Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

OAuth Token Theft Campaign: Salesloft Drift Breach Affects All Integrations



A recent breach involving Salesloft's Drift chat agent exposed sensitive information held in customers' Salesforce instances through an OAuth token theft campaign. The attacker used stolen Drift tokens to export Salesforce data and harvest the credentials stored in it, including AWS access key IDs (the AKIA-prefixed identifiers) and Snowflake access tokens, prompting organizations to re-examine how they secure third-party integrations.

  • A threat actor (tracked by Google as UNC6395) stole OAuth tokens for the Salesloft Drift app and used them to export sensitive data from customers' Salesforce instances.
  • The activity began on August 8, 2025 and continued until at least August 18, 2025; Salesforce says a small number of its customers were affected through the compromised app connection.
  • The primary objective was credential theft: AWS access keys, passwords, and Snowflake-related access tokens stored in Salesforce data.
  • Google later warned that the compromise extends to all Drift integrations, not only Salesforce, and GTIG advises treating any token connected to Drift as compromised.
  • Organizations using Drift with Salesforce are advised to treat their Salesforce data as compromised, revoke exposed API keys, rotate credentials, and investigate whether the secrets were abused.


    A threat actor recently carried out an OAuth token theft campaign targeting the sales automation platform Salesloft and its integrated artificial intelligence (AI) chat agent, Drift. The attack resulted in the theft of sensitive information from Salesforce instances, and all impacted customers have been notified by both Salesloft and Google.

    The incident began on August 8, 2025, when the threat actor used stolen OAuth credentials for the Drift app to exfiltrate data from customers' Salesforce instances through the compromised app connection. Salesforce reports that a small number of customers were affected, but the consequences for those customers were significant. As the Drift/Salesforce Security Update published by Salesloft states, "Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens."

    Working with Salesloft, Salesforce revoked the active Drift tokens, removed the Drift application from AppExchange, and notified impacted customers. Google subsequently warned that the compromise was broader than Salesforce alone and affects all Drift integrations. The Google Threat Intelligence Group (GTIG) advises all Drift customers to treat any token connected to the Drift platform as compromised.

    According to GTIG, the threat actor, tracked as UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application, beginning as early as August 8, 2025 and continuing until at least August 18, 2025. GTIG found that the actor systematically exported large volumes of data from numerous corporate Salesforce instances.

    To assess the scope of the breach, GTIG and Google advise organizations using Drift integrated with Salesforce to treat their Salesforce data as compromised. Impacted organizations should search the affected Salesforce objects for sensitive information and secrets (the actor specifically targeted AWS access keys, passwords, and Snowflake tokens), revoke any exposed API keys, rotate credentials, and investigate whether the exposed secrets were used by the threat actor.
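    The following Python script is a worked example of that triage, added here and not part of the original article or of Google's or Salesloft's guidance. It scans exported Salesforce records for the secret types named in the article, lists the AWS access key IDs that must be rotated, and then checks CloudTrail-style events for any use of those keys from the start of the exposure window. The AKIA prefix of AWS access key IDs and the CloudTrail field names (eventTime, eventName, eventSource, sourceIPAddress, userIdentity.accessKeyId) are real; the Salesforce records and CloudTrail events are constructed, the AWS credentials in them are AWS's published non-functional example values, and the Snowflake and password patterns are assumptions rather than any published format.

```python
"""Triage helper: find secrets in exported Salesforce records, then look for use
of exposed AWS access keys in CloudTrail events during the exposure window.
Added example for this article; all sample data below is constructed."""
import re
from datetime import datetime, timezone

# Start of the exposure window reported by Google. Because the campaign ran
# "until at least" August 18, the end is left open unless the caller knows
# when the Drift tokens were actually revoked.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)

# AWS access key IDs carry the documented AKIA prefix plus 16 characters. The
# secret-key, Snowflake and password patterns are assumptions for this example
# (no published format exists for the latter two); tune them to your own data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_ -]?secret\w*\s*[:=]\s*\"?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])", re.I),
    "snowflake_token": re.compile(
        r"snowflake[^:=\n]{0,30}[:=]\s*\"?([A-Za-z0-9_\-.]{20,})", re.I),
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\"?([^\s\"',]{6,})", re.I),
}

SAMPLE_RECORDS = [  # constructed; the object types are the ones Salesloft named
    {"object": "Case", "Id": "500xx0000000001", "Subject": "AWS access for vendor",
     "Description": "Temp creds: AKIAIOSFODNN7EXAMPLE / aws_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"object": "Opportunity", "Id": "006xx0000000002", "Name": "Snowflake rollout",
     "Description": "Snowflake token: sf_token_abcdefghijklmnopqrst"},
    {"object": "Account", "Id": "001xx0000000003", "Name": "Acme", "Description": "Renewal due Q4"},
    {"object": "User", "Id": "005xx0000000004", "Title": "Admin",
     "AboutMe": "jump host password=Hunter2!Hunter2"},
]

SAMPLE_CLOUDTRAIL = [  # constructed events using real CloudTrail field names
    {"eventTime": "2025-08-10T03:14:07Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-08-11T22:40:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-07-30T09:00:00Z", "eventSource": "s3.amazonaws.com",  # before the window
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-08-12T12:00:00Z", "eventSource": "ec2.amazonaws.com",  # key not exposed
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def scan_records(records):
    """Return one finding per secret: object, record Id, field, secret type, value."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in ("object", "Id") or not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({"object": rec["object"], "id": rec["Id"],
                                     "field": field, "type": kind, "value": match.group(1)})
    return findings


def exposed_aws_keys(findings):
    """Access key IDs that were sitting in Salesforce data and must be rotated."""
    return {f["value"] for f in findings if f["type"] == "aws_access_key_id"}


def suspicious_key_use(findings, events, start=WINDOW_START, end=None):
    """CloudTrail events in which an exposed key was used inside the window.

    Use of an exposed key is not proof of abuse (its legitimate owner may have
    used it too): compare source IPs and API calls against the key's normal
    pattern before concluding, but rotate the key regardless."""
    exposed = exposed_aws_keys(findings)
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in exposed:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < start or (end is not None and when >= end):
            continue
        hits.append({"accessKeyId": key, "time": ev["eventTime"], "ip": ev["sourceIPAddress"],
                     "call": f"{ev['eventSource']}:{ev['eventName']}"})
    return hits


def mask(secret):
    """Show only the ends of a secret so the triage report does not re-leak it."""
    return secret[:4] + "..." + secret[-4:]


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['object']} {f['id']} [{f['field']}] {f['type']}: {mask(f['value'])}")
    for h in suspicious_key_use(found, SAMPLE_CLOUDTRAIL):
        print(f"exposed key {h['accessKeyId']} used at {h['time']} {h['call']} from {h['ip']}")
```

    In a real response the records would come from a Bulk API export of the objects Salesloft named (Cases, Accounts, Users, Opportunities) and the events from the CloudTrail archive for every account whose keys turned up; the same pattern applies to Snowflake's login and query history for any exposed Snowflake token. Matches on the exposed key from an unfamiliar IP after August 8 are the events to escalate, and every key found is rotated whether or not a match appears.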

    Google has already notified impacted users, revoked the OAuth tokens used by the Drift Email integration, disabled that integration with Google Workspace, and urged Salesloft Drift users to review their integrations, rotate credentials, and check for signs of compromise. Mandiant researchers also investigated this large-scale data theft campaign, in which the actor compromised the sales automation platform Salesloft to steal the OAuth access and refresh tokens associated with the Drift AI chat agent.

    The breach shows how a single compromised third-party integration can expose every downstream system whose credentials are stored in the integrated data. Organizations are therefore urged to take immediate remediation steps: revoke exposed API keys, rotate credentials, and investigate whether any secrets were abused by the threat actor.

    The incident also underscores the need to continuously inventory and review integrations with third-party applications, and to treat the OAuth tokens those applications hold as credentials that deserve the same protection and monitoring as passwords and API keys. On August 20, 2025, Salesloft warned that hackers had exploited OAuth credentials in the Drift app to steal Salesforce data, including Case, Account, User, and Opportunity records.

    In conclusion, the theft of Salesforce data through stolen Drift OAuth tokens shows that the security of an organization's data depends on the security of every application granted access to it. Organizations should review their third-party integrations, revoke exposed API keys, rotate credentials, and investigate whether any exposed secrets were abused by the threat actor.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/OAuth-Token-Theft-Campaign-Salesloft-Drift-Breach-Affects-All-Integrations-ehn.shtml

  • https://securityaffairs.com/181686/cyber-crime/google-salesloft-drift-breach-hits-all-integrations.html

  • https://thehackernews.com/2025/08/google-warns-salesloft-oauth-breach.html


  • Published: Fri Aug 29 05:01:01 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
