Google Warns of Massive Salesforce Data Heist via Salesloft Drift Integration
- Cyber Jill
- Aug 28
A sophisticated hacking campaign exploited a popular sales automation app to steal vast amounts of data from Salesforce environments, Google’s Threat Intelligence Group (GTIG) revealed this week.
Between August 8 and August 18, a threat actor tracked as UNC6395 leveraged stolen OAuth tokens from Salesloft Drift, an AI-powered sales assistant, to siphon off data from hundreds of organizations worldwide. GTIG says the spree was both opportunistic and industrialized, targeting anyone with the misfortune of linking Drift to Salesforce.
“GTIG is aware of over 700 potentially impacted organizations,” Austin Larsen, principal threat analyst at GTIG, told CyberScoop. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”
Automation at Scale
The attackers didn’t just smash-and-grab Salesforce data—they went hunting for the crown jewels of cloud infrastructure. According to Google, UNC6395 combed through compromised environments for plaintext AWS keys, VPN credentials, and Snowflake passwords, hoping to leapfrog from Salesforce into broader enterprise systems.
“Using a single token stolen from Salesloft, the threat actor was able to access tokens for any Drift linked organization,” explained GTIG analyst Tyler McLellan. “The threat actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials including Amazon, Snowflake and other passwords.”
While Google’s incident response arm, Mandiant, has not yet seen signs of secondary intrusions with those stolen secrets, investigators say the campaign shows clear evidence of preparation, automation, and operational discipline.
Vendor Response
Salesloft confirmed the breach in a Monday update, saying it had worked with Salesforce to revoke all Drift-linked OAuth tokens on August 20. The company insists the impact is contained to customers who integrated Drift with Salesforce. Salesforce, in turn, emphasized the issue was external.
“A small number of customers” were affected, Salesforce said in a statement, stressing that “this issue did not stem from a vulnerability within the core Salesforce platform, but rather from a compromise of the app’s connection.”
Still, Google’s advice is blunt: organizations using Drift with Salesforce should assume compromise, rotate keys, revoke API access, and audit their environments for signs of further intrusion.
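One concrete form the audit step above can take, as an added example that is not from the article, Google, Salesloft or Salesforce: a scanner run over an exported set of Salesforce records that flags the kinds of plaintext secrets the article says the actor searched for, so their owners can rotate them. The record layout and the generic "password=" connection-string pattern are assumptions; the AWS key formats are AWS's documented ones and the AWS values in the sample are AWS's public example credentials.

```python
import re
from typing import Dict, List

# Secret shapes the article says UNC6395 searched for in exported Salesforce data.
# The AWS access key ID shape (AKIA + 16 uppercase alphanumerics) and the 40-character
# secret key are AWS's documented formats; the generic "password=" pattern for Snowflake
# or VPN connection strings is an assumption made for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "connection_string_password": re.compile(
        r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\";&]{6,})"),
}

def mask(secret: str) -> str:
    """Keep a short prefix so the owner can identify the key without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_record(record_id: str, fields: Dict[str, str]) -> List[dict]:
    """Return one finding per match; each finding holds a masked preview, never the secret."""
    findings = []
    for field, text in fields.items():
        if not isinstance(text, str):
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(m.lastindex or 0)
                findings.append({"record": record_id, "field": field,
                                 "type": kind, "preview": mask(secret)})
    return findings

def scan_export(records: List[dict]) -> List[dict]:
    """Scan a list of {"Id": ..., "fields": {...}} records, e.g. a Case export (assumed layout)."""
    return [f for r in records for f in scan_record(r["Id"], r["fields"])]

# Constructed sample export (not real data); the AWS values are AWS's public example credentials.
SAMPLE_EXPORT = [
    {"Id": "5001", "fields": {"Subject": "Onboarding", "Description":
        "Customer pasted AKIAIOSFODNN7EXAMPLE and "
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY into chat"}},
    {"Id": "5002", "fields": {"Subject": "ETL setup", "Description":
        "snowflake conn: account=acme; user=svc_etl; password=Sn0wfl@ke-Example!"}},
    {"Id": "5003", "fields": {"Subject": "Renewal", "Description":
        "Customer asked for a password reset link and renewal pricing."}},
]

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"record {f['record']} field {f['field']}: {f['type']} {f['preview']}")
```

Every record flagged is one whose stored secret must be treated as exposed and rotated, whether or not the export itself shows signs of access.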
A Known Blind Spot Comes Home to Roost
Experts say the campaign illustrates a longstanding cloud security weakness: the misuse of OAuth tokens and app-to-app integrations.
“The attacker methodically queried and exported data across many environments,” said Cory Michal, CSO at AppOmni. “They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus and tradecraft makes this campaign stand out.”
Lawrence Pingree, technical evangelist at Dispersive.io, put it more bluntly: “The most notable thing is the use of automation to cascade the breach across multiple entities. A wide scale breach like this is an essential feature of a failure to bring security properly to the cloud and SaaS. We must realize that all these new cloud services are just that, new, and they have potentially new vulnerabilities. Attackers take advantage of the scale and duplicity in code to scale out and breach many targets instead of just one organization. That's always been the downside of monoculture protection.”
What Comes Next
Google has yet to pin down who UNC6395 is or what their ultimate aim might be. But with hundreds of organizations exposed, security teams are bracing for the possibility that the stolen credentials could reemerge in supply-chain intrusions or targeted ransomware campaigns.
For now, the campaign serves as a cautionary tale for enterprises increasingly reliant on SaaS integrations: every cloud connection is another potential weak link, and attackers are watching.