Salesloft Drift Breach: OAuth Token Theft and Salesforce Corporate Data Exfiltration
A sophisticated data exfiltration campaign has targeted corporate Salesforce instances, exposing sensitive information from multiple organisations through compromised OAuth tokens linked to the Salesloft Drift third-party application. The threat actor, tracked as UNC6395, systematically harvested credentials and sensitive data between August 8 and 18, 2025, and showed advanced operational security awareness while running SOQL queries across numerous Salesforce objects. Key takeaways: compromised Salesloft Drift OAuth tokens were used to access Salesforce instances; AWS keys, Snowflake tokens and passwords were harvested from Salesforce data; and all Drift tokens have been revoked, so affected organisations must rotate their credentials. The incident is a significant supply chain attack vector: it exploits the trust relationship between Salesforce instances and integrated third-party applications, bypasses traditional security controls and complicates detection for affected organisations.
The Google Threat Intelligence Group reported that UNC6395 used compromised OAuth access and refresh tokens from the Salesloft Drift application to authenticate to targeted Salesforce instances. The attack abused the OAuth 2.0 authorisation framework, under which a third-party application accesses Salesforce data without user credentials ever being exposed to it. UNC6395 then ran systematic SOQL (Salesforce Object Query Language) queries to enumerate and extract data from critical Salesforce objects, including Cases, Accounts, Users and Opportunities, and showed technical sophistication by running COUNT queries to gauge data volumes before exfiltration.
Salesloft indicated that the attacker specifically targeted AWS access keys, passwords, Snowflake credentials and other authentication material stored in Salesforce custom fields and standard objects. Post-exfiltration analysis showed that the actor searched the extracted data for patterns matching credential formats, indicating that the primary objective was credential harvesting rather than conventional data theft.
In response, Salesforce and Salesloft revoked all active OAuth tokens associated with the Drift application on August 20, 2025, closing the attack vector, and the Drift application was removed from the Salesforce AppExchange pending a comprehensive security review. Organisations using the Salesloft Drift integration should review Event Monitoring logs for suspicious UniqueQuery events and for authentication anomalies associated with the Drift connected app, and should also scan their Salesforce objects for exposed secrets with a tool such as TruffleHog.
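As an added illustration (not code from GTIG, Salesloft or Salesforce), the two checks recommended above written in Python over constructed data: the first flags a connected app that sized several objects with COUNT() queries, the second scans record fields for the credential formats the actor hunted for. The event field names, record layout and secret patterns are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample query events; the field names are assumptions, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"app": "Salesloft Drift", "soql": "SELECT COUNT() FROM Case"},
    {"app": "Salesloft Drift", "soql": "SELECT COUNT() FROM Account"},
    {"app": "Salesloft Drift", "soql": "select count() from User"},
    {"app": "Salesloft Drift", "soql": "SELECT COUNT() FROM Opportunity"},
    {"app": "Salesloft Drift", "soql": "SELECT Id, Subject, Description FROM Case"},
    {"app": "Reporting Tool", "soql": "SELECT COUNT() FROM Opportunity"},
]

COUNT_QUERY_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.IGNORECASE)

def count_recon_objects(events):
    """Map each connected app to the set of objects it sized with COUNT()."""
    sized = defaultdict(set)
    for ev in events:
        m = COUNT_QUERY_RE.match(ev["soql"])
        if m:
            sized[ev["app"]].add(m.group(1).lower())
    return sized

def flag_volume_recon(events, min_objects=3):
    """Apps that sized at least min_objects distinct objects before any bulk export."""
    return sorted(app for app, objs in count_recon_objects(events).items()
                  if len(objs) >= min_objects)

# Constructed Salesforce records with the kinds of material the actor hunted for;
# every value is a fake placeholder.
SAMPLE_RECORDS = [
    {"Id": "500AAA000000001", "Description": "Customer key AKIAEXAMPLE000000001 stopped working"},
    {"Id": "500AAA000000002", "Description": "Please reset; password=Winter2025! for the portal"},
    {"Id": "500AAA000000003", "Description": "Snowflake account: token=EXAMPLE_SNOWFLAKE_TOKEN"},
    {"Id": "500AAA000000004", "Description": "Ticket about invoice formatting"},
]

# Simplified credential patterns; a scanner such as TruffleHog applies many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(word|wd)?\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)snowflake.{0,40}?\btoken\s*[:=]\s*\S+"),
}

def scan_records_for_secrets(records, fields=("Description",)):
    """Return (record Id, field, secret kind) for every pattern hit."""
    return [(rec["Id"], f, kind) for rec in records for f in fields
            for kind, pat in SECRET_PATTERNS.items() if pat.search(rec.get(f, ""))]
```

Any hit from the scanner marks a credential that must be rotated, since the report shows the actor searched exported data for exactly these formats.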
Categories: Data Exfiltration, OAuth Token Exploitation, Security Mitigations
Tags: Data Exfiltration, Salesforce, OAuth Tokens, Salesloft Drift, UNC6395, SOQL Queries, Credential Harvesting, Supply Chain Attack, Authentication Anomalies, Security Mitigations