Salesloft OAuth Breach: How Hackers Exposed Salesforce Customer Data via Drift AI Chat Agent

A significant data breach has occurred at Salesloft, where hackers exploited OAuth and refresh tokens linked to the Drift AI chat agent. The threat actor, identified as UNC6395 by Google Threat Intelligence Group (GTIG) and Mandiant, targeted Salesforce customer instances from August 8 to August 18, 2025, affecting over 700 organizations.


The attackers exfiltrated large volumes of data, including AWS access keys and passwords, from various Salesforce accounts. They demonstrated operational security by deleting query jobs to cover their tracks. Salesloft has since revoked connections between Drift and Salesforce and advised affected customers to re-authenticate their Salesforce connections.


Salesforce confirmed that a "small number of customers" were impacted due to the app's compromised connection. The breach highlights a concerning trend, as financially motivated groups increasingly target Salesforce instances. Experts suggest this may be part of a broader supply chain attack strategy, aiming to exploit trust relationships within the technology sector.