Hackers breached the sales automation platform Salesloft and stole OAuth and refresh tokens from its Drift chat agent integration with Salesforce, then used those tokens to pivot into customer environments and exfiltrate data.
The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks.
Salesloft's SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM.
According to Salesloft, threat actors obtained Drift OAuth and refresh tokens used for its Salesforce integration, and used them to conduct a Salesforce data theft campaign between August 8 and August 18, 2025.
"Initial findings have shown that the actor's primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens," reads a Salesloft advisory.
"We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident."
In coordination with Salesforce, Salesloft revoked all active access and refresh tokens for the Drift application, requiring customers to re-authenticate with their Salesforce instances.
To reauthenticate, admins should go to Settings > Integrations > Salesforce, disconnect the integration, and then reconnect with valid Salesforce credentials.
Google's Threat Intelligence team (Mandiant) is tracking the threat actor as UNC6395 and states that once the actor gained access to a Salesforce instance, it issued SOQL queries to extract authentication tokens, passwords, and secrets stored in support cases, allowing it to breach further platforms.
"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.
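The actor's technique described above works only because credentials were sitting in plain text inside support case records. A defender's first response, alongside revoking the Drift tokens, is to find out which of their own cases contain such material so the exposed secrets can be rotated. The following scanner is an added example written for this article; it is not code from Salesloft, Salesforce, or Google. It runs over a constructed, in-memory list of case records whose field names (Id, Subject, Description) mirror the standard Salesforce Case object, and the detection patterns are assumptions: the AWS access key ID prefix "AKIA" comes from the advisory, while the password-assignment pattern is a generic heuristic.

```python
import re

# Constructed sample of Case records (made-up data; the AKIA value is the
# documented AWS example key, not a live credential).
SAMPLE_CASES = [
    {"Id": "500000000000001", "Subject": "S3 upload failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE and it returns 403."},
    {"Id": "500000000000002", "Subject": "Login issue",
     "Description": "My password: Summer2025! still does not work."},
    {"Id": "500000000000003", "Subject": "Billing question",
     "Description": "Please resend the invoice for July."},
]

# Fields of a Case record that free text from customers or agents lands in.
FIELDS_SCANNED = ("Subject", "Description")

# Assumed detection patterns. AWS access key IDs start with AKIA followed by
# 16 uppercase alphanumerics; the password rule is a loose heuristic for
# "password: value" / "password=value" spelled out in a ticket.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognizable, never the full value."""
    return secret[:4] + "***"


def scan_case(case: dict) -> list:
    """Return one finding per secret-like match in the scanned fields of a case."""
    findings = []
    for field in FIELDS_SCANNED:
        text = case.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                # Use the captured group when the pattern has one (the value after
                # "password:"), otherwise the whole match (the AKIA key itself).
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "case_id": case["Id"],
                    "field": field,
                    "kind": kind,
                    "preview": redact(secret),
                })
    return findings


def scan_cases(cases: list) -> list:
    """Scan every case and return the flattened list of findings for triage."""
    results = []
    for case in cases:
        results.extend(scan_case(case))
    return results


def cases_needing_rotation(cases: list) -> list:
    """Distinct case IDs that hold at least one secret and need follow-up."""
    seen = []
    for finding in scan_cases(cases):
        if finding["case_id"] not in seen:
            seen.append(finding["case_id"])
    return seen


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(f"{finding['case_id']} {finding['field']:<12} "
              f"{finding['kind']:<20} {finding['preview']}")
    print("cases to triage:", cases_needing_rotation(SAMPLE_CASES))
```

In practice the list fed to `scan_cases` would be the result of your own export of Case records; the scanner only ever stores a redacted prefix of each match, so its output can be shared with the teams that own the affected systems without re-exposing the secret. Treat every hit as a credential to rotate, not just to delete from the ticket, since the advisory's timeline means any secret present in a case before revocation may already have been copied.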