Salesforce customers are being targeted in a widespread data theft campaign through compromised OAuth tokens linked to the third-party Salesloft Drift application.
Salesloft, which integrates with Salesforce to support sales and marketing collaboration, issued a security alert on August 20. The company reported it had detected a security issue and ‘proactively revoked connections between Drift and Salesforce.’
According to Google’s Threat Intelligence Group (GTIG), a threat actor known as UNC6395 targeted multiple Salesforce customer instances between August 8 and August 18, stealing large amounts of data. Experts believe hundreds of organizations may have been affected.
GTIG said the attackers were focused on harvesting credentials, specifically searching for AWS access keys, passwords, and Snowflake tokens. The group reportedly tried to cover its tracks by deleting certain logs, although most system logs remain intact.
Salesforce and Salesloft responded by revoking all Drift-related tokens and removing Drift from the Salesforce AppExchange while investigations continue. The companies confirmed the breach did not originate from the core Salesforce platform.
Salesforce customers using Drift are advised to assume their data has been compromised and to take immediate action such as rotating credentials, revoking API keys, and reviewing system logs for suspicious activity.
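One practical starting point for the review the article recommends is to find out which of your own Salesforce records contain the kinds of secrets the attackers were reportedly hunting for, so those credentials can be prioritised for rotation. The script below is an added defender-side example and is not code from the article, Google, Salesforce or Salesloft. It scans exported text fields (constructed sample records stand in for a real export) for AWS access key IDs (the `AKIA`/`ASIA` prefix format is documented by AWS), 40-character AWS secret-key-shaped strings, password assignments and `snowflake_token=` style values; the last three patterns are heuristic assumptions, not official formats. Matches are masked in the report so the output does not itself become a new secret store.

```python
import re
from typing import Dict, List

# Constructed sample records standing in for exported Salesforce text fields
# (e.g. Case descriptions or notes). Not real data: invented for this example.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "500000000000001",
     "body": "Customer sent creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "500000000000002",
     "body": "Ticket about login page layout; no secrets here."},
    {"id": "500000000000003",
     "body": "temp password: Winter2025! for the staging box"},
    {"id": "500000000000004",
     "body": "snowflake_token=eyJraWQiOiIxMjM0In0.abc.def"},
]

# Detection patterns. The AWS access key ID shape (AKIA/ASIA + 16 chars) is
# documented by AWS; the remaining patterns are heuristics assumed for this
# example and will need tuning against a real export.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-char base64-ish run not embedded in a longer token
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word)?\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake[_-]?token\s*[:=]\s*\S+"),
}


def mask(secret: str) -> str:
    """Keep only a short prefix/suffix so reports never reproduce the full secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_record(record: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per pattern match in a single record's text body."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(record["body"]):
            findings.append({"id": record["id"], "type": name, "match": mask(m.group(0))})
    return findings


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every record and collect all findings."""
    return [f for r in records for f in scan_record(r)]


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per secret type, to size the rotation effort."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


def records_needing_rotation(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct record IDs whose contents should be treated as exposed."""
    return sorted({f["id"] for f in findings})


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['id']}  {f['type']:<22} {f['match']}")
    print("summary:", summarize(results))
    print("rotate secrets referenced in:", records_needing_rotation(results))
```

Run it against a CSV or Bulk API export of the objects that the revoked Drift connection had access to; any record it flags is a credential to rotate first, regardless of whether a log entry proves it was actually read.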