What Happened?
Between August 8–18, 2025, threat actor UNC6395 exploited compromised Salesloft Drift OAuth tokens to infiltrate connected Salesforce instances. Using the stolen access, attackers executed structured queries to extract sensitive information, including AWS keys, Snowflake tokens, passwords, and corporate secrets.
On August 20, Salesforce and Salesloft revoked the OAuth tokens, and Drift was removed from AppExchange. Days later, Google Threat Intelligence Group (GTIG) revealed the breach’s scope extended beyond Salesforce, affecting other integrations, including limited Google Workspace accounts.
Why This Breach Matters
The incident highlights a growing attack trend: targeting integrations and SaaS connectors rather than the core platforms themselves. Salesforce was not directly exploited; the compromise happened through Drift’s OAuth tokens, which acted as a backdoor into Salesforce and beyond.
This reflects a third-party risk management (TPRM) challenge. Organizations often rely on numerous SaaS integrations without fully appreciating that each vendor expands the attack surface. A breach in one connector can cascade into multiple high-value environments.
The Attacker’s Tactics
- Querying Salesforce Data: Attackers retrieved Accounts, Opportunities, Cases, and User data, along with secrets stored in those records.
- Hunting Credentials: They specifically looked for cloud access keys and tokens embedded in Salesforce fields, evidence of a financially motivated campaign.
- Covering Tracks: Query jobs were deleted to obscure activity, though forensic logs remained.
This level of automation and precision shows that UNC6395 was not opportunistic but strategic, targeting valuable data across numerous organizations.
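The credential hunting described above has a direct defensive counterpart: a scan of your own exported CRM records for embedded keys, so that the team knows exactly which record, field and credential class needs rotation. The following is an added example, not code from the original post or from Salesforce, Salesloft or Google. The record layout, the Snowflake-token and password heuristics, and the sample data are constructed assumptions; the AWS access key ID format (AKIA plus 16 upper-case alphanumerics) is AWS's public format, and the AWS values used are the placeholder examples from AWS's own documentation.

```python
import re
from typing import Dict, List

# Patterns to look for in free-text CRM fields. The AWS access key ID format
# (AKIA followed by 16 upper-case alphanumerics) is AWS's public format; the
# secret-key, Snowflake and password patterns are heuristics assumed for this
# example and should be tuned to what your own tenant actually stores.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|pat)\s*[=:]\s*([A-Za-z0-9_\-]{32,})"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S{8,})"),
}


def redact(value: str) -> str:
    """Keep the first and last four characters so a finding can be located
    in the source record without copying the whole secret into a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_record(obj: str, record: Dict[str, str]) -> List[dict]:
    """Return one finding per secret-like match in any string field."""
    findings = []
    for field, value in record.items():
        if field == "Id" or not isinstance(value, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(value):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "object": obj,
                    "id": record["Id"],
                    "field": field,
                    "kind": kind,
                    "preview": redact(secret),
                })
    return findings


def scan_export(export: Dict[str, List[Dict[str, str]]]) -> List[dict]:
    """Scan a mapping of object name -> list of records (e.g. a Bulk API export)."""
    findings = []
    for obj, records in export.items():
        for record in records:
            findings.extend(scan_record(obj, record))
    return findings


def rotation_scope(findings: List[dict]) -> Dict[str, int]:
    """Count findings per secret type: the credential classes that must be rotated."""
    scope: Dict[str, int] = {}
    for finding in findings:
        scope[finding["kind"]] = scope.get(finding["kind"], 0) + 1
    return scope


# Constructed sample export. The AWS values are the placeholder examples
# published in AWS documentation; the Snowflake token and password are made up.
SAMPLE_EXPORT = {
    "Case": [
        {"Id": "500000000000001", "Subject": "S3 upload failing",
         "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE "
                        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
        {"Id": "500000000000002", "Subject": "Nightly load broken",
         "Description": "Snowflake token = sf_pat_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 for the loader"},
    ],
    "Opportunity": [
        {"Id": "006000000000001", "Name": "Acme renewal",
         "NextStep": "Admin password: Summer2025!Rotate before the demo"},
    ],
    "User": [
        {"Id": "005000000000001", "Name": "J. Doe", "Title": "Engineer"},
    ],
}

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
    print(rotation_scope(scan_export(SAMPLE_EXPORT)))
```

Run against a real export, the output is a per-record list of where secrets sit (with redacted previews, so the report itself does not become another leak) and a count per credential class, which is the rotation checklist. Anything the scan finds should be treated as already exposed if the Drift integration could read that object.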
Key Impacts
- Salesforce Customers: Organizations with Drift integrations faced exfiltration of sensitive CRM data and embedded secrets.
- Google Workspace: A limited number of OAuth tokens tied to Drift Email were compromised, prompting Google to revoke access.
- Broader Ecosystem: Any SaaS system connected via Drift should be considered at risk, showing how supply-chain attacks ripple across platforms.
For TPRM programs, this reinforces the need to map dependencies: knowing exactly which third-party apps connect to core systems like Salesforce or Google Workspace is critical for assessing blast radius.
Recommended Response Steps
- Revoke All Drift Tokens
 Immediately revoke OAuth tokens tied to Drift and re-authenticate integrations.
- Rotate Secrets and Credentials
 Reset API keys, tokens, and passwords for Salesforce, AWS, and any other systems possibly exposed.
- Audit Logs for Suspicious Access
 Check for queries run from Tor exit nodes or unusual activity across Salesforce Event Monitoring and Workspace logs.
- Apply Least Privilege to Integrations
 Restrict OAuth scopes to the bare minimum—this limits damage if tokens are stolen. This is a TPRM best practice that could have reduced the blast radius.
- Engage with Vendors
 Coordinate with Salesforce, Salesloft, and Google for advisories and support. Consider incident response escalation.
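The log-audit step above, as an added example that is not from the original post or from any vendor: a triage pass over an exported access log that flags the three behaviours the incident write-up describes (queries from Tor exit nodes, bulk reads of Account, Opportunity, Case and User records, and deleted query jobs), then derives which connected apps to revoke and how many rows were read per object. The column names, the log lines and the Tor exit address are constructed for the example; a real Salesforce Event Monitoring export uses its own column set, so map the fields before reusing this.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed log excerpt. The column set is a simplification assumed for this
# example, loosely modelled on Salesforce Event Monitoring exports; a real
# export has more columns and different names, so map them before use.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CONNECTED_APP,OPERATION,ENTITY,ROWS
BulkApi,2025-08-10T02:14:05Z,005A1,198.51.100.23,Drift,Query,Account,120000
BulkApi,2025-08-10T02:16:40Z,005A1,198.51.100.23,Drift,Query,Opportunity,85000
BulkApi,2025-08-10T02:19:12Z,005A1,198.51.100.23,Drift,Query,Case,64000
BulkApi,2025-08-10T02:21:03Z,005A1,198.51.100.23,Drift,Query,User,2100
BulkApi,2025-08-10T02:25:55Z,005A1,198.51.100.23,Drift,DeleteJob,Account,0
Api,2025-08-10T09:00:00Z,005B7,203.0.113.8,Drift,Query,Lead,40
"""

# Constructed Tor exit set for the example; in production load a published
# exit-node list and refresh it regularly.
TOR_EXIT_NODES: Set[str] = {"198.51.100.23"}
SENSITIVE_OBJECTS = {"Account", "Opportunity", "Case", "User"}
BULK_ROW_THRESHOLD = 10_000  # tune to your org's normal integration volume


def triage(log_text: str) -> List[dict]:
    """Flag events matching the behaviours described in the incident:
    access from Tor exits, bulk reads of sensitive objects, and job deletion."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["CLIENT_IP"] in TOR_EXIT_NODES:
            reasons.append("tor_exit_source")
        if (row["OPERATION"] == "Query"
                and row["ENTITY"] in SENSITIVE_OBJECTS
                and int(row["ROWS"]) >= BULK_ROW_THRESHOLD):
            reasons.append("bulk_export_sensitive_object")
        if row["OPERATION"] == "DeleteJob":
            # Deleting a job hides its result set, not the event log entry.
            reasons.append("job_deleted")
        if reasons:
            alerts.append({
                "timestamp": row["TIMESTAMP"],
                "user": row["USER_ID"],
                "app": row["CONNECTED_APP"],
                "ip": row["CLIENT_IP"],
                "entity": row["ENTITY"],
                "rows": int(row["ROWS"]),
                "reasons": reasons,
            })
    return alerts


def apps_to_revoke(alerts: List[dict]) -> Set[str]:
    """Connected apps whose tokens were used in any flagged event."""
    return {alert["app"] for alert in alerts}


def exposed_rows_by_object(alerts: List[dict]) -> Dict[str, int]:
    """Rows read per sensitive object across flagged bulk queries: the blast
    radius figure to hand to incident response and the affected data owners."""
    totals: Dict[str, int] = {}
    for alert in alerts:
        if "bulk_export_sensitive_object" in alert["reasons"]:
            totals[alert["entity"]] = totals.get(alert["entity"], 0) + alert["rows"]
    return totals


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for alert in flagged:
        print(alert["timestamp"], alert["app"], alert["entity"], alert["reasons"])
    print("revoke:", apps_to_revoke(flagged))
    print("exposed rows:", exposed_rows_by_object(flagged))
```

The row threshold and the sensitive-object list are where the tuning happens: a legitimate connector that syncs Leads in small batches during business hours should not trip the bulk rule, while a single token pulling six-figure row counts from core objects in the middle of the night should, even before the source address is checked against the exit-node list.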
Lessons in Third-Party Risk
This event is a stark reminder that third-party SaaS integrations carry inherent risks:
- Attackers target the weakest vendor: Drift became the entry point, not Salesforce.
- Risks cascade across ecosystems: Once attackers obtained Salesforce data, they gained credentials that could unlock AWS, Snowflake, and other services.
- TPRM is essential: Organizations need visibility into all connected apps, continuous monitoring of vendor security, and stricter controls on token permissions.
The Salesloft Drift OAuth breach represents one of the most significant third-party integration incidents of 2025. From Salesforce data theft to potential Google Workspace exposure, it illustrates how one compromised connector can threaten multiple critical platforms.
While Salesforce itself remained intact, the event underscores a larger reality: third-party risk is first-party risk. Strengthening TPRM practices (continuous monitoring, least-privilege enforcement, and vendor accountability) is no longer optional.
Organizations that act quickly—revoking tokens, rotating credentials, and tightening integration controls—will be best positioned to contain the fallout and guard against similar supply-chain attacks in the future.