Salesloft OAuth Breach: Drift AI Chat Agent Compromises Salesforce Customer Data

In a widespread data theft campaign, hackers breached the sales automation platform Salesloft and stole OAuth and refresh tokens linked to the Drift artificial intelligence (AI) chat agent. The Google Threat Intelligence Group and Mandiant attribute this opportunistic activity to a threat actor they track as UNC6395. Beginning as early as August 8, 2025, and continuing through at least August 18, 2025, the actor targeted Salesforce customer instances using compromised OAuth tokens associated with the Salesloft Drift third-party application. Researchers Austin Larsen, Matt Lin, Tyler McLellan, and Omar ElAhdan reported that the attackers exported large volumes of data from numerous corporate Salesforce instances, likely aiming to harvest credentials for further compromises.

The stolen data included Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs to cover their tracks. Google has urged organisations to review relevant logs for signs of data exposure, revoke API keys, rotate credentials, and conduct further investigations to assess the extent of the compromise. In an advisory issued on August 20, 2025, Salesloft acknowledged a security issue in the Drift application and proactively revoked connections between Drift and Salesforce. The incident reportedly does not affect customers who do not integrate with Salesforce. Salesloft confirmed that the threat actor used OAuth credentials to exfiltrate data from Salesforce instances, executing queries to retrieve information related to various Salesforce objects, including Cases, Accounts, Users, and Opportunities. 
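To act on the rotate-credentials guidance, a team first needs to know which secrets were sitting in the queried objects. The sketch below is an added example, not code from this article or from Google's or Salesloft's advisories: it scans exported record text for credential-like strings, and the regex patterns, the record layout and the sample rows are all assumptions constructed for illustration.

```python
import re

# Heuristic patterns: assumptions of this example, not indicators from the advisory.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_reference": re.compile(r"(?i)\b[\w-]+(?:\.[\w-]+)*\.snowflakecomputing\.com\b"),
}

def redact(value):
    """Keep a 4-character prefix so the owner can identify the secret without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def scan_records(records):
    """Return one finding per credential-like match in any free-text field."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the captured value when the pattern has a group, else the whole match.
                    secret = m.group(m.lastindex or 0)
                    findings.append({"record": rec["Id"], "field": field,
                                     "kind": kind, "match": redact(secret)})
    return findings

# Constructed sample rows standing in for an export of Case records.
# The key is the placeholder AWS uses in its own documentation.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "S3 upload fails",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the deploy box."},
    {"Id": "CASE-0002", "Subject": "Login help",
     "Description": "Reset done, new password: Winter2025! please confirm."},
    {"Id": "CASE-0003", "Subject": "Warehouse sync",
     "Description": "Connector points at acme-xy12345.snowflakecomputing.com"},
    {"Id": "CASE-0004", "Subject": "Billing question",
     "Description": "Invoice total looks wrong."},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
```

Each finding names the record and field to clean up and the kind of credential to rotate; the Snowflake pattern only flags a reference worth reviewing, since it matches an account hostname rather than a token.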
