Inside the Salesloft Drift OAuth Breach: How OAuth Tokens Fueled a Salesforce Data Theft Campaign—and How to Respond

A coordinated data theft campaign leveraged compromised OAuth access and refresh tokens tied to the Salesloft Drift integration to pull large datasets from many organizations’ Salesforce instances. Google’s Threat Intelligence Group (GTIG) attributes the activity to UNC6395 and observed systematic SOQL querying focused on harvesting credentials and secrets from CRM records. The activity window runs from at least August 8 to August 18, 2025; on August 20, Salesloft and Salesforce revoked active Drift tokens and Salesforce removed Drift from AppExchange pending investigation. The issue did not stem from a core Salesforce platform vulnerability. (cloud.google.com)

Scope and impact

  • Scale: GTIG told multiple outlets it is aware of over 700 potentially impacted organizations, noting the campaign’s breadth and automation. Salesforce stated a “small number of customers” were impacted, reflecting the difference between potential exposure and confirmed impact. (cybersecuritydive.com, cyberscoop.com)
  • The pivot: According to GTIG, a single token stolen from Salesloft enabled access to the Drift tokens of every organization that had linked the integration, which in turn gave the actor direct API access to many Salesforce tenants. (cyberscoop.com)
  • Immediate containment: Salesloft and Salesforce invalidated active access and refresh tokens for Drift on August 20, 2025, and notified affected customers; Drift was temporarily delisted from AppExchange. (cloud.google.com, thehackernews.com)

What the attackers did

UNC6395 authenticated via compromised OAuth tokens associated with the Salesloft Drift connected app and executed structured, repeatable SOQL queries across objects such as Users, Accounts, Cases, and Opportunities. They assessed data volumes, then extracted high-value fields—especially those likely to contain secrets—and attempted to conceal their activity by deleting query jobs. GTIG noted that while some job artifacts were removed, event logs remained available for post-incident review. (cloud.google.com)

What they were after

The primary objective was credential harvesting. Extracted data was searched for:

  • Cloud credentials: Amazon Web Services access keys (AKIA-prefixed access key IDs) and Snowflake-related tokens
  • Other secrets: passwords and VPN details embedded in case descriptions, attachments, custom fields, or free-text notes

These secrets serve as springboards to compromise additional systems beyond Salesforce. (cloud.google.com, cyberscoop.com)

How OAuth and connected apps factored in

The Salesloft Drift integration uses a Salesforce connected app with OAuth scopes that authorize API access on behalf of the customer tenant. Access tokens are short-lived, but a stolen refresh token lets an adversary mint new access tokens, carrying the same scopes the customer originally granted, until the refresh token is revoked or expires. Connected app policies such as scope minimization and the IP Relaxation setting determine how broadly those tokens can be used and from where. In this campaign, token compromise on the provider side enabled cross-tenant reach into many Salesforce orgs that had linked Drift. (cloud.google.com, cyberscoop.com)

Timeline (all dates 2025)

  • Aug 8–18: UNC6395’s data theft activity across numerous Salesforce orgs using compromised Salesloft Drift OAuth tokens. (cloud.google.com)
  • Aug 19–20: Salesloft alerts on malicious Drift activity; in collaboration with Salesforce, all active Drift access/refresh tokens are revoked on Aug 20; Salesforce removes Drift from AppExchange. Activity subsides after revocation. (cyberscoop.com, thehackernews.com)
  • Aug 26: GTIG publishes public advisory with technical details, IOCs, and remediation guidance. (cloud.google.com)
  • Aug 26–27: Multiple outlets publish analyses and statements from stakeholders and third-party experts. (cyberscoop.com, cybersecuritydive.com)

Detection signals and IOCs

GTIG shared representative IOCs and telemetry to guide investigations:

  • User-Agent strings observed: “Salesforce-Multi-Org-Fetcher/1.0”, “Salesforce-CLI/1.0”, “python-requests/2.32.4”, and “Python/3.11 aiohttp/3.12.15”. Treat these as a weak signal: a User-Agent is trivially changed, so its absence does not clear an org and a hit should be corroborated with query and source-IP evidence.
  • Infrastructure: traffic included Tor exit nodes and cloud hosts (e.g., DigitalOcean, AWS) seen in the campaign.
  • Deletion of query jobs: evidence of attempted log hygiene by the actor. Event Monitoring data still retained useful traces. (cloud.google.com)

Where to hunt in Salesforce

Prioritize Event Monitoring and connected app telemetry:

  • Connected app usage: Review authentication activity for the Drift connected app and the integration user whose identity the Drift tokens act under.
  • UniqueQuery events: Identify unusual SOQL—bulk enumeration, high LIMITs, repeated SELECTs over Users, Cases, Accounts, Opportunities, or queries that search for credential patterns.
  • API activity: Look for anomalous access from Tor networks or unusual cloud IPs; correlate with the IOCs above.
  • LoginHistory and Profile/PermissionSet changes for the integration user during the period of interest. (cloud.google.com)
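The hunting logic above, as an added example that is not GTIG's or Salesforce's tooling: it scores constructed query-telemetry records against the published User-Agent IOCs, a Tor exit list, the campaign window, and the shape of the SOQL (count-only reconnaissance, unfiltered reads, very high LIMITs over the enumerated objects). The record schema (timestamp, user, client_ip, user_agent, query, rows), the Tor exit IPs and the “Drift/1.0” benign User-Agent are assumptions; map your real Event Monitoring export (ApiEvent, UniqueQuery, LoginHistory) onto these field names before use.

```python
"""Hunt for UNC6395-style activity in Salesforce query telemetry (added example)."""
import re
from datetime import datetime, timezone

# User-Agent strings published by GTIG as observed in the campaign.
IOC_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
}

# Objects the actor enumerated; bulk reads of these by an integration user are suspect.
SENSITIVE_OBJECTS = {"user", "account", "case", "opportunity"}

# Constructed stand-in for a Tor exit-node feed (assumption: you load a real feed here).
TOR_EXIT_IPS = {"198.51.100.7"}

# Campaign window reported by GTIG (UTC) with a 48h buffer on either side.
WINDOW_START = datetime(2025, 8, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 20, tzinfo=timezone.utc)

COUNT_RE = re.compile(r"^\s*select\s+count\(\)\s+from\s+(\w+)", re.I)
SELECT_RE = re.compile(r"^\s*select\s+.+?\s+from\s+(\w+)(?P<rest>.*)$", re.I | re.S)
LIMIT_RE = re.compile(r"\blimit\s+(\d+)", re.I)


def classify_query(q):
    """Return the reasons a SOQL statement looks like reconnaissance or bulk export."""
    reasons = []
    m = COUNT_RE.match(q)
    if m:  # SELECT COUNT() FROM <obj>: sizing the data before pulling it
        if m.group(1).lower() in SENSITIVE_OBJECTS:
            reasons.append("count-recon:" + m.group(1))
        return reasons
    m = SELECT_RE.match(q)
    if m and m.group(1).lower() in SENSITIVE_OBJECTS:
        rest = m.group("rest")
        if "where" not in rest.lower():  # whole-object read, no filter
            reasons.append("unfiltered-select:" + m.group(1))
        lim = LIMIT_RE.search(rest)
        if lim and int(lim.group(1)) >= 10000:
            reasons.append("high-limit:" + lim.group(1))
    return reasons


def hunt(events):
    """Score each event; return only events with at least one hit, reasons attached."""
    hits = []
    for ev in events:
        reasons = []
        if ev["user_agent"] in IOC_USER_AGENTS:
            reasons.append("ioc-user-agent")
        if ev["client_ip"] in TOR_EXIT_IPS:
            reasons.append("tor-exit")
        reasons += classify_query(ev.get("query", ""))
        ts = datetime.fromisoformat(ev["timestamp"])
        if reasons and WINDOW_START <= ts <= WINDOW_END:
            reasons.append("in-campaign-window")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-09T03:12:44+00:00", "user": "drift.integration@example.com",
     "client_ip": "198.51.100.7", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0",
     "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"timestamp": "2025-08-09T03:13:02+00:00", "user": "drift.integration@example.com",
     "client_ip": "203.0.113.45", "user_agent": "python-requests/2.32.4",
     "query": "SELECT Id, Subject, Description FROM Case LIMIT 50000", "rows": 48211},
    {"timestamp": "2025-08-09T09:00:00+00:00", "user": "drift.integration@example.com",
     "client_ip": "192.0.2.10", "user_agent": "Drift/1.0",  # assumed benign client
     "query": "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY", "rows": 23},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["timestamp"], h["client_ip"], h["user_agent"], h["reasons"])
```

The third constructed record, a filtered incremental read by a normal client, is deliberately left unflagged: the point is to separate the integration's steady-state behaviour from sizing queries followed by whole-object exports, rather than to alert on every query the Drift user runs.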

What to search inside your data

Assume data exposure if your org linked Drift during the window and search for secrets stored in CRM records:

  • Strings and patterns: “AKIA” (AWS), “snowflakecomputing.com”, “password”, “secret”, “key”, VPN or SSO URLs, tokens embedded in case comments/attachments or custom fields.
  • Triage attachments: Export and scan with secret-scanning tools (e.g., TruffleHog) and DLP workflows for API keys and tokens. (cloud.google.com)
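A scanner for the patterns listed above, as an added example rather than a tool GTIG or Salesforce published: it walks a constructed CSV export of Case records, applies regexes for AWS access key IDs and secret keys, Snowflake account hostnames, password assignments, VPN/SSO URLs and bearer tokens, and reports each hit with the record ID, the field and a redacted value so the findings file does not itself become a secret store. The export shape (Id, Subject, Description, Internal_Notes__c) and every value in it are fabricated for the example; the AWS key and secret are Amazon's documented placeholder examples.

```python
"""Scan exported CRM records for the secrets UNC6395 was harvesting (added example)."""
import csv
import io
import re

# AKIA/ASIA + 16 chars is the documented AWS access key ID format; the rest are
# heuristics for the free-text places GTIG said secrets were found.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[^=:]{0,20}[=:]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "vpn_or_sso_url": re.compile(r"https?://[^\s\"';]*(?:vpn|sso|okta|login)[^\s\"';]*", re.I),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
}


def redact(value):
    """Keep just enough of the match to triage it; hide the rest."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text):
    """Return (kind, redacted_match) for every secret-looking token in text."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append((kind, redact(secret)))
    return findings


def scan_records(csv_text, id_field="Id", skip_fields=("Id",)):
    """Scan every non-empty field of every CSV row; return a list of findings."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            if field in skip_fields or not value:
                continue
            for kind, redacted in scan_text(value):
                out.append({"record": row[id_field], "field": field,
                            "kind": kind, "value": redacted})
    return out


# Constructed sample export; all IDs, hosts and credentials are fabricated.
SAMPLE_CSV = """Id,Subject,Description,Internal_Notes__c
500xx0000001,Can't reach VPN,"Customer VPN at https://vpn.example.com/login; user pw reset","password: Summ3r!2025"
500xx0000002,Snowflake ingest failing,"Account ab12345.us-east-1.snowflakecomputing.com, key AKIAIOSFODNN7EXAMPLE","aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
500xx0000003,Invoice question,"Asking about Q3 invoice totals",""
"""

if __name__ == "__main__":
    for f in scan_records(SAMPLE_CSV):
        print(f"{f['record']} {f['field']:<18} {f['kind']:<22} {f['value']}")
```

Run it over a Bulk API export of Cases, Case comments, attachment text and any custom long-text fields; each finding is a credential to rotate, not just a record to clean up, and the field name tells you which team to coach on where secrets were being pasted.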

Immediate response checklist

  • Rotate credentials: Revoke and regenerate any cloud/API keys or tokens discoverable in Salesforce data; reset impacted user passwords; invalidate session tokens for affected accounts.
  • Re-auth Drift only after investigation: If you still use the integration, reconnect after completing forensics and hardening steps; Salesloft previously required administrators to reauthenticate post-revocation. (thehackernews.com)
  • Notify downstream owners: Any system whose credentials were stored in CRM (e.g., AWS, Snowflake, VPN) should be treated as potentially compromised.
  • Expand log review: Analyze the Aug 8–18 window (and a buffer before/after) for anomalous queries and bulk exports. (cloud.google.com)

Hardening Salesforce and connected apps against OAuth abuse

  • Restrict connected app scopes: Avoid overly broad scopes (“full” or equivalent) where possible; grant minimum privilege for integrations. (cloud.google.com)
  • Enforce connected app IP restrictions: Set the connected app's IP Relaxation setting to “Enforce IP restrictions” so its tokens only work from the trusted egress ranges you define for integration traffic. (cloud.google.com)
  • Tighten “API Enabled”: Remove API access from broad profiles; grant via targeted Permission Sets to only the integration identities that require it. (cloud.google.com)
  • Session hygiene: Reduce session lifetimes and consider additional device/IP controls for integration users. (cloud.google.com)
  • Secrets governance in CRM: Establish a policy forbidding storage of passwords, tokens, and keys in CRM fields and attachments; run continuous secret scanning over CRM exports to enforce the policy.

Why this campaign stands out

Independent experts highlighted both the scale and discipline: hundreds of targeted Salesforce tenants, methodical enumeration, deliberate query-job deletion, and a tight focus on secrets harvesting. The tactics underscore a systemic blind spot: cloud-to-cloud OAuth integrations and the difficulty of governing third-party connected apps at enterprise scale. (thehackernews.com, cyberscoop.com)

Stakeholder statements and current status

  • Salesloft: Confirmed a security issue in the Drift app; stated the incident primarily affected customers integrating Drift with Salesforce; all impacted customers were notified and required to reauthenticate after tokens were revoked. (thehackernews.com, securityweek.com)
  • Salesforce: Reported a small subset of customers experienced unauthorized access through the Drift connection; reiterated this was not due to a platform vulnerability. (thehackernews.com, cyberscoop.com)
  • GTIG/Mandiant: Attributed the campaign to UNC6395; emphasized that event logs remained available despite job deletions; published IOCs and detailed remediation steps. (cloud.google.com)

Operational playbook for security teams

  • Scoping: Identify all orgs and sandboxes that had the Drift connected app installed or authorized during or before August 8–18.
  • Containment: Disable affected connected app authorizations; rotate credentials discovered via secret scans; revoke OAuth grants for stale integrations; invalidate sessions.
  • Forensics: Export and review Event Monitoring logs (especially UniqueQuery), connected app OAuth usage, and API access logs for outliers that match IOC user-agents or Tor/cloud IPs. (cloud.google.com)
  • Verification: Validate integrity of high-risk records (e.g., Cases with authentication tokens) and confirm no follow-on compromises occurred in cloud or identity providers referenced by CRM data.
  • Recovery and hardening: Reconnect integrations with least-privilege scopes and enforced IP policies; implement continuous monitoring of connected app usage and automated secret-scanning gates on CRM exports.

Strategic takeaways

  • OAuth supply chain risk is now a top-tier SaaS threat. A compromise at an integration provider can ripple into hundreds of customer tenants through token replay and refresh flows.
  • Logging beats job deletion. Even with actor attempts to reduce noise, Event Monitoring preserved sufficient signal to scope activity—validate your licensing and retention for these logs now. (cloud.google.com)
  • Secrets never belong in CRM. Treat CRM as untrusted for secret storage; enforce DLP and secret scanning and educate support/sales teams on safe alternatives.
  • Govern connected apps like production code. Establish a review board for scopes, IP policies, and periodic reauthorization; inventory and disable idle grants regularly.

References used in this analysis include GTIG’s primary advisory (with IOCs and prescriptive hardening), stakeholder statements, and independent reporting that clarifies scale and the token-pivot mechanism.
