Hackers Exploit Drift AI Integration to Steal Salesforce Data in Major Campaign
Hackers have launched a widespread attack campaign stealing sensitive data from Salesforce instances by exploiting a third-party integration, according to Google’s Threat Intelligence Group.
The attackers, tracked by Google as UNC6395, used compromised OAuth tokens issued to Salesloft’s Drift AI chat agent to access customer Salesforce environments. Those tokens let them export Salesforce data in bulk, which they then mined for credentials; credential theft, not the customer data itself, was the campaign’s main objective.
“Google Threat Intelligence is aware of over 700 potentially impacted organizations,” said Austin Larsen, principal threat analyst at Google. He confirmed that the hackers automated the campaign using a Python-based tool to rapidly harvest information.
Researchers stressed that this was not a vulnerability in Salesforce itself. The attackers authenticated with the stolen Drift tokens, queried Salesforce objects through the integration’s existing access, and then searched the exported records for AWS access keys, passwords, and Snowflake access tokens.
The incidents occurred primarily between August 8 and August 18, with Salesloft working alongside Salesforce to revoke compromised Drift tokens by August 20. Salesloft also issued a security alert instructing administrators to reauthenticate Salesforce connections.
Salesforce acknowledged detecting “unusual activity” tied to a small number of customer accounts. As a precaution, the company has temporarily removed Drift from its AppExchange marketplace and is cooperating with Salesloft to support affected customers.
Google researchers noted that the attackers tried to cover their tracks by deleting the query jobs they had run, but the underlying event logs remain intact. Security teams are urged to review those logs for queries issued with the Drift integration’s credentials and to determine which objects were exported.
Charles Carmakal, CTO of Mandiant Consulting, advised impacted organizations to follow remediation guidance, including revoking API keys, rotating credentials, and hardening access controls.
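The two checks the preceding paragraphs call for, reviewing API activity tied to the Drift integration and finding which secrets stored in Salesforce records now need rotating, are shown below as an added example. This is illustrative code written for this page, not a tool from Google, Mandiant, Salesloft or Salesforce. The sample records and API event rows are constructed, the simplified event-log schema (user, connected_app, user_agent, rows_processed, entity) and the connected-app name "Drift" are assumptions, and the secret patterns cover only the three credential classes the report names.

```python
"""Post-incident triage for the Drift token-abuse campaign (added example).

1. scan_records(): look through exported Salesforce text fields for the
   secret classes the attackers hunted (AWS access key IDs, Snowflake
   account URLs/tokens, plaintext passwords). Anything found is compromised
   and must be rotated.
2. flag_bulk_queries(): walk simplified API event rows and flag bulk pulls
   made with the Drift connected app by a scripted (Python) client, the
   access pattern described in the report.

Log schema and the connected-app name are assumptions; real Salesforce
EventLogFile columns differ by event type.
"""
import re
from dataclasses import dataclass

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) prefix
# followed by 16 upper-case alphanumerics, 20 characters in total.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Snowflake account hostnames, or anything labelled as a Snowflake token/key.
SNOWFLAKE_RE = re.compile(
    r"[a-z0-9][a-z0-9.\-]*\.snowflakecomputing\.com"
    r"|snowflake[_\- ]?(?:token|key)\s*[:=]\s*\S+",
    re.IGNORECASE,
)
# key/value style password disclosures ("password: ...", "pwd=...").
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)
# User agents that indicate a scripted Python client rather than the Drift app.
SCRIPTED_UA_RE = re.compile(r"python|aiohttp|requests", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str  # "aws_access_key" | "snowflake" | "password"
    match: str


def scan_records(records):
    """records: iterable of (record_id, text). Returns a list of Findings."""
    findings = []
    for rid, text in records:
        findings += [Finding(rid, "aws_access_key", m) for m in AWS_KEY_RE.findall(text)]
        findings += [Finding(rid, "snowflake", m) for m in SNOWFLAKE_RE.findall(text)]
        findings += [Finding(rid, "password", m) for m in PASSWORD_RE.findall(text)]
    return findings


def rotation_plan(findings):
    """Group findings by credential class so each can be routed to the owner."""
    plan = {}
    for f in findings:
        plan.setdefault(f.kind, set()).add(f.match)
    return {kind: sorted(values) for kind, values in plan.items()}


def flag_bulk_queries(rows, app_name="Drift", min_rows=10_000):
    """Return event rows where the named connected app's token was used by a
    scripted client to pull at least min_rows records in one request."""
    return [
        r for r in rows
        if r["connected_app"] == app_name
        and SCRIPTED_UA_RE.search(r["user_agent"])
        and r["rows_processed"] >= min_rows
    ]


# Constructed sample data (not real customer records or real log lines).
SAMPLE_RECORDS = [
    ("500xx0000001", "Customer pasted creds in ticket: AKIAIOSFODNN7EXAMPLE / secret=..., please delete"),
    ("500xx0000002", "Warehouse at acme-prod.us-east-1.snowflakecomputing.com, snowflake_token: eyJraWQiOiIxMjM0In0"),
    ("500xx0000003", "Reset done. temporary password: Winter2025! shared over phone"),
    ("500xx0000004", "Normal support question about invoice PDF rendering."),
]

SAMPLE_API_EVENTS = [
    {"user": "drift.integration@example.com", "connected_app": "Drift",
     "user_agent": "python-requests/2.32.4", "rows_processed": 250_000, "entity": "Case"},
    {"user": "drift.integration@example.com", "connected_app": "Drift",
     "user_agent": "Drift-Connector/1.0", "rows_processed": 40, "entity": "Contact"},
    {"user": "alice@example.com", "connected_app": "Salesforce CLI",
     "user_agent": "python-requests/2.31.0", "rows_processed": 500, "entity": "Lead"},
]

if __name__ == "__main__":
    for kind, values in rotation_plan(scan_records(SAMPLE_RECORDS)).items():
        print(f"rotate {kind}: {values}")
    for row in flag_bulk_queries(SAMPLE_API_EVENTS):
        print(f"bulk pull of {row['entity']} via {row['connected_app']} by {row['user_agent']}")
```

In practice the record scan runs over the same objects the attacker is known to have queried (cases, accounts, contacts, opportunities), and the API-event check is tuned against the org's own baseline for the Drift user: what matters is a scripted user agent on a token that normally belongs to a SaaS connector, combined with row counts far above its usual traffic.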
The latest Google update warns the compromise extends beyond Salesforce integrations, as OAuth tokens linked to “Drift Email” were also targeted. A limited number of Google Workspace accounts were breached on August 9, though Google confirmed there was no compromise of Workspace or Alphabet systems overall.
Experts emphasize that any organization using Salesloft Drift should assume its authentication tokens may have been exposed and act immediately to secure the connected accounts and rotate any credentials stored in the affected systems.