Salesloft Breach Exposes OAuth Tokens Used in Salesforce Data-Theft Campaign

Salesloft breach exposed Drift OAuth tokens used to access Salesforce instances; attackers extracted AWS keys, passwords, and Snowflake tokens to pivot and exfiltrate data.

    Sales automation vendor Salesloft disclosed a breach that allowed attackers to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce, enabling the actors to pivot into customer Salesforce environments and exfiltrate secrets. The incident, active between August 8 and August 18, 2025, is tied to a broader wave of Salesforce-focused intrusions that have impacted multiple enterprises this year.

    Salesloft Confirms Drift OAuth Token Compromise

    Salesloft said threat actors obtained Drift OAuth and refresh tokens used for its Salesforce integration and used them to conduct a Salesforce data-theft campaign during the August timeframe.

    The company’s advisory stated, “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.” Salesloft added that the incident did not affect customers who do not use the Drift–Salesforce integration and that it did not see evidence of ongoing malicious activity related to the event.

    In coordination with Salesforce, Salesloft revoked all active access and refresh tokens for the Drift application. The vendor instructed admins to reauthenticate by navigating to Settings > Integrations > Salesforce, disconnecting the integration, and then reconnecting with valid Salesforce credentials.

    Threat Activity Tracked as UNC6395 and Observed Techniques

    Google’s Threat Intelligence team (GTIG / Mandiant) is tracking the actor as UNC6395. GTIG reports that once the actors gained access to a Salesforce instance, they issued SOQL queries to extract authentication tokens, passwords, and other secrets stored in support-case records.

    These extracted items included AWS access keys (AKIA identifiers), passwords, and Snowflake-related access tokens, which the actors used to breach additional cloud platforms and services.

    “GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” Google said. GTIG also noted that the attackers demonstrated operational security awareness by deleting query jobs, though logs themselves were not altered: “logs were not impacted and organizations should still review relevant logs for evidence of data exposure,” the report added.

    Infrastructure, User Agents, and Operational Footprint

    According to GTIG, attackers obscured their infrastructure using Tor and hosting providers including AWS and DigitalOcean. The teams analyzing the campaign identified distinctive user-agent strings associated with the data-theft activity, which include:

    • python-requests/2.32.4
    • Python/3.11 aiohttp/3.12.15
    • Salesforce-Multi-Org-Fetcher/1.0 (custom tooling)
    • Salesforce-CLI/1.0 (custom tooling)

    Google provided a list of IP addresses and these user-agent strings to help administrators search Salesforce logs for suspicious activity associated with the campaign.
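    The user-agent strings above are meant for exactly that kind of hunt. The script below is an added example, not code from Salesloft, Salesforce or GTIG: it matches an exported activity log against the published user-agent indicators and an IP list, and rolls the hits up per user so an incident responder can see which principals to scope first. The log rows, their column names and the single IP are constructed for the example (Google's IP list is not reproduced in the article), so map the columns to whatever your own export uses.

```python
"""Hunt a Salesforce activity export for the UNC6395 user-agent indicators.

Added example (not Salesloft, Salesforce or GTIG code). Log rows and column names
are constructed and assumed; adapt them to your real export.
"""
import csv
import io
from collections import Counter

# User-agent strings quoted in the article, matched exactly.
UNC6395_USER_AGENTS = frozenset({
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
})

# Placeholder for the IP list Google published (not reproduced in the article).
# 192.0.2.10 is an RFC 5737 documentation address, used here only as a constructed sample.
PUBLISHED_IOC_IPS = frozenset({"192.0.2.10"})

# Constructed sample export. Column names are assumptions, not a Salesforce schema.
SAMPLE_LOG = """\
timestamp,user,source_ip,user_agent,event
2025-08-10T02:14:07Z,svc-drift@example.com,192.0.2.10,Salesforce-Multi-Org-Fetcher/1.0,API
2025-08-10T02:14:09Z,svc-drift@example.com,192.0.2.10,python-requests/2.32.4,API
2025-08-10T09:30:00Z,alice@example.com,198.51.100.5,Mozilla/5.0 (Windows NT 10.0) Chrome/127.0,Login
2025-08-12T23:51:41Z,svc-drift@example.com,203.0.113.77,Python/3.11 aiohttp/3.12.15,API
2025-08-13T08:05:12Z,bob@example.com,198.51.100.9,python-requests/2.31.0,API
"""


def parse_rows(text):
    """Parse a CSV export into dict rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row, ioc_ips=PUBLISHED_IOC_IPS):
    """Return the reasons a row is suspicious; an empty list means it is clean."""
    reasons = []
    ua = row["user_agent"].strip()
    if ua in UNC6395_USER_AGENTS:
        reasons.append(f"user-agent indicator: {ua}")
    elif ua.startswith(("python-requests/", "Python/")):
        # Lower confidence: same scripted-client family, but a version the
        # article does not list. Worth a look, not an automatic alert.
        reasons.append(f"scripted client (review): {ua}")
    if row["source_ip"] in ioc_ips:
        reasons.append(f"source IP on IOC list: {row['source_ip']}")
    return reasons


def hunt(text, ioc_ips=PUBLISHED_IOC_IPS):
    """Return every matching row, annotated with why it matched."""
    hits = []
    for row in parse_rows(text):
        reasons = classify(row, ioc_ips)
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def summarize(hits):
    """Count matched rows per user so responders know which identities to scope."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["timestamp"], h["user"], h["source_ip"], "|", "; ".join(h["reasons"]))
    print(summarize(found))
```

    Exact matching on the published strings keeps false positives low; the separate "review" bucket for other python-requests or aiohttp versions exists because a tooling family rarely stays on one version, and a single integration user generating API traffic from several scripted clients is itself worth explaining.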

    Customer Impact and Vendor Actions

    Salesloft said the breach focused on tokens tied to the Drift–Salesforce integration and that customers who do not use that integration were not impacted. In coordination with Salesforce, Salesloft revoked tokens and required reauthentication.

    GTIG urged affected organizations to search Salesforce objects for exposed secrets and to rotate credentials where appropriate; GTIG’s guidance highlighted strings to search for, such as AKIA for AWS key identifiers, snowflake for Snowflake credentials, and common terms like password, secret, or key to find references to sensitive material. Google also advised looking for organization-specific login URLs that might identify VPN or SSO credentials referenced in records.
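    A concrete way to run that search before rotating anything is to sweep the exported case records for the terms GTIG named and report per record which kinds of secrets appear. The script below is an added example, not GTIG's or Salesforce's tooling. The sample records, their field names and the organisation domain are constructed; the AKIA regex shape (four-character prefix plus sixteen upper-case alphanumerics) is a common convention for long-term AWS access key IDs that the article itself does not spell out, so treat it as an assumption and widen it if your inventory shows other key formats.

```python
"""Sweep exported Salesforce case records for the secret indicators GTIG highlighted.

Added example (not GTIG, Salesforce or Salesloft code). Records, field names and the
organisation domain are constructed; the AKIA pattern is an assumed convention.
"""
import re
from collections import Counter

# Search terms from the article: AKIA key IDs, "snowflake", and generic secret words.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),          # assumed shape
    "snowflake": re.compile(r"snowflake", re.IGNORECASE),
    "generic_secret": re.compile(r"\b(password|passwd|secret|api[_ -]?key|token)\b",
                                 re.IGNORECASE),
}

# Categories whose matched text may itself be sensitive and must not land in a report.
REDACT_CATEGORIES = {"aws_access_key_id", "org_login_url"}

# Constructed sample records; Ids are placeholders, not real Salesforce record Ids.
SAMPLE_RECORDS = [
    {"Id": "500AAA000001", "Subject": "Can't connect to S3",
     "Description": "Used AKIAABCDEFGHIJKLMNOP and the secret from our wiki, still 403."},
    {"Id": "500AAA000002", "Subject": "Snowflake load fails",
     "Description": "Paste of SNOWFLAKE_TOKEN=xyz... worked last week."},
    {"Id": "500AAA000003", "Subject": "VPN",
     "Description": "Login at https://vpn.example-corp.com/login with my usual password"},
    {"Id": "500AAA000004", "Subject": "Feature request",
     "Description": "Please add dark mode to the dashboard."},
]


def login_url_pattern(org_domains):
    """Build a regex for organisation-specific login URLs (VPN/SSO) supplied by the caller."""
    escaped = "|".join(re.escape(d) for d in org_domains)
    return re.compile(rf"https?://(?:[\w.-]+\.)?(?:{escaped})[^\s\"']*", re.IGNORECASE)


def redact(value):
    """Keep only the edges of a sensitive match so the report is safe to share."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-2:]


def scan_record(record, fields=("Subject", "Description"), org_domains=()):
    """Return (field, category, shown_match) findings for one record."""
    patterns = dict(PATTERNS)
    if org_domains:
        patterns["org_login_url"] = login_url_pattern(org_domains)
    findings = []
    for field in fields:
        text = record.get(field) or ""
        for category, rx in patterns.items():
            for m in rx.finditer(text):
                shown = redact(m.group(0)) if category in REDACT_CATEGORIES else m.group(0)
                findings.append((field, category, shown))
    return findings


def scan_records(records, org_domains=()):
    """Map record Id -> findings, omitting records with nothing to report."""
    report = {}
    for rec in records:
        found = scan_record(rec, org_domains=org_domains)
        if found:
            report[rec["Id"]] = found
    return report


def category_totals(report):
    """Totals per category, which is what drives the rotation plan (keys vs. logins)."""
    return Counter(cat for findings in report.values() for _, cat, _ in findings)


if __name__ == "__main__":
    result = scan_records(SAMPLE_RECORDS, org_domains=["example-corp.com"])
    for rec_id, findings in result.items():
        for field, category, shown in findings:
            print(rec_id, field, category, shown)
    print(category_totals(result))
```

    The report deliberately never prints a full access key or login URL; the point of the sweep is to know which records need cleaning and which credentials need rotating, and a list of exposed keys in a ticket would just recreate the original problem.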

    Salesloft reported that it “did not see evidence of ongoing malicious activity related to this incident” as its investigation continued.

    Claims and Attribution: UNC6395, ShinyHunters, and Public Statements

    While GTIG tracks the activity under UNC6395, the extortion group ShinyHunters initially told BleepingComputer they were behind these Salesforce attacks. In public comments earlier this year, ShinyHunters asserted operational overlap with other groups. “Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer. “They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”

    However, Google said it had not seen a compelling link to ShinyHunters. “We’ve not seen any compelling evidence connecting them at this time,” Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, told BleepingComputer. After initial publication, the actors contacted BleepingComputer saying the incident described by Google was not linked to them, asserting they were not targeting support cases.

    How Tokens Enabled Downstream Breaches

    The Salesloft tokens provided API-level access that allowed the actors to query Salesforce datasets at scale. Once inside a compromised Salesforce instance, the attackers ran SOQL queries against support case objects and other locations where secret material was stored. Extracted credentials were then used to access cloud services — the campaign’s recorded focus included long-term AWS access key identifiers (AKIA), Snowflake tokens, and other authentication artifacts that permit lateral movement and data exfiltration.

    GTIG observed the adversary deleting query jobs to hinder detection, though audit logs remained intact for forensic review.

    Part of a Larger Wave of Salesforce Data Thefts

    This incident sits alongside numerous Salesforce-related breaches investigated since June 2025, many of which involved social-engineering campaigns that tricked employees into authorizing malicious OAuth applications.

    The broader campaign has affected a wide range of companies, including Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries such as Louis Vuitton, Dior, and Tiffany & Co. The actors have used initial access to extract CRM data for extortion and to pivot into downstream customers’ cloud environments.

    The Salesloft breach underscores how third-party integrations can become pivot points in supply-chain attacks against CRM environments. Salesloft revoked the compromised tokens and directed customers using the Drift integration to reauthenticate.

    GTIG tracked the actor as UNC6395 and shared forensic artifacts, IP addresses, and user-agent indicators to help administrators hunt for evidence of exposure. The campaign’s focus on support cases and secret-bearing records highlights an operational shift in which stolen CRM content is weaponized not only for extortion but also to breach additional cloud platforms.
