Salesloft Data Breach
A large-scale cyberattack has compromised Salesloft's integration with the Drift AI chat agent, enabling hackers to steal OAuth and refresh tokens. The threat actor, tracked as UNC6395, exploited these stolen tokens to breach Salesforce customer environments. Security experts have identified over 700 organizations as potentially affected.
Timeline of the Breach
Investigations reveal that the malicious activity spanned from August 8 to August 18, 2025. During this period, the attackers leveraged compromised OAuth tokens tied to Drift to infiltrate Salesforce instances. Once inside, they exported massive amounts of corporate data, aiming to collect sensitive credentials such as:
- Amazon Web Services (AWS) access keys
- Passwords
- Snowflake-related tokens
Attack Methods and Tradecraft
What makes this campaign stand out is the methodical precision of UNC6395. They did not conduct a one-off intrusion but instead launched structured and repeated attacks across hundreds of Salesforce tenants. Key observations include:
- Disciplined execution – Queries were systematically run to identify and extract credentials.
- Operational awareness – The attackers deleted query jobs to conceal traces of their activities.
- Target selection – Many of the breached organizations were technology and security providers, suggesting this could be a supply chain infiltration attempt.
By compromising vendors and service providers, the group positioned itself to expand attacks downstream into customer and partner ecosystems.
Response From Salesloft and Salesforce
Salesloft issued an advisory on August 20, 2025, acknowledging the breach and confirming it had revoked all Drift–Salesforce connections. Salesforce followed with its own statement, noting that only a 'small number of customers' were directly affected. Both companies have taken immediate steps following the incident:
- Invalidated active Access and Refresh Tokens
- Removed Drift from AppExchange
- Collaborated to contain the attack and assess the impact
Salesloft emphasized that the incident does not affect organizations without Salesforce integrations.
Broader Threat Landscape
Salesforce environments have increasingly become lucrative targets for financially motivated groups. Other clusters, such as UNC6040 and UNC6240 (ShinyHunters), are known for exploiting SaaS environments, with UNC6240 even partnering with Scattered Spider (UNC3944) for initial access campaigns.
At present, there is no evidence linking UNC6395 to these groups, making it a new and distinct threat cluster. The scale, focus, and sophistication of its campaign, however, place it in the same league as these high-risk adversaries.
Mitigation and Next Steps
Salesloft has engaged third-party security vendors to support investigations and remediation efforts. The company is urging administrators to re-authenticate Salesforce connections to restore integrations and take additional security precautions.
Key recommendations include:
- Revoking and rotating existing API keys
- Reconnecting Drift integrations with new keys
- Reviewing logs for suspicious queries and potential data exposure
- Performing deeper investigations to determine the impact
For organizations managing Drift connections through API keys, proactive key rotation is strongly advised. OAuth integrations, however, are already being addressed directly by Salesloft.
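As an added example (not code from Salesloft, Salesforce, or this advisory), the following Python sketch turns the tradecraft described under Attack Methods into a log-review check of the kind recommended above: it flags query jobs issued through the Drift integration inside the August 8 to 18 window that select credential-like fields or that were deleted shortly after creation. The record layout, the app name, the field names and the sample events are constructed assumptions, not Salesforce's real event log schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Window of malicious activity reported in the advisory (end is exclusive, so Aug 18 is included).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)

# Field names that suggest a query is harvesting credentials rather than ordinary CRM data.
CREDENTIAL_FIELD = re.compile(r"(password|secret|token|api[_-]?key|aws|snowflake)", re.IGNORECASE)

# Constructed sample audit records; the keys below are an assumed schema,
# not Salesforce's or Salesloft's actual log format.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:14:03Z", "app": "Drift", "event": "QueryJobCreated", "job": "J1",
     "query": "SELECT Name, Password__c, AWS_Secret__c FROM Account"},
    {"ts": "2025-08-10T02:15:40Z", "app": "Drift", "event": "QueryJobDeleted", "job": "J1", "query": ""},
    {"ts": "2025-08-10T09:00:00Z", "app": "Drift", "event": "QueryJobCreated", "job": "J2",
     "query": "SELECT Id, Subject FROM Case"},
    {"ts": "2025-08-12T04:30:00Z", "app": "Drift", "event": "QueryJobCreated", "job": "J3",
     "query": "SELECT Snowflake_Token__c FROM Integration_Config__c"},
    {"ts": "2025-07-30T11:00:00Z", "app": "Drift", "event": "QueryJobCreated", "job": "J4",
     "query": "SELECT Name, Password__c FROM Account"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious(events, app="Drift", delete_grace=timedelta(minutes=30)):
    """Return {job_id: [reasons]} for in-window query jobs issued via `app`."""
    created = {}   # job id -> (creation time, query text)
    deleted = {}   # job id -> deletion time
    for e in events:
        ts = parse_ts(e["ts"])
        if e["app"] != app or not (WINDOW_START <= ts < WINDOW_END):
            continue  # other integrations and out-of-window activity are ignored here
        if e["event"] == "QueryJobCreated":
            created[e["job"]] = (ts, e["query"])
        elif e["event"] == "QueryJobDeleted":
            deleted[e["job"]] = ts
    findings = {}
    for job, (ts, query) in created.items():
        reasons = []
        if CREDENTIAL_FIELD.search(query):
            reasons.append("query selects credential-like fields")
        if job in deleted and deleted[job] - ts <= delete_grace:
            reasons.append("job deleted shortly after creation (possible trace clean-up)")
        if reasons:
            findings[job] = reasons
    return findings
```

Any job the function returns should be treated as a starting point for the deeper impact investigation the advisory recommends, not as a verdict on its own.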
Final Takeaway
This campaign highlights the growing risks of third-party integrations within SaaS ecosystems. By abusing stolen OAuth tokens, UNC6395 demonstrated the ability to carry out targeted, stealthy, and supply chain–oriented operations. The event serves as a reminder that cloud-based platforms, while powerful, remain prime targets for threat actors seeking to exploit trust relationships across the digital supply chain.