August 29, 2025

Threat actors target Salesforce instances via Salesloft Drift integration


Between August 8 and 18, 2025, Google’s Threat Intelligence team observed a targeted data exfiltration campaign that abused OAuth tokens associated with the Drift-Salesforce integration on the Salesloft platform.

The threat actors used these tokens to access customer Salesforce instances and extract sensitive data, including Amazon Web Services (AWS) access keys (AKIA), Snowflake-related access tokens, and passwords. Google observed systematic SOQL queries, issued via compromised OAuth tokens, against Salesforce objects such as Cases, Accounts, and Users.

Salesloft confirmed the breach on August 19, 2025, and revoked all Drift-Salesforce connections the following day. Salesforce subsequently disabled all integrations between Salesforce and Salesloft technologies, including the Drift app.

Initially believed to be limited to Salesforce integrations, the scope of the breach expanded on August 28, when Google’s Threat Intelligence Group confirmed that OAuth tokens linked to Drift Email were also compromised.

This allowed limited access to Google Workspace accounts configured with Drift. However, Google emphasized that its core infrastructure was not affected, and that the compromise was limited to third-party integrations.

Google linked the activity to a likely China-based threat actor, UNC6395, citing evidence of targeted SOQL queries and credential theft using compromised OAuth tokens.

However, the ShinyHunters extortion group separately claimed responsibility in a statement to BleepingComputer. Google has not confirmed the link, and attribution remains unclear because of the conflicting claims and a lack of direct proof.


Analyst insight

The campaign reflects a growing pattern of OAuth token misuse and exploitation of third-party integrations, consistent with tactics seen in earlier incidents involving Snowflake and other SaaS platforms. The risks introduced by interconnected SaaS environments underscore the need for stronger access controls across cloud ecosystems.

OAuth tokens and third-party apps give access to critical systems, so they should be managed with the same care and controls as your main infrastructure.

To contain this threat, revoke all Drift-related OAuth tokens and re-establish integrations only once they are known to be clean. Check Salesforce logs for unusual SOQL queries or activity attributed to Drift. Replace any stored credentials that may have been exposed, such as AWS keys or Snowflake tokens. If Drift Email is linked to Google Workspace, turn off the connection and revoke its access. Google has already alerted affected admins and blocked further use.
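The log review and credential sweep described above can be scripted. The following is an added example written for this article, not code from Google, Salesloft or Salesforce. It works over a constructed set of API event records whose field names (`ts`, `user`, `app`, `query`, `rows`) are our own assumption rather than Salesforce's log schema, flags bulk reads of the Case, Account and User objects by a watched connected app, totals rows read per app and object, and scans exported Case text for AWS access key IDs (the `AKIA` prefix followed by 16 characters). The key in the sample text is the placeholder AWS uses in its own documentation, not a real credential.

```python
import re
from collections import Counter

# Constructed sample records, loosely modelled on Salesforce API event log entries.
# The field names are an assumption made for this example, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:14:05Z", "user": "integration@example.com", "app": "Drift",
     "query": "SELECT Id, Subject, Description FROM Case", "rows": 14820},
    {"ts": "2025-08-10T02:16:41Z", "user": "integration@example.com", "app": "Drift",
     "query": "SELECT Id, Name, Website FROM Account", "rows": 9310},
    {"ts": "2025-08-10T02:19:02Z", "user": "integration@example.com", "app": "Drift",
     "query": "SELECT Id, Username, Email FROM User", "rows": 640},
    {"ts": "2025-08-10T09:30:12Z", "user": "jdoe@example.com", "app": "Salesforce Web",
     "query": "SELECT Id, Subject FROM Case WHERE OwnerId = '005xx000001Example'", "rows": 17},
    {"ts": "2025-08-11T14:05:33Z", "user": "integration@example.com", "app": "Drift",
     "query": "SELECT Id, Name FROM Lead WHERE LastModifiedDate = TODAY", "rows": 45},
]

# Constructed Case export; the AKIA value is the AWS documentation placeholder key ID.
SAMPLE_CASES = [
    {"id": "500xx000000001", "description": "Customer pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE"},
    {"id": "500xx000000002", "description": "Login page returns 500 after upgrade."},
]

# Objects the campaign was observed querying (from the article).
SENSITIVE_OBJECTS = {"Case", "Account", "User"}

FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
# AWS access key IDs: 'AKIA' followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def soql_object(query):
    """Return the object named in the query's FROM clause, or None if absent."""
    m = FROM_RE.search(query)
    return m.group(1) if m else None


def flag_bulk_reads(events, watched_apps=frozenset({"Drift"}), row_threshold=500):
    """Events where a watched connected app read >= row_threshold rows from a sensitive object."""
    flagged = []
    for ev in events:
        obj = soql_object(ev["query"])
        if ev["app"] in watched_apps and obj in SENSITIVE_OBJECTS and ev["rows"] >= row_threshold:
            flagged.append((ev["ts"], ev["app"], obj, ev["rows"]))
    return flagged


def rows_by_app_and_object(events):
    """Total rows returned, keyed by (connected app, object), to show the scale of each read."""
    totals = Counter()
    for ev in events:
        totals[(ev["app"], soql_object(ev["query"]))] += ev["rows"]
    return totals


def find_aws_key_ids(text):
    """All AKIA-style access key IDs present in a block of text."""
    return AWS_KEY_ID_RE.findall(text)


def cases_with_exposed_keys(cases):
    """Case IDs whose description contains an AWS access key ID; these keys need rotating."""
    return {c["id"]: find_aws_key_ids(c["description"])
            for c in cases if find_aws_key_ids(c["description"])}


if __name__ == "__main__":
    for ts, app, obj, rows in flag_bulk_reads(SAMPLE_EVENTS):
        print(f"{ts} {app} read {rows} rows from {obj}")
    for (app, obj), total in sorted(rows_by_app_and_object(SAMPLE_EVENTS).items()):
        print(f"{app:15s} {obj:8s} {total}")
    for case_id, keys in cases_with_exposed_keys(SAMPLE_CASES).items():
        print(f"case {case_id}: rotate {', '.join(keys)}")
```

Run against a real export, the flagged list is the set of reads to reconcile against the integration's expected behaviour, and the per-object totals show which data sets to treat as exposed; the Case scan is only a first pass, since Snowflake tokens and passwords have no fixed prefix and need the credential inventory rather than a regex.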

Organizations should review their third-party app inventories and assess the threat surface for any integrations with Salesloft Drift.