Google Threat Intelligence Group (GTIG) warns that attackers are stealing OAuth tokens via Salesloft Drift integrations in a massive Salesforce data theft.
Alphabet’s GTIG and Mandiant attributed the hacking campaign to a threat actor tracked as UNC6395. The attacks occurred between August 8, 2025, and August 18, 2025, and affected up to 700 Salesloft customers.
“Beginning as early as August 8, 2025, through at least August 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” GTIG stated.
While Salesloft initially assessed that only Salesforce users were affected, Google has warned all customers with Drift integrations to consider their tokens compromised.
Salesloft Drift integrations used to steal OAuth tokens in Salesforce data theft
GTIG says the attackers conducted a large-scale data theft operation targeting credentials for future attacks against the CRM platform. The threat actor was observed sifting through the stolen data, searching for other access secrets.
The data theft subsequently also exposed other secrets, such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens, widening the scope of the Salesloft hacking campaign.
Google’s own integration with the Drift Email application was compromised. Upon discovery, the tech colossus responded by revoking Salesloft Drift OAuth tokens, disabling integration with Google Workspace, and notifying the platform administrators.
However, Google concluded that only a few customers’ accounts were compromised, and that neither its Workspace platform nor the parent company was impacted by the Salesloft data theft campaign.
“To be clear, there has been no compromise of Google Workspace or Alphabet itself,” it said.
Meanwhile, Salesloft has acknowledged the credential theft affecting Salesforce OAuth tokens. It warned that the threat actor had retrieved “information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities.”
Upon detection, Salesloft coordinated with Salesforce to deactivate and refresh the compromised OAuth tokens, removed Drift from AppExchange, and notified impacted customers.
However, Salesforce says only a “small number of customers” were affected by the Salesloft data theft campaign. It also initially assessed that only Drift customers with Salesforce integration were affected.
Nevertheless, Google advises all organizations with third-party Drift integrations, not limited to Salesforce, to consider their OAuth tokens compromised.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” Google warned.
It also advised all Salesloft customers to “Review all third-party integrations associated with an organization’s Drift instance.”
Google also recommended revoking and rotating OAuth tokens associated with all third-party applications integrated with Salesloft Drift: “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”
Salesforce customers should also re-authenticate their connection to reactivate the Salesloft Drift integrations that were previously disabled.
Google also observed that the attacker demonstrated a high degree of operational security awareness by deleting query jobs to cover their tracks. Therefore, GTIG advised system administrators to analyze their logs to uncover evidence of compromise.
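Part of "investigate all connected systems" is working out which secrets were actually sitting in the exfiltrated CRM records, since the actor is described as sifting the stolen Cases, Accounts, Users and Opportunities for AWS access keys, passwords and Snowflake tokens. The script below is an added example, not code from Google, Salesloft or Salesforce: it runs simple secret-detection rules over exported record text and produces a per-kind count of what needs rotating. The record shape (object, id, body) and the sample records are constructed for the example; the AWS access key ID pattern reflects the documented key format, while the password and Snowflake rules are heuristics that a reviewer would tune.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real data): text fields of the kind the
# article says were taken, with credentials pasted in the way support staff do.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "CASE-0001",
     "body": "Customer can't reach S3. Their key is AKIAIOSFODNN7EXAMPLE and "
             "secret wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"},
    {"object": "Case", "id": "CASE-0002",
     "body": "Reset done. Temporary password=Winter2025! sent to user."},
    {"object": "Account", "id": "ACC-0100",
     "body": "Snowflake account acme-xy12345, contact ops@example.invalid"},
    {"object": "Opportunity", "id": "OPP-0042",
     "body": "Renewal discussion scheduled for Q4."},
]

# Detection rules: (kind, compiled regex).
# - AWS access key IDs have a fixed, documented shape: AKIA (long-term) or ASIA
#   (temporary) followed by 16 upper-case alphanumerics. The matching secret
#   key has no reliable shape, so the key ID is the anchor for rotation.
# - The password rule is a deliberately broad heuristic for "password=..." or
#   "pwd: ..." fragments pasted into ticket text.
# - Snowflake credentials have no fixed format, so that rule only flags records
#   that mention Snowflake, with the rest of the clause, for a human to review.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)")),
    ("snowflake_reference", re.compile(r"(?i)\bsnowflake\b[^,.\n]*")),
]


@dataclass(frozen=True)
class Finding:
    object_name: str
    record_id: str
    kind: str
    redacted: str  # enough of the match to locate it, never the full secret


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters so the owner can recognise the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def scan_text(object_name: str, record_id: str, text: str) -> list:
    """Apply every rule to one record's text and return redacted findings."""
    findings = []
    for kind, pattern in RULES:
        for m in pattern.finditer(text):
            # Use the capture group (the value after 'password=') when the rule has one.
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(object_name, record_id, kind, redact(value)))
    return findings


def scan_records(records: list) -> list:
    """Scan a list of exported records shaped like SAMPLE_RECORDS."""
    out = []
    for r in records:
        out.extend(scan_text(r["object"], r["id"], r["body"]))
    return out


def rotation_summary(findings: list) -> dict:
    """Count findings per secret kind: the list of credential classes to rotate."""
    summary = {}
    for f in findings:
        summary[f.kind] = summary.get(f.kind, 0) + 1
    return summary


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.object_name} {f.record_id}: {f.kind} -> {f.redacted}")
    print(rotation_summary(found))
```

Findings carry only a redacted fragment, so the scan output itself can be shared with the teams that own each credential without re-spreading the secret. Real exports would be fed in as the records list; the rule set is the place to add organisation-specific token formats.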
Not a Salesforce platform or product vulnerability
Nonetheless, the tech giant stressed that the data breach did not stem from any Salesforce platform or product vulnerability.
Meanwhile, the breach occurred hot on the heels of another massive data theft campaign by the threat group ShinyHunters. The voice phishing (vishing) campaign compromised the Salesforce CRM system and breached numerous high-profile organizations, including Google.
However, the hacking campaign did not stem from Salesforce product vulnerabilities, but from threat actors luring employees into authorizing a rogue OAuth bulk data export tool on their organizations’ Salesforce portal.
“This incident underscores a systemic issue that our own research has repeatedly highlighted: API drift is real, and it’s risky,” said Mayur Upadhyaya, CEO of APIContext. “In our testing, 75% of APIs had at least one nonconformant endpoint, and 25% didn’t conform at all. When API behavior diverges from its intended description, it becomes harder to secure, harder to monitor, and easier to exploit. Organizations need to continuously test their APIs against declared specifications.”