Salesloft Drift: OAuth tokens misused for data theft

Attackers are exploiting compromised OAuth tokens issued to the AI platform Salesloft Drift to extract large amounts of data, from Salesforce instances among other connected systems.


Google's Threat Intelligence Group (GTIG) is warning of a large-scale data theft campaign by the criminal group UNC6395. Initially, the attacks appeared to affect only Salesforce instances connected to Salesloft Drift. New analysis shows that other systems connected to Salesloft Drift are also at risk: all authentication tokens stored in or connected to the Drift platform should be treated as potentially compromised.

Google writes this in an updated analysis. It had first become known that between August 8 and at least August 18, 2025, members of the previously untracked group UNC6395 "systematically copied large amounts of data from Salesforce instances" belonging to companies. They gained access using compromised OAuth tokens originating from the AI platform Salesloft Drift. Google's researchers assume that the attackers' goal is to harvest further credentials from the stolen data.

After exfiltrating the data, the attackers searched it for information that could be used to compromise the victims' environments further: credentials for Amazon Web Services (AWS), in particular long-term access key IDs (which begin with AKIA), passwords, and access tokens for Snowflake. They tried to cover their tracks by deleting the query jobs they had run, but the logs themselves were not touched, so organizations can still search them for traces of the data theft.
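The credential sweep described above can be turned around: an organization whose Salesforce data was copied should scan that same data for the patterns the attackers were after, so it knows which secrets to rotate before they are used against it. The following Python scanner is an added example written for this article, not code from Google, Salesloft or Salesforce. The sample records are constructed, the AWS key ID and secret are the documented AWS example values, and the regular expressions are assumptions tuned for illustration rather than a complete secret-detection rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for data exported from a Salesforce org
# (case descriptions, comments, account notes). Not real customer data; the AWS
# key and secret are the documented AWS example values.
SAMPLE_RECORDS = [
    {"Id": "5001", "Object": "Case", "Field": "Description",
     "Text": "Customer cannot deploy. Their key: AKIAIOSFODNN7EXAMPLE "
             "secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5002", "Object": "Case", "Field": "Comments",
     "Text": "Snowflake login for the integration user: "
             "acme-prod.snowflakecomputing.com, password=Winter2025!"},
    {"Id": "5003", "Object": "Case", "Field": "Description",
     "Text": "Billing question about invoice 4471. No action needed."},
    {"Id": "5004", "Object": "Account", "Field": "Notes",
     "Text": "temporary creds ASIAQ3K7RZQ4XEXAMPLE expire in 1h"},
]

# Detection patterns (assumptions for this example, not an exhaustive rule set).
PATTERNS = {
    # Long-term IAM user access key IDs start with AKIA and never expire on their own.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Temporary STS credentials start with ASIA; worth noting, but they expire by themselves.
    "aws_temporary_key_id": re.compile(r"\bASIA[0-9A-Z]{16}\b"),
    # AWS secret keys are 40 base64 characters; require a nearby "secret" hint to cut noise.
    "aws_secret_key": re.compile(r"(?i)secret\W{0,5}([A-Za-z0-9/+=]{40})\b"),
    # A Snowflake account URL tells the attacker where a harvested password or token works.
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Kinds that stay valid until somebody revokes them, i.e. must be rotated.
LONG_LIVED = {"aws_access_key_id", "aws_secret_key", "password_assignment"}


@dataclass
class Finding:
    record_id: str
    object_name: str
    field: str
    kind: str
    value: str
    long_lived: bool


def scan_records(records):
    """Run every pattern over every text field and collect the matches."""
    findings = []
    for rec in records:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(rec["Text"]):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rec["Id"], rec["Object"], rec["Field"],
                                        kind, value, kind in LONG_LIVED))
    return findings


def rotation_list(findings):
    """Deduplicated long-lived secrets grouped by kind: the rotate-now worklist."""
    out = {}
    for f in findings:
        if f.long_lived:
            out.setdefault(f.kind, set()).add(f.value)
    return out


def redact(value):
    """Show only the edges so a report can identify a secret without re-exposing it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "****"


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        flag = "ROTATE" if f.long_lived else "review"
        print(f"{flag:6} {f.object_name}.{f.field} {f.record_id}: {f.kind} = {redact(f.value)}")
```

The distinction between AKIA and ASIA prefixes matters for triage: a long-term IAM access key found in a stolen case comment works until it is deactivated, whereas a temporary STS key expires on its own. Anything the scanner marks long-lived goes straight onto the rotation list; a Snowflake account URL is not a credential by itself, but it tells you which Snowflake account's logs to check for logins during the incident window.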

Initially, Salesloft, together with Salesforce, revoked the affected access tokens, and Salesloft has removed the Drift app from the Salesforce AppExchange for the time being. Affected organizations have been notified by Google, Salesforce and Salesloft. However, the problem is broader, as GTIG has since added: not only the tokens of the Salesforce integration were compromised, but potentially every authentication token stored in or connected to the Salesloft Drift platform.


Late last week, GTIG researchers discovered that OAuth tokens from the Drift Email integration had also been misused by the group to read emails in Google Workspace accounts. Only Workspace accounts that had set up the Salesloft Drift integration were exposed; other accounts were not affected. Google has therefore revoked the OAuth tokens granted to the Drift Email app and has disabled the Salesloft Drift integration in Google Workspace until the investigation is complete. Google will notify the admins of all affected Workspaces.

Google recommends that administrators immediately review all third-party integrations connected to their Salesloft Drift instance, revoke the associated credentials and issue new ones, and check the connected systems for signs of unauthorized access. The analysis contains indicators of compromise (IOCs) that admins should use in that review.

The customer service platform Salesforce in particular is currently attracting a lot of attention from cybercriminals. Back in early June, Google had already observed attacks on Salesforce access. In those cases, however, the attackers used phone calls (vishing) to persuade victims to install a malicious "connected" app in Salesforce, which the perpetrators then used to access data on a large scale and extort the companies.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.