Salesforce & Salesloft Warn of Data Breach via Drift App
Salesforce and Salesloft have issued warnings about a data breach affecting their integrated systems. Hackers exploited OAuth credentials in the Drift app to steal sensitive data, leading to a swift response from both companies.
The incident, which occurred between August 8 and 18, 2025, saw threat actor UNC6395 breach Salesloft to steal OAuth/refresh tokens for Drift AI chat. The campaign targeted Salesforce customer instances via compromised OAuth tokens associated with the Salesloft Drift third-party application. During this period, hackers exfiltrated data from Salesforce, harvesting credentials like AWS access keys and Snowflake tokens.
Salesforce has confirmed that only a small number of customers were affected due to a compromised app connection. The company, along with Salesloft, has required admins to re-authenticate and shared indicators of compromise (IOCs) to help customers secure their systems. A digital forensics and incident response (DFIR) firm is assisting in the investigation.
The OAuth token theft campaign against Drift, documented from late 2022 to early 2023, has prompted Google Threat Intelligence Group to advise treating affected systems as compromised and rotating credentials. Salesforce and Salesloft continue to work together to mitigate the impact of this breach and enhance security measures.
Read also:
- Eric Dane Diagnosed with ALS, Advocates for ACT for ALS
- Deepwater Horizon Oil Spill: BP Faces Record-Breaking Settlement - Dubbed 'Largest Environmental Fine Ever Imposed'
- Meta Unveils Ray-Ban AR Display Sunglasses; TikTok Agrees to $200 Million Deal
- Historic downtown temples to receive restoration funds totaling over 25 million pesos
