Salesloft Integration Breach Exposes Salesforce Customer Data

 

A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments.

Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data.

According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use.

Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs.

To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise.

Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk.

While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain.

This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.