Salesloft Drift OAuth Compromise Results in Targeted Salesforce Data Theft


Between August 8 and August 18, 2025, threat actor UNC6395 launched a targeted data exfiltration campaign exploiting OAuth tokens associated with the Salesloft Drift third-party integration for Salesforce. The attacker systematically accessed sensitive corporate data across multiple organizations, with a focus on credential harvesting and environment compromise. The incident underscores the critical risks of unsecured third-party integrations and token-based authentication abuse.

Severity Level: High

Threat Actor Activity

UNC6395 exploited compromised OAuth tokens linked to the Salesloft Drift application. These tokens granted unauthorized access to Salesforce instances, allowing the attacker to:

  • Authenticate as a connected app via Drift
  • Issue SOQL queries against sensitive Salesforce objects (Accounts, Cases, Users, Opportunities)
  • Exfiltrate large volumes of structured CRM data
  • Search for embedded secrets and credentials, including:
    • AWS access keys (AKIA)
    • Snowflake credentials
    • Hardcoded passwords or secrets
    • Organization-specific login URLs (VPN, SSO, etc.)

The campaign expanded beyond Salesforce to include Google Workspace accounts integrated with Drift Email, although the affected scope was narrowly defined and specific to certain configurations.

Data Access & Exfiltration

GTIG observed the attacker executing the following SOQL queries:

  • SELECT COUNT() FROM Account;
  • SELECT COUNT() FROM Opportunity;
  • SELECT COUNT() FROM User;
  • SELECT COUNT() FROM Case;

Example query used for user data extraction:

SELECT Id, Username, Email, Department, Division, CreatedDate, LastLoginDate FROM User WHERE IsActive = true

The goal was to enumerate and extract:

  • User account metadata
  • Business opportunity records
  • Customer case history
  • Credentials hidden within object data

After data extraction, query logs were deleted, suggesting operational security awareness, although logs from Salesforce’s Event Monitoring were unaffected.

Affected Scope

  • Customers using Salesloft Drift integrated with Salesforce were directly impacted
  • Customers using Drift Email integration with Google Workspace may have had limited exposure
  • No breach occurred within Salesforce’s core platform or Google Workspace infrastructure

Mitigation Measures Already Taken

  • Salesloft revoked all OAuth tokens linked to Drift
  • Salesforce removed Drift from AppExchange
  • Google disabled Drift integration with Workspace and notified impacted admins

Recommendations

  1. Review all third-party integrations connected to your Drift instance; revoke and rotate the API keys, credentials and authentication tokens used by those applications; and investigate all connected systems for signs of unauthorized access.
  2. Immediately revoke and rotate any discovered keys or secrets.
  3. Reset passwords for associated user accounts.
  4. For Salesforce integrations, configure session timeout values in Session Settings to limit the lifespan of a compromised session.
  5. Review Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user.
  6. Review authentication activity from the Drift Connected App.
  7. Review UniqueQuery events that log executed SOQL queries.
  8. Open a Salesforce support case to obtain the specific queries used by the threat actor.
  9. Search Salesforce objects for potential secrets, such as:
    • AKIA for long-term AWS access key identifiers
    • Snowflake or snowflakecomputing.com for Snowflake credentials
    • password, secret, key to find potential references to credential material
    • Strings related to organization-specific login URLs, such as VPN or SSO login pages
  10. Run tools like Trufflehog to find secrets and hardcoded credentials.
  11. Block the IOCs at their respective controls (indicator collection published on VirusTotal):
    https://www.virustotal.com/gui/collection/722fb67674b7707c0e6e2d5af5f21d8540f0ced97987d16fef725e464fa5b596/iocs
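As an added worked example for recommendation 9 (not part of this advisory or of any vendor tooling), the following Python scans exported Salesforce records, in the shape of a REST query result, for the indicator strings listed above and reports redacted findings for triage. The records, Ids and field contents are constructed; the credential keyword list narrows the bare "key" term to api/access-key forms to reduce noise.

```python
import re
from typing import Dict, Iterable, List

# Indicator patterns from the advisory's recommendation 9, expressed as regexes.
# The AWS pattern is the documented long-term access key ID format (AKIA + 16 chars).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflake(computing\.com)?", re.IGNORECASE),
    "credential_keyword": re.compile(
        r"\b(password|passwd|secret|api[_-]?key|access[_-]?key)\b", re.IGNORECASE),
    "login_url": re.compile(
        r"https?://[^\s\"'<>]*(vpn|sso|okta|login)[^\s\"'<>]*", re.IGNORECASE),
}


def redact(value: str) -> str:
    """Keep only the first and last two characters so a finding can be triaged
    without copying the secret itself into a ticket or report."""
    return value if len(value) <= 6 else f"{value[:2]}...{value[-2:]}"


def scan_records(object_name: str, records: Iterable[Dict]) -> List[Dict]:
    """Scan every string field of each record (e.g. the 'records' array of a
    Salesforce REST query response) and return one finding per pattern hit."""
    findings: List[Dict] = []
    for rec in records:
        rec_id = rec.get("Id", "<no Id>")
        for field, value in rec.items():
            if not isinstance(value, str):  # skips the 'attributes' dict and nulls
                continue
            for category, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    findings.append({"object": object_name, "id": rec_id, "field": field,
                                     "category": category, "match": redact(m.group(0))})
    return findings


# Constructed sample Case records (hypothetical Ids and contents, not real data).
SAMPLE_CASES = [
    {"Id": "500CONSTRUCTED01", "Subject": "Login issue",
     "Description": "User cannot reach https://vpn.example.com/login"},
    {"Id": "500CONSTRUCTED02", "Subject": "ETL failure",
     "Description": "Pipeline uses AKIAEXAMPLE012345678 against acme.snowflakecomputing.com"},
    {"Id": "500CONSTRUCTED03", "Subject": "Renewal",
     "Description": "Customer wants to renew next quarter."},
]

if __name__ == "__main__":
    for f in scan_records("Case", SAMPLE_CASES):
        print(f"{f['object']} {f['id']} {f['field']}: {f['category']} -> {f['match']}")
```

Point `scan_records` at the `records` array returned by a SOQL query over each object of interest (Case, Account, Opportunity, User) to cover the objects the actor enumerated.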

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift?e=48754805
  • https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Notification
  • https://status.salesforce.com/generalmessages/20000217
