Google Identifies ‘Widespread Data Theft’ Impacting Salesforce-Salesloft Drift Users

We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

A previously unidentified threat actor, UNC6395, has been linked to a recent breach campaign that exposed Salesforce customer data. The activity, which occurred between early and mid-August, involved the misuse of OAuth tokens issued through Salesloft Drift integration.

Google Threat Intelligence Group (GTIG) identified the threat actor in an Aug. 26 post and noted the “widespread data theft” started as early as Aug. 8, 2025 and ran through at least Aug. 18, 2025.

Understanding the threat

UNC6395 used targeted database queries to extract records containing personal user data, account profiles, case logs, and similar sensitive information. After pulling the data, the group exported the results in an apparent effort to collect login credentials and cloud ...