314/68 Friday, August 29, 2025

Researchers from Google Threat Intelligence Group (GTIG) and Mandiant have uncovered a large-scale campaign targeting the sales automation platform Salesloft to steal OAuth and refresh tokens linked to the Drift AI Chat Agent. The threat actor group UNC6395 leveraged this vector to extract data from the Salesforce systems of multiple organizations between August 8–18, 2025, aiming to steal critical assets such as AWS Access Keys (AKIA) and Snowflake Tokens.
The report revealed that the attackers used stolen OAuth tokens to exfiltrate large volumes of data from Salesforce objects such as Cases, Accounts, Users, and Opportunities. To reduce the chances of detection, they deleted query jobs after use. This campaign put sensitive information of many organizations worldwide at risk. Google advised organizations using Drift-Salesforce integrations to assume their Salesforce data has been compromised and to take immediate action, including reviewing logs, revoking API keys, rotating credentials, and checking whether any secrets have been exploited by attackers.
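The last recommendation above, checking whether secrets stored in Salesforce records are exposed, is the one most teams have no tooling for. The script below is an added example (not code from the GTIG/Mandiant report, Salesloft, or Salesforce): it scans a CSV export of Salesforce records for credential-like values, covering the AWS access key ID format named in the report plus a few further credential types it does not mention (AWS secret keys, Snowflake tokens, plaintext passwords). The CSV column layout (`Object,Id,Field,Value`) and all sample records are constructed for this example; the AKIA pattern is the public AWS key-ID format, while the Snowflake and password rules are keyword heuristics, not an official token format.

```python
"""Triage scanner: find credentials stored in exported Salesforce records.

Added example, not from the GTIG/Mandiant report or any Salesforce tool.
Assumes records were exported to CSV with columns Object,Id,Field,Value.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample export (NOT real data): a few Salesforce-style records
# with credentials pasted into free-text fields, plus one clean record.
SAMPLE_EXPORT_CSV = """Object,Id,Field,Value
Case,500XXXXXXXXXXXX001,Description,"Customer reported login issue; nothing sensitive here"
Case,500XXXXXXXXXXXX002,Description,"Engineer pasted creds: AKIAEXAMPLE0123456AB / secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Account,001XXXXXXXXXXXX003,Notes__c,"snowflake_token=ETMsDgAAAZ...constructed"
Opportunity,006XXXXXXXXXXXX004,Description,"Renewal discussion, password=Winter2025!"
"""

# Detection rules. The AWS access key ID format (AKIA + 16 uppercase
# alphanumerics) is public. The other three are keyword heuristics chosen for
# this example (an assumption, not an official token format), so expect them
# to over-match on real data and review hits by hand.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret(?:[_ -]?access)?(?:[_ -]?key)?\s*[=:]\s*[\"']?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "snowflake_token": re.compile(r"(?i)snowflake[\w-]*?token\s*[=:]\s*[\"']?(\S+)"),
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*[\"']?(\S+)"),
}


def mask(secret: str) -> str:
    """Keep only a short prefix/suffix so a finding is safe to paste into a ticket."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-2:]}"


def scan_export(csv_text: str) -> list:
    """Return one finding per credential match: which record, field and type.

    The full secret is never stored in the finding, only a masked preview;
    the point is to know what to rotate, not to copy the value around.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["Value"]
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "object": row["Object"],
                    "id": row["Id"],
                    "field": row["Field"],
                    "kind": kind,
                    "preview": mask(secret),
                })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per credential type: this doubles as the rotation work list."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT_CSV)
    for f in results:
        print(f"{f['object']} {f['id']} {f['field']}: {f['kind']} ({f['preview']})")
    print("to rotate:", summarize(results))
```

Run it against an export of the objects the report names (Cases, Accounts, Users, Opportunities) and treat every hit as a credential to rotate, not merely to delete from the record: the data was already exfiltrated, so removing the value from Salesforce afterwards does nothing for the copy the attacker holds.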
Salesloft confirmed that the incident only impacted customers using the Drift-Salesforce integration. On August 20, 2025, the company revoked all connections and notified affected customers. At the same time, Salesforce removed Drift from AppExchange and invalidated compromised tokens. However, GTIG warned that UNC6395 is a highly sophisticated threat group with expertise in both SAP and Salesforce, urging organizations to adopt proactive measures to contain the impact and mitigate risks from future attacks.