Data Leak Incident

Salesloft Drift OAuth abuse exposes Salesforce customer data

Updated 08.10.2025 03:17

Case score 56

Case score 56 Members 2 Latest activity 08.10.2025 03:17

Members 2 First seen 27.08.2025 12:39 Last seen 01.09.2025 20:00 Updated 08.10.2025 03:17

Overview

**Salesloft Drift** token abuse led to bulk exfiltration from connected **Salesforce** customer environments, with attackers pulling corporate records and credential material that could support follow-on compromise. **Zscaler** later disclosed a related Salesforce exposure through the same integration path, showing that the activity had already produced at least one separate victim environment and CRM data loss. Salesloft and Salesforce revoked active tokens, and affected organizations were told to review logs, rotate credentials, and treat exposed data as compromised.

Key facts

Compromised **OAuth** tokens tied to **Salesloft Drift** were used to export large volumes of data from connected **Salesforce** environments.
The stolen material included **AWS access keys**, passwords, and **Snowflake**-related access tokens.
Available evidence says the actor searched exfiltrated data for secrets and deleted query jobs.
**Zscaler** later disclosed related access to its **Salesforce** instance through the same **Salesloft Drift** path, with names, contact details, licensing data, and some support case content exposed.
Salesloft and Salesforce revoked active access and refresh tokens, and **Zscaler** revoked the integrations and rotated other API tokens.
Available evidence still does not define the full downstream use of the stolen data or the total blast radius.

Malware context

2 families · 6 tools

Tools

Salesloft Drift BreachForums Gitleaks Salesloft's Drift Salesloft's Drift AI Trufflehog

Signals

3 derived

Affected impact

Exposed data

Threat context

Tooling

Data exposure

Data Passwords

Member happenings

2 related

Data Leak Salesloft Drift Salesforce data exfiltration via OAuth token abuse

Updated 27.08.2025 12:39 Lead Contribution 55

Data Status Partially Leaked Data Type Passwords

A **Salesloft Drift** compromise led to **data exfiltration** from connected **Salesforce customer instances** in **August 2025**, with attackers using **compromised OAuth tokens** to pull large volumes of data from affected environments. The stolen material included corporate records and credentials such as **AWS access keys**, passwords, and **Snowflake-related access tokens**, raising the risk of follow-on compromise. The campaign affected **hundreds of organizations** and was attributed to **UNC6395**, with defenders urged to review logs, revoke keys, and rotate credentials. The **FBI** later warned that **UNC6040 (ShinyHunters)** and **UNC6395** are targeting **Salesforce customers** for **data theft** and **extortion**. The advisory says **UNC6040** has used **vishing/social engineering** since **October 2024** to pose as IT support and abuse **malicious apps** and API calls, while **UNC6395** used **stolen OAuth tokens** from **Salesloft Drift** to compromise Salesforce-connected victims. It also notes follow-on **extortion emails**, provides **IP addresses and URLs** tied to the activity, and recommends **phishing-resistant MFA**, **AAA controls**, **IP-based access restrictions**, and review of third-party connections. On **October 3, 2025**, **Scattered Lapsus$ Hunters** launched a **new data leak site** to extort **39 companies** affected by the Salesforce attacks, posting samples of data allegedly stolen from victims' **Salesforce instances** and warning disclosure would begin before the **October 10 deadline**. The site includes well-known victims such as **FedEx**, **Disney/Hulu**, **Home Depot**, **Marriott**, **Google**, **Cisco**, **Toyota**, **Gap**, **McDonald's**, **Walgreens**, **Instacart**, **Cartier**, **Adidas**, **Air France & KLM**, **Transunion**, **HBO MAX**, **UPS**, **Chanel**, and **IKEA**. The group also added a separate demand that **Salesforce** pay a ransom to stop disclosure of roughly **1 billion records** containing personal information, while claiming the broader Salesloft Drift thefts affected about **760 companies** and **1.5 billion Salesforce records**. **Stellantis** separately confirmed that attackers accessed a **third-party service provider platform** supporting its **North American customer service operations** and stole customer contact information. The company said the compromised platform did not store financial or other sensitive personal information, and it activated incident response, notified authorities, informed affected customers, and warned about possible phishing attempts. Reporting also says **ShinyHunters** claimed responsibility and alleged it stole **over 18 million Salesforce records** from Stellantis. **Cloudflare**, **Palo Alto Networks**, and **Zscaler** later confirmed they were among the organizations impacted by the same **Salesforce-Salesloft Drift** campaign. **Palo Alto Networks** said attackers exposed customer data and support cases after abusing **compromised OAuth tokens** to access its Salesforce instance, and it said it contained the incident and disabled the application from its Salesforce environment. **Cloudflare** said the attackers used Salesloft integration credentials to access its Salesforce instance, ran queries for several days, and exfiltrated a database in roughly three minutes using **Salesforce Bulk API 2.0** on **August 17**. **Zscaler** said stolen data from its Salesforce instance included names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases. Cloudflare also said it found **104 Cloudflare API tokens** in the stolen data and rotated them.

View happening

Incident Zscaler hit by cyberattack

Updated 01.09.2025 20:00 Scoring Support Contribution 1

Incident Disclosed Extortion None

**Zscaler** confirmed a **data breach** in its **Salesforce instance**, where unauthorized actors obtained customer information and some **support case content**. The exposed records included contact details, regional information, and product licensing data, creating **phishing** and **social-engineering** risk. Zscaler said the impact was limited to its Salesforce environment and that **no products, services, or infrastructure** were affected.

View happening