Attackers exploited stolen OAuth tokens from the **Salesloft Drift** app—a third-party sales automation tool integrated with **Salesforce**—to gain unauthorized access to Salesforce databases between **August 8 and 18**. The threat actors (tracked as **UNC6395**) executed queries targeting sensitive Salesforce objects, including **cases, accounts, users, and opportunities**, with a primary focus on stealing credentials such as **AWS access keys, passwords, and Snowflake-related tokens**. The breach forced Salesloft and Salesforce to **revoke all active access and refresh tokens**, disrupting integrations and requiring IT admins to re-authenticate connections. Salesforce temporarily **removed Drift from its AppExchange** pending security validation. While the attack did not directly compromise **Google Cloud Platform (GCP)**, affected organizations were urged to **audit Salesforce objects for exposed secrets**, rotate credentials, and revoke compromised API keys. **Google Threat Intelligence Group (GTIG)** confirmed **data exfiltration**, warning that **Salesforce data should be considered compromised**. The incident highlights risks in third-party OAuth integrations, where stolen tokens enable lateral movement into core enterprise systems like Salesforce, exposing **customer leads, contact details, and authentication secrets** to malicious actors.
Source: https://www.theregister.com/2025/08/27/salesforce_salesloft_breach/
TPRM report: https://www.rankiteo.com/company/salesloft
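The advisory step above, "audit Salesforce objects for exposed secrets", can be turned into a repeatable check. The following Python scanner is an added example, not code from the source article or the Rankiteo record; the export record shape, field names and sample rows are constructed assumptions, while the AWS access key ID pattern (an AKIA or ASIA prefix followed by 16 uppercase alphanumerics) is AWS's documented format.

```python
"""Scan exported Salesforce records for exposed credentials.

Added example. The record shape (one dict per row with 'object', 'id'
and the object's text fields) is an assumed, simplified export format,
not Salesforce's actual API output.
"""
import re

# Patterns for secrets that a CRM text field should never contain.
SECRET_PATTERNS = {
    # AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary)
    # followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # "password=..." / "password: ..." assignments pasted into free text.
    "password_assignment": re.compile(
        r"(?i)\bpassword\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    # PEM private-key headers pasted into notes or comments.
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Free-text fields worth scanning on the objects named in the advisory
# (assumed field list; adjust to the org's schema).
TEXT_FIELDS = {
    "Case": ("Subject", "Description", "Comments"),
    "Account": ("Description",),
    "Opportunity": ("Description", "NextStep"),
    "User": ("AboutMe",),
}


def find_exposed_secrets(records):
    """Return one finding per secret-pattern match in a scanned text field.

    Matched values are redacted to their first four characters so the
    scan output does not become a second copy of the secret.
    """
    findings = []
    for rec in records:
        obj = rec.get("object")
        for field in TEXT_FIELDS.get(obj, ()):
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    token = m.group(1) if m.groups() else m.group(0)
                    findings.append({
                        "object": obj,
                        "id": rec.get("id"),
                        "field": field,
                        "kind": kind,
                        "redacted": token[:4] + "*" * (len(token) - 4),
                    })
    return findings


# Constructed sample export: two clean rows and two rows leaking secrets.
# The AWS key below is the placeholder value from AWS documentation.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500000000000001", "Subject": "Login issue",
     "Description": "Customer cannot reach dashboard after SSO change."},
    {"object": "Case", "id": "500000000000002", "Subject": "S3 sync failing",
     "Description": "Their key is AKIAIOSFODNN7EXAMPLE, secret pasted in chat."},
    {"object": "Opportunity", "id": "006000000000003",
     "Description": "Renewal; admin creds password=Tr0ub4dor&3 for staging."},
    {"object": "Account", "id": "001000000000004",
     "Description": "Enterprise account, no notes."},
]

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_RECORDS):
        print(f"{f['object']} {f['id']} {f['field']}: "
              f"{f['kind']} ({f['redacted']})")
```

Each hit identifies the record and field holding the credential so it can be rotated and the field cleaned; keeping the output redacted matters because an audit report that lists live keys in full is itself a target.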
```json
{
  "id": "sal725082725",
  "linkid": "salesloft",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```python
{'affected_entities': [{'customers_affected': 'Organizations using Drift integrated with Salesforce',
                        'industry': 'Technology (Sales Automation)',
                        'name': 'Salesloft (Drift)',
                        'type': 'SaaS (Sales Engagement Platform)'},
                       {'customers_affected': 'Customers using Drift-Salesforce integration',
                        'industry': 'Technology',
                        'name': 'Salesforce',
                        'type': 'CRM Platform'},
                       {'customers_affected': 'Potential exposure of GCP service account keys in Salesforce objects',
                        'industry': 'Cloud Computing',
                        'name': 'Google (via Google Cloud Platform)',
                        'type': 'Technology'},
                       {'name': 'Affected Salesforce-Drift customers (e.g., unnamed organizations)'}],
 'attack_vector': ['stolen OAuth tokens',
                   'social engineering (in separate but related incidents)'],
 'customer_advisories': ['Urged to treat Salesforce data as compromised if using Drift integration',
                         'Recommended immediate remediation steps'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'high (credentials, access tokens, business-critical Salesforce data)',
                 'type_of_data_compromised': ['credentials (AWS access keys, passwords)',
                                              'Snowflake access tokens',
                                              'Salesforce object data (cases, accounts, users, opportunities)',
                                              'potential GCP service account keys']},
 'description': 'Attackers stole OAuth tokens from the third-party Salesloft Drift app, '
                'which integrates with Salesforce databases, to access sensitive Salesforce data. '
                'The campaign is separate from other high-profile Salesforce breaches attributed to '
                'ShinyHunters (UNC6240). The attackers (UNC6395) focused on stealing credentials, '
                'including AWS access keys, passwords, and Snowflake-related tokens. Salesloft and '
                'Google Threat Intelligence Group (GTIG) revoked all active tokens and removed Drift '
                'from Salesforce AppExchange pending investigation. Affected organizations were '
                'advised to review Salesforce objects for compromised data, revoke API keys, and '
                'rotate credentials.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to Salesloft, Drift, and affected organizations'],
            'data_compromised': ['Salesforce objects (cases, accounts, users, opportunities)',
                                 'AWS access keys',
                                 'passwords',
                                 'Snowflake-related access tokens',
                                 'potential Google Cloud Platform service account keys'],
            'identity_theft_risk': ['high (due to stolen credentials)'],
            'operational_impact': ['revocation of OAuth tokens',
                                   're-authentication required for Drift-Salesforce integrations',
                                   'Drift app removed from Salesforce AppExchange'],
            'systems_affected': ['Salesforce databases (via Drift integration)',
                                 'Drift app']},
 'initial_access_broker': {'entry_point': 'Stolen OAuth tokens (Drift app integration with Salesforce)',
                           'high_value_targets': ['AWS access keys',
                                                  'Snowflake tokens',
                                                  'GCP service account keys',
                                                  'Salesforce object data']},
 'investigation_status': 'ongoing (Drift app remains off Salesforce AppExchange pending security assurance)',
 'motivation': ['credential theft',
                'data exfiltration',
                'potential financial gain'],
 'post_incident_analysis': {'corrective_actions': ['Token revocation',
                                                   'App removal from marketplace',
                                                   'Enhanced customer guidance on credential hygiene'],
                            'root_causes': ['Insecure OAuth token management in Drift-Salesforce integration',
                                            'Potential lack of monitoring for anomalous token usage']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Review Salesforce objects for sensitive data and secrets',
                     'Revoke and rotate compromised API keys and credentials',
                     'Monitor for unauthorized access or abuse of stolen secrets',
                     'Enhance OAuth token security and third-party app integrations',
                     'Conduct thorough investigations for signs of lateral movement or further compromise'],
 'references': [{'source': 'The Register'},
                {'source': 'Google Threat Intelligence Group (GTIG) Advisory'},
                {'source': 'Salesloft Advisory'}],
 'response': {'communication_strategy': ['direct notifications to affected customers',
                                         'public advisories from Salesloft and GTIG',
                                         'indicators of compromise (IOCs) shared with admins'],
              'containment_measures': ['revoked all active OAuth access and refresh tokens',
                                       'removed Drift app from Salesforce AppExchange'],
              'enhanced_monitoring': ['advisory to monitor Salesforce objects for malicious activity'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['re-authentication of Drift-Salesforce connections',
                                       'review of Salesforce objects for sensitive data',
                                       'revocation of API keys',
                                       'credential rotation'],
              'third_party_assistance': ['Google Threat Intelligence Group (GTIG)']},
 'stakeholder_advisories': ['Direct notifications to affected customers',
                            'Public advisories with IOCs'],
 'threat_actor': ['UNC6395 (for Salesloft Drift incidents)',
                  'ShinyHunters (UNC6240) (for separate Salesforce incidents)'],
 'title': 'Salesforce-related breaches via stolen OAuth tokens from Salesloft Drift app',
 'type': ['data breach', 'credential theft', 'unauthorized access'],
 'vulnerability_exploited': 'Weakness in OAuth token security (Drift app integration with Salesforce)'}
```