UNC6395 Salesloft Drift token-theft campaign

Campaign
First reported
Last updated
Happening score: 48
1 unique source, 1 article

Summary

The UNC6395 campaign against Salesloft Drift has widened into a multi-victim disclosure wave, increasing uncertainty about how many customer environments were exposed. Stolen OAuth and refresh tokens from the Salesforce integration were used to move laterally into customer systems and steal data. Reported impacts range from business contact details to support content that may include tokens or passwords. The operation’s true blast radius remains unresolved as additional victims continue to assess exposure.

Related Happenings

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

ShinyHunters widespread Okta SSO data theft campaign

Campaign
First: 03.04.2026 20:41 Last: 03.04.2026 20:41 Sources 1

About this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...

DPRK-linked cryptoasset theft campaign continuing into 2026

Campaign
First: 03.04.2026 11:35 Last: 03.04.2026 11:35 Sources 1

About this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...

Timeline

  1. 04.09.2025 19:52 2 articles · 8mo ago

    UNC6395 Salesloft Drift token theft campaign widens across customer environments

    Campaign Scope Update

    UNC6395 stole OAuth and refresh tokens from Salesloft's Salesforce integration during Aug. 8-18, used those tokens to move laterally into certain Salesloft customer environments, and triggered downstream breach disclosures from organizations including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Salesloft revoked active access and refresh tokens in Drift, Salesforce disabled all Salesloft integrations to Salesforce until further notice, and Google warned Drift customers to treat authentication tokens stored in or connected to Drift as potentially compromised. The campaign's full blast radius remains unclear.
