue in the Drift application and proactively revoking connections between Drift and Salesforce. Customers not integrating with Salesforce were not affected. Administrators are advised to re-authenticate Salesforce connections to restore integration functionality.

Salesforce confirmed that a “small number of customers” were impacted due to a compromise of the app’s connection. Following detection, active Access and Refresh Tokens were invalidated, and Drift was removed from AppExchange. Affected customers were promptly notified.

The campaign highlights how financially motivated threat groups increasingly target SaaS platforms. Experts note that the scale, focus, and operational discipline of UNC6395 are striking. Hundreds of Salesforce tenants were methodically queried, credentials were specifically targeted, and efforts were made to cover tracks, signaling a well-planned attack rather than a one-off compromise.

Cory Michal, CSO of AppOmni, emphasized that many of the targeted organizations were themselves security and technology companies, suggesting this campaign could represent an initial move in a broader supply chain attack strategy. By first compromising vendors and service providers, attackers position themselves to pivot into downstream customers and partners, exploiting trusted relationships across the technology ecosystem.

This incident underscores the importance of strong OAuth security, monitoring, and incident response in SaaS environments, particularly for organizations connected to third-party apps handling sensitive data.

Source: https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html