Major OAuth Breach at Salesloft: Exposing Salesforce Customer Data Through Drift AI Integration


A sophisticated data theft campaign has exposed over 700 organizations through compromised OAuth tokens linked to Salesloft's Drift AI-powered chatbot integration. The breach, discovered in August 2025, allowed attackers to extract sensitive customer information and credentials from corporate Salesforce instances.

Widespread Impact and Immediate Response

Google's Threat Intelligence Group (GTIG) has attributed the attacks to a newly identified threat actor known as UNC6395. The campaign targeted Salesforce customers through compromised OAuth tokens associated with the Salesloft Drift third-party application between August 8 and August 18, 2025.

Organizations must prioritize implementing robust data security measures to prevent similar breaches. Salesloft responded by revoking all connections between Drift and Salesforce on August 20, while Salesforce removed Drift from its AppExchange marketplace. The incident specifically affects customers using the Salesforce integration, though the full scale of the impact remains under assessment.

Technical Details and Data Exposure

The attackers demonstrated sophisticated capabilities by:

  • Executing targeted queries to extract data from Salesforce objects
  • Harvesting AWS access keys, passwords, and Snowflake-related tokens
  • Methodically deleting query jobs to cover their tracks
  • Focusing particularly on technology and security companies

"What's most noteworthy about the UNC6395 attacks is both the scale and the discipline," explains Cory Michal, CSO of AppOmni. "This wasn't a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens."

Remediation and Security Implications

Understanding modern cybersecurity threats and defenses is crucial for organizations; those affected can protect themselves by:

  1. Reviewing logs for evidence of unauthorized data access
  2. Revoking and rotating all API keys and credentials
  3. Re-authenticating Salesforce connections if using the integration
  4. Updating API keys for all connected Drift integrations
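The attackers harvested AWS access keys, passwords and Snowflake-related tokens from Salesforce data, and the remediation steps above call for rotating every exposed credential. The following script is an added example (not part of this article, Salesloft or Salesforce) showing how a defender can scan exported Salesforce records for such credentials to build a rotation list; the records, field names and the password and Snowflake heuristics are constructed assumptions, while the AWS access key ID format is public.

```python
"""Scan exported Salesforce records for credentials an attacker could have
harvested, so the exposed secrets can be prioritised for rotation.
Added example: records, field names and heuristics are constructed."""
import re

# Secret kinds named in the article. The AWS access key ID format is public;
# the password and Snowflake patterns are heuristics (assumption), and each
# pattern captures the secret value itself in group 1.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake.{0,40}?token\s*[:=]\s*(\S+)"),
}

# Constructed sample export: Case-like records with free-text fields.
SAMPLE_RECORDS = [
    {"Id": "5001", "Subject": "Sync job", "Description": "Ran the sync with key AKIAIOSFODNN7EXAMPLE and it worked"},
    {"Id": "5002", "Subject": "Staging access", "Description": "Temp admin password: Tr0ub4dor&3 for the staging box"},
    {"Id": "5003", "Subject": "Warehouse", "Description": "Snowflake service account token=sf_tok_1234 expires Friday"},
    {"Id": "5004", "Subject": "Billing", "Description": "Customer asked for an invoice copy"},
]


def redact(secret: str) -> str:
    """Keep just enough of the value to identify it in a rotation ticket."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_records(records):
    """Return one finding per secret found in the text fields of each record."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"record": rec.get("Id", "<no id>"), "field": field,
                                     "kind": kind, "value": redact(match.group(1))})
    return findings


def rotation_summary(findings):
    """Count exposed secrets per kind: the rotation work list for step 2 above."""
    summary = {}
    for finding in findings:
        summary[finding["kind"]] = summary.get(finding["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
    print(rotation_summary(scan_records(SAMPLE_RECORDS)))
```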

Security experts suggest this breach could be part of a larger supply chain attack strategy, targeting vendors and service providers to potentially compromise downstream customers and partners.

For more information about OAuth security best practices, visit the OAuth Security Advisory Council.

The incident highlights the growing complexity of securing cloud-based integrations and the importance of maintaining strict access controls across enterprise applications.
