
Major Data Breach Exposes Thousands of Salesforce Customers Through Compromised Third-Party App

Salesloft Hack

A sophisticated threat actor has successfully infiltrated numerous Salesforce customer instances through compromised OAuth tokens (authentication credentials) associated with the popular Salesloft Drift application, exposing sensitive corporate data from August 8-18, 2025.

Google Threat Intelligence Group (GTIG) identified the campaign, attributing it to UNC6395, a threat actor who systematically extracted large volumes of data from corporate Salesforce environments. The primary objective appears to be credential harvesting, with attackers specifically targeting Amazon Web Services (AWS) access keys, passwords, and Snowflake database tokens.

"The threat actor executed queries to retrieve information associated with Salesforce objects such as Cases, Accounts, Users, and Opportunities," GTIG reported. The attackers demonstrated operational sophistication by deleting query jobs to cover their tracks, though audit logs remained intact for forensic analysis.

The breach exploited OAuth tokens from Salesloft Drift, a sales engagement platform integrated with Salesforce CRM systems. Importantly, customers not using the Drift-Salesforce integration remain unaffected by this campaign.

In response to the discovery, Salesforce and Salesloft took immediate action on August 20, revoking all active access and refresh tokens for the Drift application. Salesforce also temporarily removed Drift from its AppExchange marketplace pending investigation. "This issue does not stem from a vulnerability within the core Salesforce platform," officials clarified.

The incident highlights growing risks associated with third-party application integrations in enterprise environments. OAuth tokens, while convenient for seamless app connectivity, can become powerful attack vectors when compromised.

GTIG recommends that affected organizations immediately search their Salesforce data for exposed secrets, rotate any discovered credentials, and implement stricter access controls. Organizations should review Event Monitoring logs for suspicious activity and consider that their Salesforce data may have been compromised.
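The first of those recommendations, searching Salesforce data for exposed secrets, is something a responder can script. The block below is an added illustration written for this article, not code from GTIG, Salesforce or Salesloft. It assumes that Case records have already been exported as a list of dicts with the standard `Id`, `Subject` and `Description` fields plus a hypothetical `Comments` field (fetching them via the API is not shown), and that the scan is run offline over that export. The AWS access key ID format (`AKIA`/`ASIA` plus 16 upper-case alphanumerics) is AWS-documented; the password and Snowflake patterns are heuristics chosen here and will need tuning. Matches are redacted before reporting so the scan output itself does not become another copy of the secret.

```python
import re

# Secret types named in the article: AWS access keys, passwords, Snowflake
# tokens. Only the AWS access key ID format is a documented one; the rest are
# heuristic assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?access[_ -]?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)snowflake[_ -]?(?:token|password)\s*[:=]\s*\S+"),
}

# Free-text fields worth scanning on a Case record (Comments is hypothetical).
SCAN_FIELDS = ("Subject", "Description", "Comments")


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be correlated, mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text: str) -> list:
    """Return (kind, match) pairs for every secret pattern found in text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def scan_records(records: list) -> list:
    """Scan the free-text fields of each record; secrets are returned redacted."""
    findings = []
    for rec in records:
        for field in SCAN_FIELDS:
            text = rec.get(field)
            if not text:
                continue
            for kind, match in scan_text(text):
                findings.append({
                    "record_id": rec.get("Id"),
                    "field": field,
                    "kind": kind,
                    "redacted": redact(match),
                })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per secret type, useful for deciding what to rotate first."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample export; the AWS values are AWS's own published example
# credentials, the rest are placeholders.
SAMPLE_CASES = [
    {"Id": "500EXAMPLE000001", "Subject": "S3 upload failing",
     "Description": "Tried with AKIAIOSFODNN7EXAMPLE / "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
                    "but still 403."},
    {"Id": "500EXAMPLE000002", "Subject": "Account lockout",
     "Description": "Please reset, old password=Winter2025! no longer works."},
    {"Id": "500EXAMPLE000003", "Subject": "Warehouse access",
     "Comments": "Snowflake token: sf_placeholder_token_123"},
    {"Id": "500EXAMPLE000004", "Subject": "Renewal",
     "Description": "Customer asks about renewal pricing."},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES)
    for f in results:
        print(f"{f['record_id']} {f['field']:<12} {f['kind']:<22} {f['redacted']}")
    print("summary:", summarize(results))
```

Every record that produces a finding maps to a credential that should be treated as compromised and rotated, regardless of whether the export shows it was actually read; the article's point is that the attacker was looking for exactly these strings.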

Salesloft has engaged third-party digital forensics experts and is collaborating with Salesforce to provide detailed attack information to affected customers. All impacted organizations have been directly notified.
