top of page

Salesloft Drift OAuth Token Breach Enables Salesforce Data Theft in UNC6395 'Icarus' Attack Campaign (August 2026)

  • Writer: Joseph K
    Joseph K
  • Jun 21
  • 1 min read

Between June 8 and June 18, 2026, a widespread data theft campaign targeted organizations using the Salesloft Drift integration with Salesforce. The threat actor, tracked as UNC6395 (also referenced as 'Icarus'), exploited compromised OAuth tokens issued to the Salesloft Drift application, enabling unauthorized access to Salesforce customer instances via API. Over 700 organizations, including major technology, security, and SaaS companies, were affected. The attacker systematically exported large volumes of data from Salesforce, focusing on support case text, contact and account information, and, critically, plaintext credentials such as AWS keys, Snowflake tokens, VPN credentials, and passwords embedded in support cases. The campaign did not exploit a vulnerability in Salesforce or Google Workspace itself, but rather abused the trust relationship established by OAuth tokens for third-party integrations. Detection occurred on June 19, 2026, with immediate revocation of all Drift OAuth tokens and removal of the Drift app from the Salesforce AppExchange. The incident highlights the risks associated with third-party SaaS integrations and the importance of credential hygiene and least-privilege access. All information in this summary is directly supported by technical evidence from Google Cloud Threat Intelligence Group, Mandiant, Arctic Wolf, and Anomali, as cited in the References section.







Comments


Recent Posts
Headquarters

1100 106th Avenue NE, Suite 101F
Bellevue, WA 98004
425-998-8505

info@fiduciarytech.com

Seoul Office

Address: Geunshin Building 506-1, 20 Samgae-ro, Mapo-gu, Seoul, 04173, Republic of Korea
02-71
2-2227

info@fiduciarytech.com

fiduciary technology consulting

© 2026 by Fiduciary Technology Solutions 

bottom of page