Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
Summary
A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks. The FBI has issued a flash alert to release indicators of compromise (IoCs) associated with UNC6395 and UNC6040 for data theft and extortion attacks targeting Salesforce platforms. 
UNC6040, active since October 2024, engages in vishing campaigns to hijack Salesforce instances. ShinyHunters, Scattered Spider, and LAPSUS$ have teamed up to consolidate criminal efforts, but the group 'scattered LAPSUS$ hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention.
Timeline
- 13.09.2025 12:04 · 1 article
FBI issues IoCs for UNC6395 and UNC6040 targeting Salesforce platforms
The FBI has released indicators of compromise (IoCs) for UNC6040 and UNC6395, detailing their data theft and extortion attacks on Salesforce platforms. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application in August 2025, leading Salesloft to isolate the Drift infrastructure and take the AI chatbot application offline. Salesloft is implementing new multi-factor authentication processes and GitHub hardening measures. UNC6040, active since October 2024, engages in vishing campaigns to hijack Salesforce instances and has been involved in extortion activities. ShinyHunters, Scattered Spider, and LAPSUS$ have teamed up to consolidate criminal efforts, but the group 'scattered LAPSUS$ hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. The FBI's alert highlights the ongoing risks posed by these threat actors, emphasizing the need for organizations to remain vigilant and review all third-party integrations connected to their Drift instance. The shutdown of 'scattered LAPSUS$ hunters 4.0' may be temporary, with the group potentially rebranding and resurfacing under new names.
Sources:
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- 08.09.2025 23:17 · 1 article
Salesloft's GitHub account compromise and its implications
GitHub account compromise, as in Salesloft's case, has been a rich attack vector for a variety of threat actors in recent years, for everything from code poisoning campaigns to developer-focused supply chain attacks. GitGuardian's 2025 'State of Secrets Sprawl' report detected more than 23.7 million secrets contained in public commits in 2024, a sizeable increase from approximately 19 million secrets detected the previous year. Cloudflare rotated 104 compromised API tokens found in the exfiltrated data. Salesloft confirmed that the campaign did not affect customers who don't use the company's Drift-Salesforce integration. Salesforce restored integrations with Salesloft products and technologies with the exception of any Drift app. Drift will remain disabled until further notice as part of the continued response to the security incident.
Sources:
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- 08.09.2025 18:43 · 1 article
Multiple threat actors involved in Salesloft Drift attacks
UNC6395, ShinyHunters, and Scattered Spider were involved in the Salesloft Drift attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The attackers used automated tools, including custom Python scripts, to steal data from Salesforce objects. The campaign targeted support cases to identify sensitive data, such as authentication tokens, passwords, and cloud secrets. The threat actor deleted logs and used Tor to evade detection. The list of affected organizations includes Google, Zscaler, Cloudflare, Workiva, Tenable, JFrog, Bugcrowd, Proofpoint, and Palo Alto Networks, among others.
Sources:
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- 08.09.2025 18:26 · 3 articles
Initial breach vector identified and mitigation actions taken
The breach began with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the account, downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities were detected in the Salesloft and Drift application environments during the same period. Mandiant confirmed that the attackers performed reconnaissance activities in Salesloft and Drift environments between March and June 2025. The activity escalated after the threat actors breached Drift's AWS environment, allowing them to steal the OAuth tokens used to access customer data across technology integrations, including Salesforce and Google Workspace. Salesloft rotated credentials, hardened defenses, and verified segmentation from Drift, which had its infrastructure isolated and credentials also rotated. Mandiant validated containment and segmentation, and engagement has now shifted to forensic quality assurance review. The Salesloft integration with Salesforce was restored on September 7, 2025, following the precautionary suspension triggered by the Drift security incident. 22 companies have confirmed impacts from the supply chain breach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
Sources:
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- 04.09.2025 19:52 · 1 article
Uncertainty remains regarding the blast radius and severity of the Salesloft Drift attacks
The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials.
Sources:
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- 03.09.2025 12:53 · 1 article
Cloudflare, Palo Alto Networks, and Zscaler confirm data breaches due to Salesloft Drift compromise
On September 3, 2025, Cloudflare, Palo Alto Networks, and Zscaler reported data breaches resulting from the Salesloft Drift compromise. UNC6395 accessed customer information from their Salesforce instances, including names, business email addresses, job titles, phone numbers, regional details, product licensing information, and support case content. The attackers used Salesloft integration credentials to access Salesforce instances and exfiltrated data using Salesforce Bulk API 2.0. Cloudflare identified and rotated 104 compromised API tokens found in the exfiltrated data. The threat actor may use harvested credentials and customer information for future targeted attacks against affected organizations. The breach highlights the risks of third-party integrations and the potential for supply chain attacks.
Sources:
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- 03.09.2025 06:53 · 1 article
Salesloft to take Drift offline to enhance security
Salesloft will temporarily take Drift offline to review and enhance security. The breach impacts all platforms integrated with Drift, not just Salesforce. Salesforce has temporarily disabled all Salesloft integrations with Salesforce, Slack, and Pardot. The affected organizations include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, and Zscaler. UNC6395 may use harvested credentials and customer information for future attacks. The breach is part of a broader supply chain attack strategy targeting security and technology companies. The threat actor systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
Sources:
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- 02.09.2025 22:54 · 1 article
Cloudflare confirms data breach due to Salesloft Drift compromise
On September 2, 2025, Cloudflare reported a data breach resulting from the Salesloft Drift compromise. UNC6395 accessed customer information from Cloudflare's Salesforce instance, including names, business email addresses, job titles, phone numbers, regional details, product licensing information, and support case content. Cloudflare has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened authentication protocols. The breach's scope includes both Drift Salesforce and Drift Email integrations. The attackers used automated tools, including custom Python scripts, to steal data from Salesforce objects. The campaign targeted support cases to identify sensitive data, such as authentication tokens, passwords, and cloud secrets. The threat actor deleted logs and used Tor to evade detection. Cloudflare advises customers to investigate potential compromises and review all Drift integrations.
Sources:
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- 02.09.2025 15:00 · 1 article
Palo Alto Networks confirms data breach due to Salesloft Drift compromise
On September 2, 2025, Palo Alto Networks reported a data breach resulting from the Salesloft Drift compromise. UNC6395 accessed customer information from Palo Alto Networks' Salesforce instance, including names, business email addresses, job titles, phone numbers, regional details, product licensing information, and support case content. Palo Alto Networks has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened authentication protocols. The breach's scope includes both Drift Salesforce and Drift Email integrations. The attackers used automated tools, including custom Python scripts, to steal data from Salesforce objects. The campaign targeted support cases to identify sensitive data, such as authentication tokens, passwords, and cloud secrets. The threat actor deleted logs and used Tor to evade detection. Palo Alto Networks advises customers to investigate potential compromises and review all Drift integrations.
Sources:
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- 01.09.2025 20:00 · 1 article
Zscaler confirms data breach due to Salesloft Drift compromise
On September 1, 2025, Zscaler reported a data breach resulting from the Salesloft Drift compromise. UNC6395 accessed customer information from Zscaler's Salesforce instance, including names, business email addresses, job titles, phone numbers, regional details, product licensing information, and support case content. Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened authentication protocols. Google Threat Intelligence confirmed the targeting of sensitive credentials by UNC6395. The breach's scope includes both Drift Salesforce and Drift Email integrations. Some researchers suggest a potential overlap with ShinyHunters' recent Salesforce data theft attacks.
Sources:
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- 29.08.2025 10:24 · 1 article
Breach scope expands to all Drift integrations, including Google Workspace
On August 9, 2025, UNC6395 accessed email from a small number of Google Workspace accounts via compromised OAuth tokens for the Drift Email integration. Google revoked specific OAuth tokens granted to the Drift Email application and disabled the integration functionality between Google Workspace and Salesloft Drift. Salesforce has temporarily disabled all Salesloft integrations with Salesforce, Slack, and Pardot. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.
Sources:
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- 27.08.2025 12:39 · 4 articles
Salesloft OAuth breach via Drift AI chat agent exposes Salesforce customer data
Between August 8 and 18, 2025, UNC6395 exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access Salesforce customer data. The attackers targeted Salesforce instances, exporting large volumes of data, including credentials and access tokens. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. The threat actor systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review Salesforce objects for any Google Cloud Platform service account keys, search for sensitive information and secrets, and take appropriate remediation steps. Cloudflare, Palo Alto Networks, and Zscaler confirmed their Salesforce instances were compromised. The attackers used Salesloft integration credentials to access Salesforce instances and exfiltrated data using Salesforce Bulk API 2.0. Cloudflare identified and rotated 104 compromised API tokens found in the exfiltrated data. The threat actor may use harvested credentials and customer information for future targeted attacks against affected organizations.
Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
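The remediation step above (review exported Salesforce objects for GCP service account keys and other secrets) as an added example written for this page; it is not code from Salesloft, Salesforce or Google. It assumes support cases were exported to a list of dicts with CaseNumber, Subject and Description fields, uses the AWS documentation's well-known example key values in constructed sample cases, and treats the Snowflake and "key=value" credential patterns as heuristics.

```python
"""Scan exported Salesforce support-case text for the secret types the
Salesloft Drift campaign harvested: AWS access keys, GCP service account
keys, Snowflake-related credentials and plaintext passwords.

Added example (not Salesloft/Salesforce/Google code). Assumption: cases
were exported, e.g. with the Bulk API, into dicts with CaseNumber,
Subject and Description. Patterns other than the AWS key ID format and
the GCP service-account JSON layout are heuristics."""
from __future__ import annotations

import json
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary STS) + 16 uppercase alnum.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Heuristic (assumption): a Snowflake account host in the same case marks credentials as Snowflake-related.
SNOWFLAKE_HOST = re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I)
# Heuristic: 'name=value' / 'name: value' where the name ends in a credential keyword.
CRED_ASSIGN = re.compile(
    r"(?i)([\w.-]*(?:password|passwd|pwd|token|secret|api[_-]?key|access[_-]?key))"
    r"[\"']?\s*[:=]\s*[\"']?([^\s\"',;]+)"
)
# GCP service-account key files are JSON objects with "type": "service_account" and a "private_key".
GCP_SA_JSON = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}', re.S)


@dataclass(frozen=True)
class Finding:
    case_number: str
    kind: str
    evidence: str  # redacted; the full secret is never carried in a finding


def _redact(value: str) -> str:
    """Keep only a prefix/suffix so the report can be shared without leaking the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def _gcp_service_account_keys(text: str) -> list[str]:
    """Return the client_email of every embedded GCP service-account key in the text."""
    hits = []
    for m in GCP_SA_JSON.finditer(text):
        try:
            obj = json.loads(m.group(0))
        except json.JSONDecodeError:
            continue  # looked like a key file but is not valid JSON
        if "private_key" in obj:
            hits.append(obj.get("client_email", "<unknown client_email>"))
    return hits


def scan_cases(cases: list[dict]) -> list[Finding]:
    """Scan Subject + Description of each case and return redacted findings."""
    findings: list[Finding] = []
    for case in cases:
        num = str(case.get("CaseNumber", "?"))
        text = " ".join(str(case.get(f, "")) for f in ("Subject", "Description"))
        for m in AWS_KEY_ID.finditer(text):
            findings.append(Finding(num, "aws_access_key_id", _redact(m.group(0))))
        for email in _gcp_service_account_keys(text):
            findings.append(Finding(num, "gcp_service_account_key", email))
        cred_kind = "snowflake_credential" if SNOWFLAKE_HOST.search(text) else "plaintext_credential"
        for m in CRED_ASSIGN.finditer(text):
            findings.append(Finding(num, cred_kind, f"{m.group(1)}={_redact(m.group(2))}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per secret type; the numbers drive which credentials to rotate first."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample export. The AWS values are the example key pair from AWS's own documentation.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "S3 sync failing",
     "Description": "Here is our IAM user: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001002", "Subject": "Warehouse connector",
     "Description": "Connecting to acme-xy12345.snowflakecomputing.com, user=ETL_SVC password=Winter2025!"},
    {"CaseNumber": "00001003", "Subject": "Pub/Sub permissions",
     "Description": 'Attached key: {"type": "service_account", "project_id": "demo-proj", '
                    '"private_key_id": "0123abcd", '
                    '"private_key": "-----BEGIN PRIVATE KEY-----REDACTED-----END PRIVATE KEY-----", '
                    '"client_email": "etl@demo-proj.iam.gserviceaccount.com"}'},
    {"CaseNumber": "00001004", "Subject": "Login page 404",
     "Description": "Our customers see a 404 on /login after the update."},
]


def main() -> None:
    findings = scan_cases(SAMPLE_CASES)
    for f in findings:
        print(f"case {f.case_number}: {f.kind} ({f.evidence})")
    print(summarize(findings))


if __name__ == "__main__":
    main()
```

Run the same scanner over a real Bulk API export of the Case object; every finding maps to a credential that should be treated as exposed and rotated.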
Information Snippets
- The breach occurred between August 8 and 18, 2025.
First reported: 27.08.2025 12:39 · 4 sources, 13 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- UNC6395 targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
First reported: 27.08.2025 12:39 · 4 sources, 13 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- The threat actor exported large volumes of data, including AWS access keys, passwords, and Snowflake-related access tokens.
First reported: 27.08.2025 12:39 · 4 sources, 9 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- Salesloft identified the security issue on August 20, 2025, and revoked connections between Drift and Salesforce.
First reported: 27.08.2025 12:39 · 3 sources, 4 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- Salesforce confirmed that a small number of customers were impacted.
First reported: 27.08.2025 12:39 · 3 sources, 4 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- UNC6395 demonstrated operational security awareness by deleting query jobs.
First reported: 27.08.2025 12:39 · 4 sources, 8 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- Salesloft and Salesforce collaborated to invalidate active Access and Refresh Tokens and remove Drift from AppExchange.
First reported: 27.08.2025 12:39 · 3 sources, 5 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google: Salesforce Attacks Stemmed From Third-Party App — www.darkreading.com — 27.08.2025 22:05
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- Salesloft has engaged Mandiant and Coalition to investigate the breach and facilitate containment and remediation efforts.
First reported: 27.08.2025 12:39 · 3 sources, 7 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce — thehackernews.com — 29.08.2025 10:24
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- Salesloft: March GitHub repo breach led to Salesforce data theft attacks — www.bleepingcomputer.com — 08.09.2025 18:43
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- The breach may be part of a broader supply chain attack strategy targeting security and technology companies.
First reported: 27.08.2025 12:39 · 4 sources, 10 articles. Sources:
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data — thehackernews.com — 27.08.2025 12:39
- Zscaler data breach exposes customer info after Salesloft Drift compromise — www.bleepingcomputer.com — 01.09.2025 20:00
- Palo Alto Networks data breach exposes customer info, support cases — www.bleepingcomputer.com — 02.09.2025 15:00
- Cloudflare hit by data breach in Salesloft Drift supply chain attack — www.bleepingcomputer.com — 02.09.2025 22:54
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations — thehackernews.com — 03.09.2025 06:53
- Security Firms Hit by Salesforce–Salesloft Drift Breach — www.securityweek.com — 03.09.2025 12:53
- Blast Radius of Salesloft Drift Attacks Remains Uncertain — www.darkreading.com — 04.09.2025 19:52
- GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies — thehackernews.com — 08.09.2025 18:26
- Salesloft Breached via GitHub Account Compromise — www.darkreading.com — 08.09.2025 23:17
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
Similar Happenings
The Gentlemen Ransomware Gang Exploits Vulnerable Driver to Disable Security Tools
The Gentlemen ransomware gang has been observed using a vulnerable driver to disable security products in targeted networks. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to exploit a high-severity vulnerability in the ThrottleStop driver, allowing them to terminate antivirus and extended detection and response (EDR) processes. The group has demonstrated advanced capabilities and adaptability, posing a significant threat to enterprise environments. The gang uses ThrottleBlood.sys, a renamed version of the legitimate ThrottleStop.sys driver, to exploit CVE-2025-7771. This vulnerability allows the ransomware to gain kernel-level access, disabling security measures and facilitating file encryption. The Gentlemen have also been observed using customized tools and in-depth reconnaissance to tailor their attacks to specific security solutions.
Evolved Vidar Infostealer Campaigns Target Windows Environments
The Vidar infostealer, first tracked in late 2018, has evolved with new obfuscation techniques and enhanced stealth capabilities. This malware-as-a-service targets Windows environments, stealing credentials, financial data, and other sensitive information. It spreads through social engineering, malicious websites, and malvertising campaigns. The latest iteration uses encrypted command-and-control (C2) channels, Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods to evade detection. The malware employs PowerShell scripts for stealthy payload retrieval, disguises traffic as legitimate PowerShell activity, and uses exponential backoff with jitter to avoid detection. It also attempts to bypass Windows Defender and Antimalware Scan Interface (AMSI) to maintain persistence and evade defenses. The C2 server used for data exfiltration is TLS-encrypted.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.