Hackers steal Salesforce data via Salesloft integration

Hackers have targeted the Salesloft sales automation platform and exploited the Drift integration with Salesforce to steal OAuth and refresh tokens, thereby gaining access to customer environments.

Between August 8 and 18, 2025, the attackers carried out a large-scale data theft, targeting sensitive information, including AWS access keys, passwords, and Snowflake-related tokens. According to Salesloft, only customers with the Drift-Salesforce link were affected. As a precaution, all active tokens have been revoked, and administrators must re-authenticate their integration.

Additional research by Google Threat Intelligence, formerly Mandiant, suggests the involvement of a group identified under the name UNC6395. Once access was gained, this group used SOQL queries to extract sensitive data from Salesforce objects. This included searching support cases for passwords, secrets, and other sensitive information. To make detection more difficult, the attackers deleted query jobs, although log files were retained.

The attackers used Tor and hosting providers such as AWS and DigitalOcean for their infrastructure. In addition to the user agents published by Salesloft, the user agent Salesforce-CLI/1.0 has also been identified as one used in the attacks.

Attackers searched specifically for credentials

Google advises affected organizations to review their Salesforce logs and identify specific patterns. Examples include AKIA as an indicator for AWS keys, references to Snowflake, generic terms such as “password,” “secret,” and “key,” and organization-specific login URLs for VPN or SSO services. In addition, resetting and rotating credentials is considered necessary.
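A log triage sketch that applies the indicators listed above to exported Salesforce query logs, added here as an illustration and not taken from the article, Google or Salesloft. The record layout, the field names and the example.com VPN/SSO hosts are constructed placeholders; the real Salesforce event log schema differs and an organization would substitute its own login hostnames.

```python
import re

# Indicators named in Google's guidance as reported in the article. AKIA is
# matched case-sensitively because AWS access key IDs carry that exact prefix.
TERM_PATTERNS = {
    "aws_key_prefix": re.compile(r"\bAKIA"),
    "snowflake": re.compile(r"snowflake", re.IGNORECASE),
    "password": re.compile(r"password", re.IGNORECASE),
    "secret": re.compile(r"secret", re.IGNORECASE),
    "key": re.compile(r"\bkey\b", re.IGNORECASE),
}
# User agent reported in addition to the ones Salesloft published.
SUSPICIOUS_USER_AGENTS = {"Salesforce-CLI/1.0"}


def scan_record(record, org_login_hosts):
    """Return the indicator names that fire on one query-log record (constructed format)."""
    hits = []
    query = record.get("query", "")
    for name, pattern in TERM_PATTERNS.items():
        if pattern.search(query):
            hits.append(name)
    # Organization-specific VPN/SSO login URLs are supplied by the caller.
    if any(host.lower() in query.lower() for host in org_login_hosts):
        hits.append("org_login_url")
    if record.get("user_agent") in SUSPICIOUS_USER_AGENTS:
        hits.append("user_agent")
    return hits


def triage(records, org_login_hosts):
    """Map record index -> matched indicators for every record that fired at least one."""
    findings = {}
    for idx, record in enumerate(records):
        hits = scan_record(record, org_login_hosts)
        if hits:
            findings[idx] = hits
    return findings


# Constructed, simplified sample records; not the real Salesforce event log schema.
SAMPLE_RECORDS = [
    {"user_agent": "Salesforce-CLI/1.0",
     "query": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%password%' OR Description LIKE '%AKIA%'"},
    {"user_agent": "Mozilla/5.0",
     "query": "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY"},
    {"user_agent": "python-requests/2.31",
     "query": "SELECT Body FROM CaseComment WHERE Body LIKE '%sso.example.com%' OR Body LIKE '%snowflake%'"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_RECORDS, ["sso.example.com", "vpn.example.com"]).items():
        print(f"record {idx}: {', '.join(hits)}")
```

Records that match several indicators at once, such as a credential term combined with the reported user agent, are the ones to prioritise for credential rotation.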

There has been some confusion about the attribution. The criminal group ShinyHunters briefly claimed responsibility for the attack, but later retracted this claim. Google has yet to find any evidence that ShinyHunters or the related Scattered Spider collective is responsible.

The attack on Salesloft comes at a time when Salesforce customers are being targeted more broadly. According to Google, several organizations have already been affected by similar methods in 2025. In these cases, malicious OAuth apps were linked to Salesforce environments via social engineering or vishing. Known victims include Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.