Hackers Abuse Compromised OAuth Tokens to Access and Steal Salesforce Corporate Data


Google Threat Intelligence Group (GTIG) has issued an advisory concerning a broad data theft operation targeting corporate Salesforce instances via the Drift integration.

Beginning as early as August 8, 2025, UNC6395 leveraged valid access and refresh tokens associated with the Salesloft Drift app to connect as an authenticated connected app user, executing large-scale SOQL queries to export records from key Salesforce objects, including Accounts, Opportunities, Users, and Cases.

After exfiltrating the data, the threat actor searched through it for sensitive material such as AWS access keys (beginning with the AKIA prefix), passwords, and Snowflake tokens.
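For an organization whose Salesforce data was pulled, the practical follow-up is to find out which of its own records contained credentials, so those can be rotated. The script below is an added example, not code from gbhackers, GTIG or Salesloft: it runs the same kind of secret search the advisory describes, but over a constructed set of exported Case records, and reports masked findings per record and field. The record layout, the field names and the password/Snowflake-token patterns are assumptions for illustration; only the AWS access key ID format (AKIA plus 16 uppercase alphanumerics) is the real documented shape.

```python
import re

# Constructed sample of exported Salesforce Case records (not real data).
# Field names mirror common Salesforce Case fields but are an assumption here.
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Subject": "VPN issue",
     "Description": "User cannot connect since Monday."},
    {"Id": "500000000000002", "Subject": "S3 upload failing",
     "Description": "Tried with AKIAIOSFODNN7EXAMPLE and it still fails."},
    {"Id": "500000000000003", "Subject": "Login help",
     "Description": "Temporary password=Winter2025! for the vendor account"},
    {"Id": "500000000000004", "Subject": "Data share",
     "Description": "snowflake_token: sfTOKENabcdef123456 sent to analytics"},
]

# Patterns for the secret types named in the advisory. The AKIA shape is the
# documented AWS access key ID format; the other two are label-based heuristics
# constructed for this example (Snowflake tokens have no single fixed format).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "snowflake_token_label": re.compile(r"(?i)snowflake[_ -]?token\s*[:=]\s*(\S+)"),
}

TEXT_FIELDS = ("Subject", "Description")


def mask(value):
    """Keep only a recognizable prefix/suffix so reports do not re-leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def find_exposed_secrets(records, fields=TEXT_FIELDS):
    """Return one finding per (record, field, pattern match) with the value masked."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "record_id": rec["Id"],
                        "field": field,
                        "kind": kind,
                        "match": mask(match.group(0)),
                    })
    return findings


def affected_record_ids(findings):
    """Distinct record IDs that need follow-up (credential rotation, owner notification)."""
    return sorted({f["record_id"] for f in findings})


if __name__ == "__main__":
    results = find_exposed_secrets(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['record_id']} {f['field']:<12} {f['kind']:<22} {f['match']}")
    print("records needing rotation:", affected_record_ids(results))
```

In a real engagement the input would be the organization's own export of the affected objects (Accounts, Opportunities, Users, Cases); the masking keeps the triage report itself from becoming another copy of the credentials.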

Although UNC6395 deleted its query jobs to hinder detection, Salesforce event logs remained intact, enabling organizations to trace the activity.
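Because the event logs survive even when the actor deletes its query jobs, the detection a defender wants is a pass over those logs that flags a connected app pulling unusually many rows, or sweeping several sensitive objects in a short window. The following is an added example, not code from gbhackers, GTIG or Salesforce: it parses a constructed, simplified API event log in CSV form and applies both rules. The column names (TIMESTAMP, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED), the thresholds and the log content are assumptions for this example, not Salesforce's actual EventLogFile schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed, simplified API-event log. The columns are an assumption for this
# example and are not the real Salesforce EventLogFile field set.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-08-08T01:02:03Z,integration@example.com,Drift,Account,200
2025-08-08T01:02:10Z,integration@example.com,Drift,Opportunity,150
2025-08-08T01:03:20Z,integration@example.com,Drift,Account,5000
2025-08-08T01:04:30Z,integration@example.com,Drift,Opportunity,4800
2025-08-08T01:05:40Z,integration@example.com,Drift,User,3000
2025-08-08T01:06:50Z,integration@example.com,Drift,Case,9000
2025-08-08T09:00:00Z,analyst@example.com,Workbench,Case,30
"""

# Objects the advisory names as exported; thresholds are illustrative and should
# be tuned against each org's normal integration volume.
SENSITIVE_OBJECTS = {"Account", "Opportunity", "User", "Case"}
BULK_ROW_THRESHOLD = 2000            # a single request returning this many rows
SWEEP_WINDOW = timedelta(minutes=15)  # window for the multi-object sweep rule
SWEEP_MIN_OBJECTS = 3                 # distinct sensitive objects inside the window


def parse_log(text):
    """Parse the CSV log into sorted event dicts with typed timestamp and row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["USER_NAME"],
            "client": row["CLIENT_NAME"],
            "object": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_exports(events):
    """Apply two rules and return a list of alert dicts."""
    alerts = []

    # Rule 1: any single request that returns a bulk number of rows from a
    # sensitive object. One alert per offending request.
    for e in events:
        if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append({
                "rule": "bulk_rows", "client": e["client"], "user": e["user"],
                "object": e["object"], "rows": e["rows"], "ts": e["ts"].isoformat(),
            })

    # Rule 2: one (user, connected app) touching several distinct sensitive
    # objects inside a short window, which is the export pattern described.
    # One alert per principal, raised at the first window that qualifies.
    by_principal = {}
    for e in events:
        by_principal.setdefault((e["user"], e["client"]), []).append(e)
    for (user, client), evs in by_principal.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:]
                         if x["ts"] - start["ts"] <= SWEEP_WINDOW
                         and x["object"] in SENSITIVE_OBJECTS]
            objects = {x["object"] for x in in_window}
            if len(objects) >= SWEEP_MIN_OBJECTS:
                alerts.append({
                    "rule": "object_sweep", "client": client, "user": user,
                    "objects": sorted(objects),
                    "rows": sum(x["rows"] for x in in_window),
                    "window_start": start["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(parse_log(SAMPLE_LOG)):
        print(alert)
```

The sweep rule is the more useful of the two for this campaign, since a legitimate integration may occasionally pull a large batch from one object but rarely walks Accounts, Opportunities, Users and Cases back-to-back; keying it on the connected app name lets an org scope the check to Drift specifically.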

Salesloft clarified that only customers integrating with Salesforce via Drift were impacted, and Google Cloud customers without that integration face no known exposure.

However, any organization using Drift should verify their Salesforce objects for Google Cloud Platform ...


Copyright of this story solely belongs to gbhackers.