Salesloft breach linked to theft of Drift OAuth tokens used to access Salesforce, Google says UNC6395 behind attack

Hackers breached the Salesloft platform to steal OAuth and refresh tokens tied to its Drift chat integration with Salesforce, enabling data exfiltration from customer environments between August 8 and August 18, 2025. Salesloft described the incident as a targeted data theft campaign that focused on credentials, including AWS access keys and Snowflake tokens, through its Drift-Salesforce integration. Salesloft's advisory noted that the incident did not appear to affect customers who were not using the Drift-Salesforce connection, and that investigators do not currently see ongoing malicious activity tied to the breach.

In response, Salesloft, working with Salesforce, revoked all active access and refresh tokens for the Drift integration and directed customers to re-authenticate. Admins are advised to go to Settings > Integrations > Salesforce, disconnect the integration, and reconnect using valid Salesforce credentials.

Google’s Threat Intelligence team said that the actor, tracked by Mandiant as UNC6395, after obtaining access to a Salesforce instance ran SOQL queries to extract case authentication tokens, passwords, and other secrets from support cases, enabling further incursions into connected platforms. Google’s analysis describes the attackers as targeting credentials such as AWS access keys (AKIA), passwords and Snowflake tokens; they used Tor and hosting providers like AWS and DigitalOcean to obfuscate their infrastructure. Google’s report also notes that the attackers deleted query jobs to evade detection, underscoring the importance of reviewing logs for evidence of data exposure.

To aid administrators in detecting and mitigating impact, Google provided a list of IP addresses and user agents associated with the activity and urged organizations to search Salesforce logs for signs of compromise. The threat actors’ activity has been described as part of a broader wave of Salesforce breaches tied to the ShinyHunters group, with some overlap alleged with other actor groups. The article notes that ShinyHunters has publicly claimed involvement, while Google has not found conclusive links to the extortion operation at this time. Louis Vuitton and related brands, cited in related coverage, illustrate the broader impact of Salesforce-driven data exposures.

Administrators should act promptly to rotate credentials and search Salesforce objects for credential material such as:

  • AKIA keys used for long-term AWS access
  • Snowflake-related tokens or references to snowflakecomputing.com
  • Passwords, secrets, and keys that may indicate credential material
  • Strings referencing organization-specific login URLs, including VPN or SSO portals
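As an added example (not code from the article, Salesloft or Google), the scanner below applies the indicators listed above to an export of Salesforce Case records and reports which records contain credential material that should be rotated. The sample records and the `example.com` SSO/VPN host are constructed placeholders; substitute your own login portals.

```python
import re
from typing import Dict, List
# Regexes for the credential material named in the advisory. The AKIA pattern
# follows the documented AWS long-term access key ID format (20 characters).
# The org_login_url host is a placeholder: substitute your own SSO/VPN portals.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"[\w.-]+\.snowflakecomputing\.com", re.I),
    "secret_keyword": re.compile(
        r"\b(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*\S+", re.I),
    "org_login_url": re.compile(r"https?://(?:vpn|sso|login)\.example\.com\S*", re.I),
}
FIELDS = ("Subject", "Description")  # free-text Case fields to inspect

# Constructed sample records standing in for an export of Salesforce Case objects.
SAMPLE_CASES = [
    {"Id": "500EXAMPLE00001", "Subject": "S3 upload failing",
     "Description": "Using AKIAIOSFODNN7EXAMPLE, secret_key=wJalrXUtnFEMI/K7MDENG"},
    {"Id": "500EXAMPLE00002", "Subject": "Warehouse login",
     "Description": "Account xy12345.us-east-1.snowflakecomputing.com, password: hunter2"},
    {"Id": "500EXAMPLE00003", "Subject": "Billing question",
     "Description": "Customer asked about token refresh cadence; nothing shared."},
    {"Id": "500EXAMPLE00004", "Subject": "VPN access",
     "Description": "Ticket opened from https://sso.example.com/login?user=jdoe"},
]

def redact(s: str) -> str:
    """Keep only the first and last 4 characters so the report does not re-leak the secret."""
    return "*" * len(s) if len(s) <= 8 else s[:4] + "..." + s[-4:]

def scan_cases(cases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (case, field, pattern match), with the match redacted."""
    findings = []
    for case in cases:
        for field in FIELDS:
            for name, rx in PATTERNS.items():
                for m in rx.finditer(case.get(field) or ""):
                    findings.append({"case_id": case["Id"], "field": field,
                                     "pattern": name, "sample": redact(m.group(0))})
    return findings

def cases_needing_rotation(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct Case IDs whose contents should be treated as exposed and rotated."""
    return sorted({f["case_id"] for f in findings})

if __name__ == "__main__":
    hits = scan_cases(SAMPLE_CASES)
    for h in hits:
        print(f'{h["case_id"]} {h["field"]:<11} {h["pattern"]:<20} {h["sample"]}')
    print("rotate credentials referenced in:", cases_needing_rotation(hits))
```

Because the attackers deleted their query jobs, pair this content scan with a review of Salesforce login and API event logs for the IP addresses and user agents Google published.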