Find notable cyber news and cases, enriched with sources, timelines, and signals.
Data Leak Incident

Salesloft Drift OAuth abuse exposes Salesforce customer data

Updated 08.10.2025 03:17
Case score 56
Case score 56 Members 2 Latest activity 08.10.2025 03:17
Members 2 First seen 27.08.2025 12:39 Last seen 01.09.2025 20:00 Updated 08.10.2025 03:17

Overview

**Salesloft Drift** token abuse led to bulk exfiltration from connected **Salesforce** customer environments, with attackers pulling corporate records and credential material that could support follow-on compromise. **Zscaler** later disclosed a related Salesforce exposure through the same integration path, showing that the activity had already produced at least one separate victim environment and CRM data loss. Salesloft and Salesforce revoked active tokens, and affected organizations were told to review logs, rotate credentials, and treat exposed data as compromised.

Signals

6 derived
Impact signals
Affected impact
Exposed data
Remediation
Patch No Patch
Status
Incident status Disclosed
Threat context
Tooling
Data exposure
Data Passwords Leak status Partially Leaked

Malware context

2 families · 6 tools
Tools
Salesloft Drift BreachForums Gitleaks Salesloft's Drift Salesloft's Drift AI Trufflehog

Member happenings

2 related
Data Leak Salesloft Drift Salesforce data exfiltration via OAuth token abuse
Updated 27.08.2025 12:39 Lead Contribution 55
Data Type Passwords Data Status Partially Leaked

A **Salesloft Drift** compromise led to **data exfiltration** from connected **Salesforce customer instances** in **August 2025**, with attackers using **compromised OAuth tokens** to pull large volumes of data from affected environments. The stolen material included corporate records and credentials such as **AWS access keys**, passwords, and **Snowflake-related access tokens**, raising the risk of follow-on compromise. The campaign affected **hundreds of organizations** and was attributed to **UNC6395**, with defenders urged to review logs, revoke keys, and rotate credentials. The **FBI** later warned that **UNC6040 (ShinyHunters)** and **UNC6395** are targeting **Salesforce customers** for **data theft** and **extortion**. The advisory says **UNC6040** has used **vishing/social engineering** since **October 2024** to pose as IT support and abuse **malicious apps** and API calls, while **UNC6395** used **stolen OAuth tokens** from **Salesloft Drift** to compromise Salesforce-connected victims. It also notes follow-on **extortion emails**, provides **IP addresses and URLs** tied to the activity, and recommends **phishing-resistant MFA**, **AAA controls**, **IP-based access restrictions**, and review of third-party connections. On **October 3, 2025**, **Scattered Lapsus$ Hunters** launched a **new data leak site** to extort **39 companies** affected by the Salesforce attacks, posting samples of data allegedly stolen from victims' **Salesforce instances** and warning disclosure would begin before the **October 10 deadline**. The site includes well-known victims such as **FedEx**, **Disney/Hulu**, **Home Depot**, **Marriott**, **Google**, **Cisco**, **Toyota**, **Gap**, **McDonald's**, **Walgreens**, **Instacart**, **Cartier**, **Adidas**, **Air France & KLM**, **Transunion**, **HBO MAX**, **UPS**, **Chanel**, and **IKEA**. The group also added a separate demand that **Salesforce** pay a ransom to stop disclosure of roughly **1 billion records** containing personal information, while claiming the broader Salesloft Drift thefts affected about **760 companies** and **1.5 billion Salesforce records**. **Stellantis** separately confirmed that attackers accessed a **third-party service provider platform** supporting its **North American customer service operations** and stole customer contact information. The company said the compromised platform did not store financial or other sensitive personal information, and it activated incident response, notified authorities, informed affected customers, and warned about possible phishing attempts. Reporting also says **ShinyHunters** claimed responsibility and alleged it stole **over 18 million Salesforce records** from Stellantis. **Cloudflare**, **Palo Alto Networks**, and **Zscaler** later confirmed they were among the organizations impacted by the same **Salesforce-Salesloft Drift** campaign. **Palo Alto Networks** said attackers exposed customer data and support cases after abusing **compromised OAuth tokens** to access its Salesforce instance, and it said it contained the incident and disabled the application from its Salesforce environment. **Cloudflare** said the attackers used Salesloft integration credentials to access its Salesforce instance, ran queries for several days, and exfiltrated a database in roughly three minutes using **Salesforce Bulk API 2.0** on **August 17**. **Zscaler** said stolen data from its Salesforce instance included names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases. Cloudflare also said it found **104 Cloudflare API tokens** in the stolen data and rotated them.

Incident Zscaler hit by cyberattack
Updated 01.09.2025 20:00 Scoring Support Contribution 1
Extortion None Incident Disclosed Patch No Patch

**Zscaler** confirmed a **data breach** in its **Salesforce instance**, where unauthorized actors obtained customer information and some **support case content**. The exposed records included contact details, regional information, and product licensing data, creating **phishing** and **social-engineering** risk. Zscaler said the impact was limited to its Salesforce environment and that **no products, services, or infrastructure** were affected.