Salesloft Drift OAuth Token Breach Enables Salesforce Data Theft in UNC6395 'Icarus' Attack Campaign (August 2026)
- Joseph K

- Jun 21
- 1 min read
Between June 8 and June 18, 2026, a widespread data theft campaign targeted organizations using the Salesloft Drift integration with Salesforce. The threat actor, tracked as UNC6395 (also referenced as 'Icarus'), exploited compromised OAuth tokens issued to the Salesloft Drift application, enabling unauthorized access to Salesforce customer instances via API. Over 700 organizations, including major technology, security, and SaaS companies, were affected. The attacker systematically exported large volumes of data from Salesforce, focusing on support case text, contact and account information, and, critically, plaintext credentials such as AWS keys, Snowflake tokens, VPN credentials, and passwords embedded in support cases. The campaign did not exploit a vulnerability in Salesforce or Google Workspace itself, but rather abused the trust relationship established by OAuth tokens for third-party integrations. Detection occurred on June 19, 2026, with immediate revocation of all Drift OAuth tokens and removal of the Drift app from the Salesforce AppExchange. The incident highlights the risks associated with third-party SaaS integrations and the importance of credential hygiene and least-privilege access. All information in this summary is directly supported by technical evidence from Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali, as cited in the References section.
Comments