Arctic Wolf Security Bulletin

Widespread Salesforce Data Theft via Compromised Salesloft Drift OAuth Tokens


On 20 August 2025, Salesloft published an advisory describing a security issue potentially affecting the Salesloft Drift integration with Salesforce. On 26 August, Google Threat Intelligence Group (GTIG) provided additional details about the campaign, in which a threat actor known as UNC6395 authenticated against Salesforce customer instances using compromised OAuth tokens tied to the Salesloft Drift integration with Salesforce. The malicious activity, observed between 8 August and at least 18 August, resulted in the exfiltration of large volumes of data from multiple corporate Salesforce instances.

Salesforce contacted customers of the Salesloft Drift integration for Salesforce, recommending that they create a support case for further assistance in investigating the malicious activity.

Campaign Details

There is no evidence that the Salesforce platform itself was compromised. Rather, public reporting suggests that the Salesforce integration for the Salesloft Drift chat agent was compromised, and that OAuth secrets were used to exfiltrate customer data from Salesforce.

The threat actor’s primary objective was credential theft, with a focus on sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. The incident was limited to customers using the Salesloft Drift Salesforce integration. To mitigate the threat, all active access and refresh tokens for the Drift application were proactively revoked by Salesloft and Salesforce, requiring administrators to re-authenticate their Salesforce connection to restore the integration. Salesloft has indicated that there is no evidence that the malicious activity is still ongoing at this time.

Recommendations

Take Remediation Actions for Your Salesloft-Salesforce Integration

Salesforce has reached out to impacted customers regarding the Salesloft Drift integration. If your organisation uses this integration, we recommend confirming your status directly with Salesforce, opening a support case if needed to investigate activity related to this campaign, and following any guidance they provide. Sensitive information contained within Salesforce objects, such as API keys or other credentials, should be rotated to prevent malicious access.
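The threat actor's objective described above was credential material stored in Salesforce records (AWS access keys, passwords, Snowflake tokens), and the remediation is to rotate whatever credentials those records hold. The following script, added to this bulletin and not Arctic Wolf, Salesforce or Salesloft code, shows one way to build that rotation worklist: it scans a CSV export of Salesforce records for credential-like strings and reports redacted findings per record. The sample export, the column names and the regex heuristics are all assumptions made for this example; the AWS values are the placeholder credentials from AWS documentation, not live keys.

```python
"""Flag credential-like strings in a Salesforce record export so they can be rotated.

Added example for this bulletin; it is not Arctic Wolf, Salesforce or Salesloft code.
Assumes the admin has already exported the objects of interest (here Case records)
to CSV. The regexes are heuristics: expect false positives and triage the output.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample export. The AWS values are the placeholder credentials from
# AWS documentation, not live keys; everything else is invented for this example.
SAMPLE_EXPORT = """Id,Subject,Description
500XX0000001,Login issue,"Customer cannot log in; reset link sent."
500XX0000002,Integration setup,"Temp key for the loader: AKIAIOSFODNN7EXAMPLE / secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
500XX0000003,Warehouse access,"snowflake password: Winter2025! for svc_loader"
500XX0000004,Follow-up,"Resolved on the call, no further action."
"""

# Ordered from most to least specific; a value matched by an earlier pattern
# is not reported again by a later, broader one.
PATTERNS = [
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # 40-character secret within 20 characters of a "secret" label.
    ("aws_secret_access_key", re.compile(
        r"(?i)(?:aws_secret_access_key|secret)\W{0,20}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    # Generic "label: value" pairs; catches passwords and opaque tokens such as
    # Snowflake credentials, which have no fixed format to match on.
    ("generic_credential", re.compile(
        r"(?i)\b(?:password|passwd|pwd|passphrase|api[_ -]?key|token|secret)\b\s*[:=]?\s*(\S+)")),
]

# Product words that tell the reviewer which system a credential belongs to.
CONTEXT_WORDS = ("snowflake", "aws", "s3")


@dataclass(frozen=True)
class Finding:
    record_id: str
    field_name: str
    kind: str
    preview: str            # redacted; the full value never leaves the record
    context: tuple = ()


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the record."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_text(text: str) -> list:
    """Return (kind, raw_value) pairs for credential-like strings in text."""
    hits, seen = [], set()
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            # Patterns without a capture group report the whole match.
            value = m.group(m.lastindex or 0).rstrip(".,;)")
            if value not in seen:
                seen.add(value)
                hits.append((kind, value))
    return hits


def scan_export(csv_text: str, fields=("Subject", "Description"), id_column="Id") -> list:
    """Scan the chosen columns of a CSV export and return redacted findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name in fields:
            text = row.get(name) or ""
            context = tuple(w for w in CONTEXT_WORDS if w in text.lower())
            for kind, value in scan_text(text):
                findings.append(Finding(row[id_column], name, kind, redact(value), context))
    return findings


def rotation_list(findings) -> list:
    """Distinct (record, kind) pairs: the worklist for credential rotation."""
    return sorted({(f.record_id, f.kind) for f in findings})


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f.record_id} {f.field_name:<12} {f.kind:<22} {f.preview} {' '.join(f.context)}")
```

Run against the sample, the script reports the AWS key pair in record 500XX0000002 and the Snowflake password in 500XX0000003, with values redacted so the report itself does not become another copy of the secret. The point of the exercise is the worklist: every credential the scan surfaces is one that should be assumed exposed and rotated, regardless of whether a given record was confirmed to have been read.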

Additionally, Google Threat Intelligence Group has published guidance with further remediation actions that can be taken in response to this campaign.

Follow Salesloft for Additional Updates

Arctic Wolf recommends monitoring the Salesloft Trust Page for additional updates. In collaboration with Salesforce, Salesloft has stated they have proactively revoked all active access and refresh tokens for the Drift application. Administrators must re-authenticate their Salesforce connection to re-enable the integration.
