
A major cybersecurity incident has shaken the SaaS ecosystem as hackers exploited a security gap in Salesloft’s Drift AI chat agent, exposing sensitive Salesforce customer data. The breach, first observed on August 8, 2025, allowed attackers to steal OAuth and refresh tokens, granting them unauthorized access to Salesforce instances of multiple organizations.
The campaign has been linked to a threat actor identified by Google Threat Intelligence Group and Mandiant as UNC6395. According to researchers, the attack was opportunistic but executed with high discipline and precision, making it one of the most significant Salesforce-related breaches of the year.
The hackers exploited OAuth credentials tied to the Salesloft Drift AI application, which many businesses use for customer engagement and sales automation. Using the stolen tokens, they infiltrated Salesforce accounts and launched targeted queries to extract large amounts of corporate data.
The stolen information is believed to include:
Amazon Web Services (AWS) access keys
Passwords
Snowflake-related tokens
Salesforce objects like Cases, Accounts, Users, and Opportunities
Security experts say the attackers’ goal was likely to harvest credentials and sensitive business data that could later be used to compromise entire corporate environments.
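The data types listed above (cloud access keys, passwords, Snowflake tokens) are secrets that end up in CRM records because support cases and notes are a convenient place to paste them. A defender can find and purge such material before it is harvested. The following scanner is an added example, not code from the article, Salesloft or Salesforce: it runs regex heuristics over constructed sample Case records. The AWS access key ID prefix and the 20/40-character lengths are AWS's documented format (the key values used are AWS's own published example credentials); the password and Snowflake patterns are assumed heuristics and will need tuning for real data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample Case records for this example (not real customer data).
# Id/Subject/Description are standard Salesforce Case field names; everything
# else about these records is invented.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500XX0000000001", "Subject": "S3 sync failing",
     "Description": "Sync worker needs AKIAIOSFODNN7EXAMPLE and secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500XX0000000002", "Subject": "Portal login reset",
     "Description": "Customer reset: password=Summ3r2025! for the portal account"},
    {"Id": "500XX0000000003", "Subject": "Warehouse access",
     "Description": "Snowflake account locked; token: sf_tok_abc123DEF456 expires Friday"},
    {"Id": "500XX0000000004", "Subject": "Dashboard error",
     "Description": "Cannot log in to dashboard, no error shown"},
]

# Detection patterns. Order matters only for readability of the report.
PATTERNS = {
    # AWS access key IDs are 20 chars and start with AKIA (documented format).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # AWS secret keys are 40 chars of base64-ish text; require the word
    # "secret" nearby to cut false positives (heuristic, assumed).
    "aws_secret_access_key": re.compile(r"(?i)secret[^\n]{0,20}?([A-Za-z0-9/+=]{40})\b"),
    # Inline password assignments such as "password=..." (heuristic, assumed).
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # Token-like values mentioned alongside "snowflake" (heuristic, assumed).
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?(?:token|key)\s*[:=]\s*(\S+)"),
}


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str  # redacted: first 4 characters plus the secret's length


def _redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_records(records: List[Dict[str, str]],
                 text_fields=("Subject", "Description")) -> List[Finding]:
    """Scan the text fields of each record and report redacted secret findings."""
    findings: List[Finding] = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field, "")
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    # Use the capture group when the pattern has one, else the whole match.
                    value = match.group(1) if pattern.groups else match.group(0)
                    findings.append(Finding(rec["Id"], field, kind, _redact(value)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per secret kind, for a quick exposure report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES)
    for f in results:
        print(f"{f.record_id} {f.field:<12} {f.kind:<22} {f.preview}")
    print(summarize(results))
```

Run it against an export of the objects the article names (Cases, Accounts, Users, Opportunities); every hit is a credential to rotate regardless of whether the record was actually queried, because the attacker's goal was exactly this kind of material.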
One striking aspect of this breach is the attackers’ operational discipline. UNC6395 didn’t just steal data—they also took steps to hide their activity. For example, they deleted query jobs in Salesforce logs to reduce the chances of detection.
Despite this, Google is urging all organizations that integrate Salesloft and Salesforce to:
Check their logs for suspicious activity
Revoke and rotate all API keys and tokens
Re-authenticate Salesforce connections
Conduct deeper investigations for potential data exposure
On August 20, 2025, Salesloft issued an advisory confirming that the Drift AI application was at the center of the breach. The company said it had revoked connections between Drift and Salesforce to prevent further exploitation.
Salesloft emphasized that customers not using Salesforce integrations were not affected. However, for impacted organizations, the attacker executed queries that retrieved sensitive business records across multiple Salesforce objects.
To restore functionality securely, Salesloft recommended that administrators re-authenticate their Salesforce integrations. The company also confirmed it had notified all affected customers.
Salesforce, for its part, stated that only a “small number of customers” were impacted. The company quickly collaborated with Salesloft to:
Invalidate stolen Access and Refresh Tokens
Remove the Drift app from AppExchange
Notify affected customers about the breach
This breach highlights a larger trend: Salesforce instances have become a prime target for financially motivated hacking groups.
In recent months, groups such as UNC6040 and UNC6240 (ShinyHunters) have actively targeted SaaS applications, often teaming up with other actors like Scattered Spider (UNC3944) to gain initial access to enterprise systems.
Salesforce’s widespread adoption makes it a particularly lucrative target—one compromised vendor integration can open doors to hundreds of downstream customers.

Cory Michal, Chief Security Officer at AppOmni, described the UNC6395 campaign as both large-scale and highly methodical. Unlike random data theft, this campaign involved:
Targeting hundreds of Salesforce tenants across specific industries
Running structured queries to extract sensitive data
Focusing on credentials that could be used for deeper infiltration
Attempting to erase traces of their actions to avoid detection
Michal also noted that many of the affected organizations were security and technology companies themselves. This raises concerns that the attackers may be using this as an “opening move” in a broader supply chain attack strategy.
The breach illustrates the growing risks of SaaS supply chain attacks. By compromising a vendor or third-party application, attackers can potentially infiltrate not just one company, but an entire network of customers and partners.
As Michal warned, “This is not just an isolated SaaS compromise, but potentially the foundation of a much larger campaign aimed at exploiting the trust relationships across the technology supply chain.”
In light of this incident, experts strongly recommend that businesses take immediate steps to reduce risk:
Review Logs – Look for unusual queries or data exports in Salesforce.
Rotate Credentials – Revoke and re-issue OAuth tokens, API keys, and user credentials.
Re-authenticate Integrations – If using Salesloft with Salesforce, re-establish connections securely.
Audit Third-Party Apps – Regularly review all SaaS integrations for unusual activity.
Implement SaaS Security Controls – Use SaaS security posture management (SSPM) tools to monitor access.
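The "review logs" step above (and Google's matching advice earlier in the article) is easier with a triage script than by eye. The following is an added example, not code from the article, Google, Salesloft or Salesforce. It walks constructed API event records, flags bulk reads of the four objects the article names, flags the query-job deletions the article describes as the attacker's anti-forensics step, and lists the connected apps whose tokens should be revoked. The record field names (ts, user, connected_app, event, query, rows, job_id) are assumptions for this example, not Salesforce's real event schema; map them onto whatever log export you are reviewing.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Objects the article names as targets of the data theft.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}

# Constructed sample events. Field names are assumed for this example,
# not Salesforce's actual EventLogFile schema.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-08-08T02:14:09Z", "user": "drift-integration@corp.example",
     "connected_app": "Salesloft Drift", "event": "api_query",
     "query": "SELECT Id, Subject, Description FROM Case", "rows": 48000},
    {"ts": "2025-08-08T02:16:41Z", "user": "drift-integration@corp.example",
     "connected_app": "Salesloft Drift", "event": "api_query",
     "query": "SELECT Id, Name FROM Account", "rows": 12000},
    {"ts": "2025-08-08T02:19:03Z", "user": "drift-integration@corp.example",
     "connected_app": "Salesloft Drift", "event": "api_query",
     "query": "SELECT Id, Username, Email FROM User", "rows": 3100},
    {"ts": "2025-08-08T02:25:30Z", "user": "drift-integration@corp.example",
     "connected_app": "Salesloft Drift", "event": "query_job_delete",
     "job_id": "750XX0000000ABC"},
    {"ts": "2025-08-08T09:00:00Z", "user": "bi-service@corp.example",
     "connected_app": "Reporting Connector", "event": "api_query",
     "query": "SELECT Id, Name FROM Contact", "rows": 200},
    {"ts": "2025-08-08T09:05:12Z", "user": "drift-integration@corp.example",
     "connected_app": "Salesloft Drift", "event": "api_query",
     "query": "SELECT Id FROM Case WHERE Id = '500XX0000000001'", "rows": 1},
]

FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def queried_object(soql: str) -> Optional[str]:
    """Return the object named in a SOQL FROM clause, or None if absent."""
    m = FROM_RE.search(soql)
    return m.group(1) if m else None


def triage(events: List[Dict], bulk_threshold: int = 1000) -> Dict:
    """Flag bulk reads of sensitive objects and query-job deletions.

    bulk_threshold is an assumed cut-off; set it from your own baseline of
    normal integration volume.
    """
    findings: List[Dict] = []
    rows_by_object: Dict[str, int] = defaultdict(int)

    for ev in events:
        if ev["event"] == "api_query":
            obj = queried_object(ev.get("query", ""))
            if obj is None:
                continue
            rows = int(ev.get("rows", 0))
            rows_by_object[obj] += rows
            if obj in SENSITIVE_OBJECTS and rows >= bulk_threshold:
                findings.append({"rule": "bulk_sensitive_read", "ts": ev["ts"],
                                 "connected_app": ev["connected_app"],
                                 "user": ev["user"], "object": obj, "rows": rows})
        elif ev["event"] == "query_job_delete":
            # Deleting query jobs is the log-hiding behaviour the article describes.
            findings.append({"rule": "query_job_deleted", "ts": ev["ts"],
                             "connected_app": ev["connected_app"],
                             "user": ev["user"], "job_id": ev.get("job_id")})

    # Any connected app that appears in a finding gets its tokens revoked.
    apps_to_revoke = sorted({f["connected_app"] for f in findings})
    return {"findings": findings,
            "rows_by_object": dict(rows_by_object),
            "apps_to_revoke": apps_to_revoke}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for f in report["findings"]:
        print(f["ts"], f["rule"], f["connected_app"], f.get("object") or f.get("job_id"), f.get("rows", ""))
    print("rows by object:", report["rows_by_object"])
    print("revoke tokens for:", report["apps_to_revoke"])
```

The job-deletion rule is the important one: a single bulk read from an integration may be legitimate, but an integration that reads Cases, Accounts and Users and then deletes its own query jobs matches the pattern the article attributes to UNC6395, and the remaining steps (revoke, rotate, re-authenticate) follow from that app list.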
The Salesloft OAuth breach via Drift AI is a wake-up call for businesses relying on Salesforce and third-party integrations. While Salesloft and Salesforce have moved quickly to contain the damage, the incident underlines how OAuth token theft and SaaS supply chain vulnerabilities can put massive amounts of customer data at risk.
As SaaS adoption continues to grow, so does the attack surface for hackers. Companies must strengthen monitoring, enforce tighter access controls, and prepare for the possibility that their trusted apps could become the weakest link.