
Hackers exploit Salesloft integration to steal Salesforce data in targeted credential theft campaign

Hackers breached Salesloft’s Drift-Salesforce integration earlier this month, stealing OAuth and refresh tokens that were later used to exfiltrate sensitive customer data from Salesforce environments, the company confirmed.


The incident, which occurred between August 8 and August 18, 2025, allowed attackers to pivot from Salesloft’s SalesDrift platform into customer Salesforce instances. SalesDrift connects Drift’s AI chat agent with Salesforce, enabling organizations to sync conversations, leads, and support cases into their CRM systems.


According to a Salesloft advisory, the attackers’ primary objective was credential theft. The company said threat actors targeted AWS access keys, passwords, and Snowflake access tokens. The breach did not impact customers who do not use the Drift-Salesforce integration.


In coordination with Salesforce, Salesloft revoked all active Drift tokens and required customers to reauthenticate. Administrators have been instructed to disconnect and reconnect the integration under Salesforce settings to restore functionality.


Google’s Threat Intelligence Group (Mandiant) is tracking the actor behind the breach as UNC6395. Once inside Salesforce, investigators say the hackers issued SOQL queries to extract authentication tokens and secrets stored in support cases, enabling further intrusions into downstream platforms.


“UNC6395 targeted sensitive credentials such as Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens,” Google reported. To cover their tracks, attackers deleted query jobs but did not erase logs, which organizations are urged to review.


The attackers reportedly used Tor and cloud providers such as AWS and DigitalOcean to mask their infrastructure. Associated user-agent strings include “python-requests/2.32.4,” “Python/3.11 aiohttp/3.12.15,” and custom tools labeled “Salesforce-Multi-Org-Fetcher/1.0” and “Salesforce-CLI/1.0.” Google has published IP addresses and indicators of compromise to assist organizations in identifying affected systems.
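The reporting above gives defenders three concrete things to look for retrospectively: the published user-agent strings, SOQL reads against support cases, and deleted query jobs whose surrounding log entries survive. The following triage script is an added example, not code from Salesloft, Salesforce or Google. It runs over a constructed, simplified CSV export (the `timestamp,user,user_agent,source_ip,operation,detail` columns are an assumption for illustration, not Salesforce's real Event Monitoring schema) and flags rows that match those indicators so an analyst can pivot on the users and source IPs involved.

```python
"""Retrospective triage of API activity for the indicators described above.

Added example (not Salesloft's, Salesforce's or Google's code). The log format
is a constructed, simplified CSV; map the columns to whatever your own export
actually contains before using it.
"""
import csv
import io
from collections import Counter

# User-agent strings published as indicators in the reporting above.
KNOWN_BAD_USER_AGENTS = {
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
}

# Constructed sample export: four API events, three of which should be flagged.
# The IPs are documentation-range placeholders, not indicators from the report.
SAMPLE_LOG = """timestamp,user,user_agent,source_ip,operation,detail
2025-08-10T02:14:07Z,drift-integration,python-requests/2.32.4,203.0.113.10,SOQL,"SELECT Id, Subject, Description FROM Case"
2025-08-10T02:14:09Z,drift-integration,Salesforce-Multi-Org-Fetcher/1.0,203.0.113.10,BulkJobDelete,job 750PLACEHOLDER
2025-08-10T09:00:00Z,alice,Mozilla/5.0 (Windows NT 10.0),198.51.100.5,SOQL,"SELECT Id, Name FROM Account"
2025-08-11T02:15:00Z,drift-integration,Salesforce-CLI/1.0,203.0.113.11,SOQL,"SELECT Id, Description FROM Case WHERE CreatedDate = LAST_N_DAYS:30"
"""


def parse_log(text):
    """Parse the CSV export into a list of dict rows (one per API event)."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_events(rows):
    """Return the rows matching any indicator, each with the reasons it matched."""
    findings = []
    for row in rows:
        reasons = []
        if row["user_agent"] in KNOWN_BAD_USER_AGENTS:
            reasons.append("known-bad user agent")
        if row["operation"] == "BulkJobDelete":
            # The report notes query jobs were deleted to cover tracks while
            # the logs themselves were left intact, so deletions are worth a look.
            reasons.append("query job deleted")
        if row["operation"] == "SOQL" and " from case" in row["detail"].lower():
            # Coarse heuristic: support-case bodies were where stored
            # credentials were harvested, so bulk reads of Case deserve review.
            reasons.append("SOQL against Case")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "source_ip": row["source_ip"],
                "reasons": reasons,
            })
    return findings


def summarize_by_user(findings):
    """Count flagged events per user; an integration user should rarely top this."""
    return Counter(f["user"] for f in findings)


def suspicious_ips(findings):
    """Source IPs from flagged rows, for comparison with the published IoC list."""
    return {f["source_ip"] for f in findings}


if __name__ == "__main__":
    results = flag_events(parse_log(SAMPLE_LOG))
    for finding in results:
        print(finding["timestamp"], finding["user"], finding["source_ip"], ", ".join(finding["reasons"]))
    print("per user:", dict(summarize_by_user(results)))
    print("IPs to check against the published indicators:", sorted(suspicious_ips(results)))
```

The Case heuristic is deliberately broad; in practice you would scope it to the integration user and the August 8 to 18 window the advisory gives, and compare the resulting source IPs with the indicator list Google published rather than relying on user-agent matches alone, since those strings are trivially changed.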


While the ShinyHunters extortion group initially claimed responsibility, Google has not found evidence linking them to this particular campaign. “We’ve not seen any compelling evidence connecting them at this time,” said Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group. ShinyHunters later denied involvement in targeting Salesforce support cases.


The breach comes amid a broader wave of Salesforce attacks tied to ShinyHunters and the Scattered Spider threat group. Since early 2025, the actors have used social engineering tactics, including voice phishing, to trick employees into authorizing malicious OAuth applications, enabling large-scale CRM data theft. Victims of related campaigns include Google, Cisco, Farmers Insurance, Adidas, Qantas, and luxury brands under LVMH such as Louis Vuitton and Dior.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543