UNC6395 Targets Salesloft in Drift OAuth Token Theft Campaign
A recent data breach campaign carried out by threat actor UNC6395 has left many organizations scrambling to assess the impact of compromised Salesforce data. The Google Threat Intelligence Group (GTIG) and Mandiant researchers have linked the campaign to this particular threat actor, highlighting the scope and severity of the attack.
The breach, which occurred between August 8th and 18th, 2025, targeted the Salesloft platform, specifically the Drift AI chat agent integrated with Salesforce. Hackers exploited OAuth tokens associated with this integration to exfiltrate large volumes of data from numerous corporate Salesforce instances.
According to GTIG's report, the actor systematically exported large volumes of data from multiple Salesforce customer instances and then searched it for credentials such as AWS access keys (AKIA), Snowflake tokens, and other confidential data.
The Impact of the Breach
GTIG advises organizations to treat the affected Salesforce data as compromised and urges those using Drift integrated with Salesforce to take immediate remediation steps: search for sensitive information and secrets stored in Salesforce objects, revoke API keys, rotate credentials, and investigate further to determine whether the threat actor abused those secrets.
Salesloft has confirmed that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20th, 2025, it revoked all Drift-Salesforce connections, stressing that non-Salesforce users are unaffected. Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified.
The Response
Salesforce has stated that only a small number of customers were affected due to a compromised app connection. Working with Salesloft, it revoked tokens, pulled Drift from AppExchange, and notified impacted users. Salesloft states that it has no evidence of ongoing malicious activity related to this incident.
A DFIR firm is assisting the investigation, and Salesloft has shared indicators of compromise (IOCs) with the public. It's essential for organizations to take these threats seriously and implement necessary security measures to prevent similar breaches in the future.
What You Can Do
Google recommends log reviews, key revocation, and credential rotation to assess and contain the compromise. Organizations should search for sensitive information and secrets stored in Salesforce objects, revoke API keys, rotate credentials, and investigate further to determine whether the threat actor abused those secrets.
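A defender-side triage script for the remediation step above: scan exported Salesforce objects for secrets of the kinds named in the report (AKIA keys, Snowflake tokens) and turn the hits into a rotation worklist. This is an added example, not code from Salesloft, Salesforce or GTIG; the records are constructed, and the Snowflake pattern is an assumption, since those tokens have no single documented format.

```python
import re
from dataclasses import dataclass
# Constructed sample records, shaped like a SOQL export of the objects the
# article names (Case, Account). Ids and secrets are fake.
SAMPLE_RECORDS = [
    {"object": "Case", "Id": "500XXXXXXXXXXXX001", "Subject": "Cannot connect to S3",
     "Description": "Tried with AKIAIOSFODNN7EXAMPLE and it still fails."},
    {"object": "Case", "Id": "500XXXXXXXXXXXX002", "Subject": "Snowflake login",
     "Description": "Support asked me to paste my Snowflake token=ver:1-hint:CONSTRUCTEDTOKEN0000 here"},
    {"object": "Account", "Id": "001XXXXXXXXXXXX003", "Name": "Acme Corp",
     "Description": "Ticket AKIA-2025 about the quarterly review."},
]

# AWS access key IDs have a documented shape: "AKIA" + 16 uppercase alphanumerics.
# Snowflake tokens do not, so that pattern is an assumption: "snowflake" followed
# closely by "token=" / "token:" and a long opaque value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(
        r"(?i)snowflake\b.{0,40}?\btoken\s*[:=]\s*([A-Za-z0-9+/=_:\-.]{20,})"),
}

@dataclass(frozen=True)
class Finding:
    sobject: str
    record_id: str
    field: str
    kind: str
    redacted: str  # never log the full secret; keep just enough to identify it

def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"

def scan_records(records: list[dict]) -> list[Finding]:
    """Run every pattern over every string field of every exported record."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in ("object", "Id") or not isinstance(value, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    secret = m.group(m.lastindex or 0)  # capture group when the pattern has one
                    findings.append(Finding(rec["object"], rec["Id"], field, kind, redact(secret)))
    return findings

def rotation_worklist(findings: list[Finding]) -> dict[str, list[str]]:
    # Group hits by secret type so each owning team gets one list of records to rotate.
    work: dict[str, list[str]] = {}
    for f in findings:
        work.setdefault(f.kind, []).append(f"{f.sobject}/{f.record_id}.{f.field}")
    return work
```

Run the same scan over a real export of Cases, Accounts, Users and Opportunities and extend SECRET_PATTERNS with whatever credential formats your environment uses; the "AKIA-2025" record shows that the key pattern's length and character checks keep ordinary text out of the worklist.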
Stay informed about this incident and follow reputable sources for updates on this ongoing situation. Follow me on Twitter (@securityaffairs), Facebook, and Mastodon for the latest news and insights.