Salesloft Integration Breach Exposes Salesforce Credentials, Sparks Wave of Data Thefts

Attackers compromised the OAuth and refresh tokens behind Salesloft’s Drift-Salesforce integration and used them to siphon sensitive data from connected customer environments, escalating a broader pattern of CRM-targeted intrusions.

CSBadmin

Salesloft has confirmed a security breach in which attackers obtained the OAuth and refresh tokens used by its Drift AI chat agent’s Salesforce integration, exposing customer data stored in the connected Salesforce environments. The activity, which ran from August 8 to August 18, 2025, let the threat actors harvest credentials that customers had pasted into CRM support cases, including AWS access keys, passwords, and Snowflake tokens. With the stolen tokens the attackers ran Salesforce Object Query Language (SOQL) queries against objects such as Case and collected the secrets embedded in ticket text.

This breach specifically affected customers using Salesloft’s SalesDrift product, a third-party integration platform that connects Drift with Salesforce to sync sales and support data. Customers not using this integration are reportedly unaffected. Salesloft, in coordination with Salesforce, has revoked all affected tokens and is urging impacted admins to manually disconnect and reconnect their Salesforce integration using valid credentials.

Google’s Mandiant team, which is tracking the actor as UNC6395, highlights the attacker’s operational discipline—including the deletion of query jobs post-exfiltration to reduce visibility, although logs remain intact. The threat actor also masked their activity using Tor and cloud providers such as AWS and DigitalOcean. Indicators of compromise include telltale user-agent strings like Salesforce-CLI/1.0 and python-requests/2.32.4, which administrators are advised to hunt for in Salesforce logs. Google also provided a list of IP addresses and user-agents for detection.

While the extortion group ShinyHunters initially claimed responsibility, asserting overlap with Scattered Spider, Google has found no direct evidence linking them to this specific incident. However, this breach appears part of a broader Salesforce-focused campaign that has affected high-profile organizations—including Cisco, Adidas, Workday, and several luxury brands—through OAuth abuse and social engineering. Attackers in these cases have tricked employees into authorizing malicious apps, exfiltrated CRM data, and used the results for extortion.

This breach highlights the dangers of over-permissioned OAuth integrations and the need for continuous monitoring of third-party app access in SaaS ecosystems. Organizations using Salesforce should immediately audit their connected applications, rotate any credential that was ever stored in a case or other CRM record, and search those records for keywords such as AKIA, password, secret, and snowflake to find secrets that may already have been exfiltrated. Tightening OAuth scopes, implementing stricter approval workflows, and educating staff on vishing and app-consent threats are essential defenses against this rising wave of CRM supply chain attacks.
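The two hunts the article recommends, matching the published user-agent indicators against API activity and searching support cases for leaked secrets, are shown below as an added example written for this page; it is not Salesloft’s, Salesforce’s, or Google’s tooling. The event records, case texts, and field names are constructed and simplified stand-ins for a Salesforce event log export and Case object export, the IP address is an RFC 5737 documentation placeholder rather than a published indicator, and the AWS key and password values are fake. The example also adds a check the article’s description of the actor’s behaviour suggests: pairing Bulk API query-job creations with deletions that follow within minutes.

```python
"""Hunting helpers for the Drift/Salesforce token-theft pattern described above.

Added example, not vendor tooling. Events, cases and field names are constructed
stand-ins for Salesforce log and Case exports; secrets below are fake.
"""
import re
from datetime import datetime, timedelta

# Only the two user-agent strings are from the article. The IP is an RFC 5737
# placeholder, NOT a published indicator; substitute the vendor-supplied list.
IOC_USER_AGENTS = {"Salesforce-CLI/1.0", "python-requests/2.32.4"}
IOC_IPS = {"203.0.113.7"}

# Constructed API-activity records: who called, from where, with which client,
# and (for Bulk API) which job action was taken.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:11:05Z", "user": "integration.user@example.com",
     "ip": "203.0.113.7", "ua": "Salesforce-CLI/1.0",
     "action": "BulkQueryCreate", "job": "750xx00000001"},
    {"ts": "2025-08-09T02:11:40Z", "user": "integration.user@example.com",
     "ip": "203.0.113.7", "ua": "Salesforce-CLI/1.0",
     "action": "BulkQueryDelete", "job": "750xx00000001"},
    {"ts": "2025-08-09T09:15:00Z", "user": "alice@example.com",
     "ip": "198.51.100.20", "ua": "python-requests/2.32.4",
     "action": "RestQuery", "job": None},
    {"ts": "2025-08-10T10:00:00Z", "user": "bob@example.com",
     "ip": "198.51.100.21", "ua": "Mozilla/5.0",
     "action": "RestQuery", "job": None},
    {"ts": "2025-08-10T11:00:00Z", "user": "bob@example.com",
     "ip": "198.51.100.21", "ua": "Mozilla/5.0",
     "action": "BulkQueryCreate", "job": "750xx00000002"},
    {"ts": "2025-08-12T11:00:00Z", "user": "bob@example.com",
     "ip": "198.51.100.21", "ua": "Mozilla/5.0",
     "action": "BulkQueryDelete", "job": "750xx00000002"},
]


def hunt_iocs(events):
    """Return (timestamp, user, reasons) for events matching a UA or IP indicator.

    python-requests/2.32.4 is a generic library string and also matches benign
    scripts, so each hit records which indicator fired: a UA-plus-IP match is a
    far stronger signal than a UA match alone.
    """
    hits = []
    for e in events:
        reasons = []
        if e["ua"] in IOC_USER_AGENTS:
            reasons.append("user-agent")
        if e["ip"] in IOC_IPS:
            reasons.append("ip")
        if reasons:
            hits.append((e["ts"], e["user"], tuple(reasons)))
    return hits


def short_lived_bulk_jobs(events, max_age=timedelta(minutes=10)):
    """Find Bulk API query jobs deleted within max_age of being created.

    Deleting the job hides its results from the UI, but the create/delete pair
    survives in the activity record, which is what the article's note that
    "logs remain intact" means in practice.
    """
    created, suspicious = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if e["action"] == "BulkQueryCreate":
            created[e["job"]] = (t, e["user"])
        elif e["action"] == "BulkQueryDelete" and e["job"] in created:
            t0, user = created.pop(e["job"])
            if t - t0 <= max_age:
                suspicious.append((e["job"], user, int((t - t0).total_seconds())))
    return suspicious


# Secret shapes the article says were harvested from support cases. The AWS
# access-key-ID shape is the documented one; the others are keyword heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b.{0,40}\b(?:token|password|key)\b"),
}

# Constructed Case records; the key ID is the AWS documentation example value.
SAMPLE_CASES = [
    {"id": "500xx00000001", "desc": "Customer cannot log in. Temp password: Winter2025! set by agent."},
    {"id": "500xx00000002", "desc": "Upload fails, they pasted AKIAIOSFODNN7EXAMPLE and the secret key in chat."},
    {"id": "500xx00000003", "desc": "Billing question about seat count, no technical details."},
    {"id": "500xx00000004", "desc": "Snowflake connector timing out; PAT token attached below."},
]


def scan_cases(cases):
    """Map case id -> names of the secret patterns found in its description."""
    findings = {}
    for c in cases:
        names = [name for name, rx in SECRET_PATTERNS.items() if rx.search(c["desc"])]
        if names:
            findings[c["id"]] = names
    return findings


if __name__ == "__main__":
    print("IOC hits:", hunt_iocs(SAMPLE_EVENTS))
    print("Short-lived bulk jobs:", short_lived_bulk_jobs(SAMPLE_EVENTS))
    print("Cases holding secrets:", scan_cases(SAMPLE_CASES))
```

Every case `scan_cases` flags is a credential to rotate regardless of whether the hunt shows it was queried, since the attacker’s own job deletions mean absence of a visible query result proves nothing; the bulk-job check is the one place the deletion itself becomes the signal.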

SOURCES:salesloft.com