In August 2025, organizations worldwide were shaken by a widespread data theft campaign that exploited OAuth tokens from Salesloft’s Drift integration with Salesforce. This incident, tracked by Google’s Threat Intelligence Group (GTIG) and Mandiant under the identifier UNC6395, highlights the growing risks posed by third-party integrations and the need for proactive cybersecurity strategies.
What Happened?
Between August 8 and 18, 2025, UNC6395 systematically harvested OAuth and refresh tokens linked to Drift, which allowed the group to infiltrate Salesforce customer environments. Once inside, the attackers executed structured queries to extract massive amounts of data, including AWS access keys (AKIA), Snowflake access tokens, and corporate passwords.
Salesloft confirmed the breach on August 20, 2025, and immediately revoked Drift’s Salesforce connections. In collaboration, Salesforce also removed Drift from its AppExchange marketplace. While the direct impact was limited to integrated customers, the campaign underscores how supply chain risks can quickly ripple through ecosystems.
Why This Matters for Businesses
The sophistication of UNC6395’s tradecraft is alarming:
- They deleted query jobs to cover their tracks.
- They targeted high-value credentials to enable broader attacks.
- They focused on technology and security firms, a sign this could be the beginning of larger supply chain compromises.
This incident is not just about Salesforce or Salesloft. It is a wake-up call for all businesses relying on SaaS integrations. Attackers are no longer stopping at breaching a single app; they are moving laterally across vendors, partners, and customers.
Recommended Security Actions
If your organization uses Salesforce or Drift integrations, experts recommend:
- Investigating for compromise – Review Salesforce event logs, connected app activities, and suspicious queries.
- Revoking API keys and rotating credentials – Especially AWS, Snowflake, or any exposed secrets.
- Enforcing stronger access controls – Such as IP restrictions, least-privilege permissions, and strict session policies.
- Conducting a security audit – To uncover hidden exposures before attackers do.
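To support the credential rotation step above, the following added example (not from the original article or from any vendor advisory) scans a CSV export of Salesforce records for the credential types this campaign went after, so that exposed secrets can be queued for rotation. The sample export, its column names, and the Snowflake and password patterns are constructed assumptions; the AWS value is the placeholder key from AWS documentation.

```python
import csv
import io
import re

# Heuristic patterns (assumptions of this example; tune them for your data).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "snowflake_reference": re.compile(r"\b([\w.-]+\.snowflakecomputing\.com)\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Constructed sample standing in for a CSV export of Case records.
SAMPLE_EXPORT = """Id,Subject,Description
500000000000001,S3 upload fails,"Customer pasted key AKIAIOSFODNN7EXAMPLE into the ticket"
500000000000002,Warehouse login,"Account url acme-xy12345.snowflakecomputing.com password: Hunter2!x"
500000000000003,Billing question,"Invoice was sent twice in July"
"""

def redact(value, keep=4):
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_export(csv_text, id_column="Id"):
    """Return one finding per credential-shaped string in any text column."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, cell in row.items():
            if column == id_column or not isinstance(cell, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(cell):
                    findings.append({"record": row[id_column], "column": column,
                                     "kind": kind, "value": redact(match.group(1))})
    return findings

def rotation_worklist(findings):
    """Group affected record IDs by credential type for the owning teams."""
    worklist = {}
    for f in findings:
        worklist.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(records) for kind, records in worklist.items()}

if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['record']} {f['column']:<12} {f['kind']:<20} {f['value']}")
    print(rotation_worklist(results))
```

Findings are redacted on output so the scan report does not become a second copy of the secrets; treat every match as exposed and rotate it at the issuing service rather than only deleting it from the record.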
How We Can Help
At CyberTech Nexus, we provide end-to-end cybersecurity solutions to help businesses stay ahead of evolving threats like UNC6395. Our services include:
- IT and Cybersecurity Consultancy – Tailored strategies to secure your digital ecosystem
- Password and Identity Security – Protecting credentials with best practices, training, and monitoring
- Personal and Social Media Security – Reducing risks from oversharing and weak digital hygiene
- Incident Response and Recovery – Fast containment and remediation when breaches occur
- Security Audits and Vulnerability Assessments – Identifying weaknesses before attackers exploit them
- Managed Security Services – Continuous monitoring and protection against real-time threats
- Penetration Testing – Simulating attacks to strengthen defenses
- Compliance and Regulatory Services – Ensuring adherence to GDPR, NDPR, HIPAA, and ISO standards
- Cybersecurity Recruitment Services – Helping businesses hire skilled cybersecurity professionals
- Cyber Protection Academy – Training individuals and teams to recognize and respond to modern threats
Conclusion
The Salesloft Salesforce breach is yet another reminder that no organization is too small to be targeted. Opportunistic threat groups are exploiting trust relationships within digital supply chains to infiltrate hundreds of companies at scale. The question is not if your business will face such an attempt, but when.
Strengthening identity security, monitoring third-party integrations, and investing in proactive cybersecurity measures are no longer optional; they are critical to business survival.
References
- Google Threat Intelligence Group and Mandiant (2025). Advisory on UNC6395 OAuth Token Data Theft Campaign.
- Salesloft Trust Center Advisory, August 20, 2025.
- Salesforce Security Bulletin, August 2025.
- AppOmni Security Research: SaaS Supply Chain Threats and UNC6395 Analysis.