
Salesloft Drift Salesforce data exfiltration via OAuth token abuse

Data Leak
Happening score: 55
4 unique sources, 10 articles

Summary


A Salesloft Drift compromise led to data exfiltration from connected Salesforce customer instances in August 2025, with attackers using compromised OAuth tokens to pull large volumes of data from affected environments. The stolen material included corporate records and credentials such as AWS access keys, passwords, and Snowflake-related access tokens, raising the risk of follow-on compromise. The campaign affected hundreds of organizations and was attributed to UNC6395, with defenders urged to review logs, revoke keys, and rotate credentials. The FBI later warned that UNC6040 (ShinyHunters) and UNC6395 are targeting Salesforce customers for data theft and extortion. The advisory says UNC6040 has used vishing and other social engineering since October 2024 to pose as IT support and abuse malicious apps and API calls, while UNC6395 used OAuth tokens stolen from Salesloft Drift to compromise Salesforce-connected victims. It also notes follow-on extortion emails, provides IP addresses and URLs tied to the activity, and recommends phishing-resistant MFA, AAA controls, IP-based access restrictions, and review of third-party connections. On October 3, 2025, Scattered Lapsus$ Hunters launched a new data leak site to extort 39 companies affected by the Salesforce attacks, posting samples of data allegedly stolen from victims' Salesforce instances and warning that disclosure would begin before the October 10 deadline. The site lists well-known victims such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA. The group also added a separate demand that Salesforce pay a ransom to stop disclosure of roughly 1 billion records containing personal information, while claiming the broader Salesloft Drift thefts affected about 760 companies and 1.5 billion Salesforce records.
Stellantis separately confirmed that attackers accessed a third-party service provider platform supporting its North American customer service operations and stole customer contact information. The company said the compromised platform did not store financial or other sensitive personal information, and it activated incident response, notified authorities, informed affected customers, and warned about possible phishing attempts. Reporting also says ShinyHunters claimed responsibility and alleged it stole over 18 million Salesforce records from Stellantis. Cloudflare, Palo Alto Networks, and Zscaler later confirmed they were among the organizations impacted by the same Salesforce/Salesloft Drift campaign. Palo Alto Networks said attackers exposed customer data and support cases after abusing compromised OAuth tokens to access its Salesforce instance, and that it contained the incident and disabled the application in its Salesforce environment. Cloudflare said the attackers used Salesloft integration credentials to access its Salesforce instance, ran queries for several days, and on August 17 exfiltrated a database in roughly three minutes using Salesforce Bulk API 2.0. Zscaler said stolen data from its Salesforce instance included names, business email addresses, phone numbers, job titles, location details, licensing information, and plain-text content from certain support cases. Cloudflare also said it found 104 Cloudflare API tokens in the stolen data and rotated them.

Cases

Related Happenings

Moltbook wide-open database exposure

Data Leak
First: 22.04.2026 13:41 Last: 22.04.2026 13:41 Sources 1

About this happening: The **Moltbook** database exposure placed **35,000 email addresses** and **1.5 million agent API tokens** at risk, creating immediate potential for account hijacking and credentia...

Scattered Spider SMS phishing and SIM-swap crypto theft campaign

Campaign
First: 20.04.2026 16:33 Last: 20.04.2026 16:33 Sources 1

About this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

Over a dozen companies data exposed after SaaS integration provider Snowflake breach

Data Leak
First: 07.04.2026 22:39 Last: 07.04.2026 22:39 Sources 1

About this happening: A stolen-token attack from a **SaaS integration provider breach** has led to data theft claims affecting **over a dozen companies**, creating immediate exposure and extortion risk...

Timeline

  1. 03.10.2025 17:16 3 articles · 7mo ago

    Scattered Lapsus$ Hunters launch Salesforce data leak site for 39 victims

    Campaign Scope Update

    Scattered Lapsus$ Hunters launched a new data leak site to extort 39 companies affected by Salesforce breaches, posting samples of data allegedly stolen from victims' Salesforce instances and warning them to contact the group before an October 10 deadline. Scattered Lapsus$ Hunters also added a separate demand that Salesforce pay a ransom to stop disclosure of roughly 1 billion records containing personal information.

  2. 22.09.2025 21:01 2 articles · 8mo ago

    Stellantis confirms customer data theft in ShinyHunters-linked breach

    Victim Impact Update

    Stellantis confirmed that attackers accessed a third-party service provider platform supporting its North American customer service operations and stole customer contact information, and ShinyHunters claimed responsibility for the breach and said it took over 18 million Salesforce records from Stellantis.

  3. 08.09.2025 23:17 1 article · 8mo ago

    Mandiant traces Salesloft GitHub compromise and Drift token theft

    Technical Analysis Update

    Mandiant determined that Salesloft’s GitHub account was compromised as early as March, that UNC6395 downloaded data from multiple Salesloft repositories and conducted reconnaissance across the Salesloft and Drift environments between March and June, and that the actor later reached Drift’s AWS environment to steal OAuth tokens for customer integrations beyond Salesforce.

  4. 27.08.2025 22:05 3 articles · 9mo ago

    Google reports UNC6395 Salesforce data theft via Salesloft Drift

    Initial Disclosure

    Google said UNC6395 abused OAuth tokens tied to Salesloft Drift to carry out a widespread data theft campaign against numerous corporate Salesforce instances, exporting large volumes of data to harvest sensitive credentials such as AWS access keys (AKIA), passwords, and Snowflake-related access tokens. Google also said the actor searched stolen data for secrets that could be used to compromise victim environments and deleted query jobs to cover tracks, while advising affected organizations to treat Salesforce data as compromised, rotate credentials, review Salesforce Event Monitoring logs, and search for exposed secrets; Salesloft and Salesforce revoked active access and refresh tokens for the Drift application, removed the app from Salesforce AppExchange, and notified impacted organizations.

  5. 20.08.2025 03:00 1 article · 9mo ago

    Salesloft issues Drift security advisory

    Initial Disclosure

    Salesloft said on August 20, 2025 that it identified a security issue in the Drift application, proactively revoked connections between Drift and Salesforce, and told administrators that the issue does not affect customers who do not integrate with Salesforce.
