Customers are targeted through compromised OAuth access tokens from Salesloft Drift integrations. IT Pro reports:
Google’s Threat Intelligence Group (GTIG) has revealed that hackers harvested user credentials from Salesforce customers in a widespread campaign during the first half of this month.
The attacker, tracked as UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
“The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials,” researchers said in an advisory.
“After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments.”
These secrets included sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Read more at IT Pro.
On August 28, GTIG updated its advisory after finding a broader scope of the attack:
Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.
On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the “Drift Email” integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts.
