Widespread Salesforce Data Theft via Compromised Salesloft Drift OAuth Tokens

Joseph K
Aug 26, 2025
1 min read

On August 20, 2025, Salesloft published an advisory describing a security issue potentially affecting the Salesloft Drift integration with Salesforce. On August 26, Google Threat Intelligence Group (GTIG) provided additional details about the campaign, in which a threat actor known as UNC6395 authenticated against Salesforce customer instances using compromised OAuth tokens tied to the Salesloft Drift integration with Salesforce. The malicious activity, observed between August 8 and at least August 18, resulted in the exfiltration of large volumes of data from multiple corporate Salesforce instances.

https://arcticwolf.com/resources/blog/widespread-salesforce-data-theft-via-compromised-salesloft-drift-oauth-tokens/

Widespread Salesforce Data Theft via Compromised Salesloft Drift OAuth Tokens

Comments

Recent Posts

AWS PartnerCast Highlights How Treehouse Software Replicates Mainframe Data to AWS Without Disruption

NBCUniversal, AWS, Adobe, and WPP Leaders Weigh AI Ad Innovation and IP Protection at CES

AUMOVIO and AWS Partner to Accelerate Safer, Scalable Autonomous Driving Development

AWS Introduces New Well-Architected Lens for Data Residency and Hybrid Cloud Compliance

GDIT Named AWS Global Defense Consulting Partner of the Year for Tactical Edge AI Innovation

Get In Touch

Headquarters

Seoul Office