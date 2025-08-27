Hackers raided numerous corporate Salesforce instances by abusing compromised access tokens from Salesloft Drift integrations, a premium AI-powered conversational marketing platform. Cyber pros warn that OAuth tokens are becoming one of the biggest risks: unlike user sessions, they don’t expire.

Google has alerted users about a widespread data theft campaign that began on August 8th and continued through at least August 18th, 2025.

Hackers, who obtained access (OAuth) tokens associated with marketing app Salesloft Drift, “systematically exported large volumes of data from numerous corporate Salesforce instances.”

Credentials were the main target, as the threat actor, labeled UNC6395 and believed to be from China, was observed searching for secrets that could be used to compromise other victim environments.

This campaign appears distinct from the recent Salesforce instance breaches attributed to ShinyHunters and other threat actors, who used voice phishing to trick employees into installing malicious connected apps.

Drift users are advised to review their Salesforce objects for any Google Cloud Platform service account keys, as well as other credentials, such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.

“Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor,” Google Threat Intelligence Group said.

Google also suggests limiting session timeout values to shorten the lifespan of sessions.
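One defender-side way to act on that advice, as an added example that is not part of Google's or Salesloft's guidance: scan an exported set of Salesforce records for the secret types named above. The AKIA prefix is AWS's documented access-key-ID format; the GCP, Snowflake and password patterns, the choice of text fields per object, and the sample export are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Heuristic detectors for the secret types Google advised Drift users to look
# for. Only the AKIA prefix is a documented format; the rest are keyword
# heuristics (assumptions), so treat hits as leads to verify, not proof.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gcp_service_account_key": re.compile(
        r'"type"\s*:\s*"service_account"|-----BEGIN (?:RSA )?PRIVATE KEY-----'),
    "snowflake_credential": re.compile(
        r"snowflakecomputing\.com[^\n]*?(?:password|token)\s*[=:]", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I),
}

# Free-text fields on the objects the attackers exported. The field choice is
# an assumption; extend it per org (custom fields, attachments, notes).
TEXT_FIELDS = {
    "Case": ("Subject", "Description"),
    "Account": ("Description",),
    "User": ("AboutMe",),
    "Opportunity": ("Description", "NextStep"),
}

def mask(secret: str) -> str:
    """Keep enough of a hit to locate it without copying the secret into a report."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]

def scan_record(obj_type: str, record: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per pattern hit in the record's free-text fields."""
    findings = []
    for field in TEXT_FIELDS.get(obj_type, ()):
        value = record.get(field)
        if not isinstance(value, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(value):
                findings.append({"object": obj_type, "id": record.get("Id", ""),
                                 "field": field, "type": kind, "match": mask(m.group(0))})
    return findings

def scan_export(records: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Scan a {object_type: [record, ...]} export, e.g. the result of a SOQL dump."""
    return [f for obj, recs in records.items() for r in recs for f in scan_record(obj, r)]

# Constructed sample export; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_EXPORT = {
    "Case": [{"Id": "500-1", "Subject": "S3 sync failing",
              "Description": "try key AKIAIOSFODNN7EXAMPLE, secret is in the ticket"}],
    "Account": [{"Id": "001-1", "Description": "Renewal due Q4"}],
    "Opportunity": [{"Id": "006-1", "NextStep": "call",
                     "Description": "DW: https://acme.snowflakecomputing.com token=xyz-constructed"}],
}
```

Each finding names the object, record Id and field, which is what you need to locate the record, rotate the credential and check whether it was used after August 8th.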

Salesforce has removed the Drift application from the Salesforce AppExchange until further notice. Google confirmed that the issue did not stem from a vulnerability within the core Salesforce platform, but rather from the compromised Drift access tokens.

“We took immediate action to proactively revoke all active access and refresh tokens for the Drift application. As a result, administrators must re-authenticate their Salesforce connection to re-enable the integration,” Drift said in its security advisory.

The firm acknowledges that the hackers executed queries to retrieve information associated with various Salesforce objects, including Cases, Accounts, Users, and Opportunities.

The companies did not disclose how the hackers obtained access tokens from the compromised Salesloft Drift integration.

OAuth tokens turning against users

Cory Michal, CSO of AppOmni, warns that the incident is yet another example of how integrated apps open doors to attackers, enabling broader access. The firm assesses that UNC6395 is a Chinese threat actor.

“The lateral movement is made possible by the abuse of admin OAuth tokens from lesser-known SaaS (software-as-a-service) apps to compromise business-critical applications,” the blog post reads.

“Unlike user sessions, OAuth tokens often don’t expire.”

Many third-party apps request full data access to these platforms, requests that are approved without proper review, and most organizations don’t monitor the add-ons afterwards.


“We regularly see the compromise and abuse of OAuth2 tokens and SaaS-to-SaaS integrations. They’ve long been a known blind spot in most enterprise security programs. What did surprise me was the sheer scale and the methodical discipline the attackers demonstrated,” Michal said.

The attacks appear to be highly coordinated. The level of planning and execution suggests a state-sponsored adversary pursuing a broader mission.

“Hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments,” Michal noted.

The expert warns that OAuth use and third-party app integrations represent “one of the largest risks and blind spots for organizations today.”

Once an integration is compromised, attackers can operate with the same level of access granted to that app, often bypassing traditional MFA controls. The risk is compounded if organizations are insecurely storing secrets, API keys, or credentials in Salesforce objects.

Many of the compromised organizations were security and technology companies, which will likely lead to a broader supply chain compromise.

“By first infiltrating vendors and service providers, the attackers put themselves in a position to pivot into downstream customers and partners,” Michal warns.